February 4, 2020
“One who is persistent will excel.”
This quote gets a whole new meaning when we talk about TA505 aka ‘Evil Corp’ latest infection tactic. Microsoft Security Intelligence recently unveiled that this financially motivated group is back in action.
TA505 is known for constantly modifying its malware and standing behind Clop and Locky ransomware, as well as notorious Dridex banking trojan. Just by inspecting references to their actions for the past 5 years everyone can realize this is a trend-setter in the cybercrime business.
In its latest malware campaign, TA505 is using Microsoft Excel as a payload delivery vehicle, doing it with a twist.
So what’s so new about the latest TA505 trick?
In one of the more recent campaigns, malicious actors from Russia implemented HTML redirectors in emails. While meta refresh tags for redirection are nothing new for phishing emails, ‘Evil Corp’ was not using this method of bypassing web browser phishing filters until now.
This can be achieved by instructing a web browser to refresh the web page or frame after a predetermined time interval, in this case – mere seconds. It is possible to set instructions that instruct the browser to fetch a different URL after refreshing the page.
When opened, HTML leads to that malicious Excel file getting downloaded on your machine automatically. While that’s not ideal, the final payload is dropped when the user “enables editing” of that Excel file. Interestingly enough, the attackers maintain all the vision, as an IP trace-back service is used to track the machines that downloaded the file.
As mentioned in the original Twitter thread surrounding this alert, Microsoft Threat Protection provides protection and detects URLs and malicious attachments in emails. It also detects and blocks malicious HTML and Excel files and payload on the endpoints.
While having Microsoft Office 365 ATP can be great for your security, something as basic as telling your employees to never enable editing of content or editing of the file that downloaded itself can be crucial.
This cybercrime gang behind this infection method has also leveraged malicious Word documents that abused dynamic data exchange in the past, used malware to gather credentials from FTP clients and Outlook, made their malware look like actual .pdf and .lnk files.
They are not limited in their options, and users working with documents coming from email should be aware of that.
The U.S. Justice Department did not offer a $5 million bounty for information leading to the arrest and conviction of ‘Evil Corp’s’ leader for nothing. This Russian network stole approximately $100 million from businesses and consumers, after all.
More information about the personnel involved in these operations can be found on Brian Krebs’ website.
While you might disagree that a Russian hacking group may be interested in your particular company, nobody can argue that email is still the #1 attack vector in 2020. Additionally, people seem to agree that a strong cybersecurity culture is as helpful in preventing similar attacks, as technical solutions deployed within the company.
You can only find materials that would help to build it, and “The Art of Email Security” fits the bill perfectly. It teaches you not to click on links, not to interact with files you didn’t download yourself, and also shows you how to identify phishing emails without wasting too much energy.
Sometimes it takes just 5 minutes to prevent a crime from happening. Investing time in the right education is probably the best solution one could find to mitigate the risk of phishing attacks that won’t stop terrorizing the business and its customers.
With criminal groups finding new ways to exploit our everyday tools, we really can’t get away without learning the basics.