Russian-Linked TA505 Threat Group Drops New Financial Malware; Bad Luck For Banking
By: Jim Stickley and Tina Davis
January 2, 2022
If there aren’t already enough Russian-linked attack groups to be concerned about, one of these groups recently returned to its criminal activity. Known as TA505, this group is widely known for attacks on retail and financial institutions and their customers. Originally using the infamous Dridex banking trojan for attacks, TA505 is now pointing at financial targets with a new and highly effective banking trojan campaign dubbed MirrorBlast. TA505 has compromised more than 1,000 victims the world over, including in the U.S., Canada, Europe, and Hong Kong among many others.
Researchers from Morphisec Labs learned TA505’s MirrorBlast campaign began in April of this year and then restarted again in September. With this latest campaign focused solely on financial services, TA505 delivers MirrorBlast via phishing emails sent to employees. The emails contain a malicious link hidden in Excel files.
Opening the link downloads the malicious Excel file, one that easily evades most detection-based security including Google’s VirusTotal scanning engine. The Excel document contains macro code with MirrorBlast virus written in the same language as software apps like Excel. It’s a sneaky and highly effective campaign by the Russian-linked TA505.
Due to its highly elusive nature, this latest malspam campaign is particularly dangerous to financial organizations and their customers. It’s never too much to continuously remind and train employees and others connecting to the network how to identify attempting phishing attacks. Sticking to the once a year or upon hire approach won’t cut it when groups and attacks like these are always evolving.
Some items to add to your cybersecurity awareness plan can include:
- Never clicks links or attachments in email, unless there is absolute certainty the message was intended for the recipient and it’s from someone known. If it is out of the blue or is odd in any way, it should be considered suspect.
- Watch for misspelled names, sloppy grammar and punctuation, as well as unclear, incorrect, or blurry logos.
- Don’t call phone numbers or “reply” to messages that are suspicious. Instead, use known contact information found independently of the message.
- Threat actors historically target financial services because of the massive amounts of data they hold and their resources to quickly pay extreme ransom demands.
As a reminder, Dridex is a notorious financial malware best known for ransomware campaigns that steal and encrypt data from banks and their customers. Dridex, like most malware continues to improve over time, morphing into different versions at least as harmful as the original. The potential for TA505 to return to Dridex is always a possibility. But for now, the threat group seems content using MirrorBlast as their preferred criminal attack method. Stay tuned.