CyberInt Reports: Suspected Russian-speaking Threat Actors “TA505” Continues Cybercrime Spree Against Global Retailers and Financial Institutions (Apr 17, 2019)
CyberInt Research Labs have observed continuing campaigns conducted by the financially motivated threat group called “TA505.” The group, which has been active since at least 2014, primarily uses spear phishing emails distributed to financial institutions and retail companies to compromise organizations with Remote Access Tools (RATs) such as “Remote Manipulator System” (RMS). Using a legitimate RAT can help the group remain undetected on a network, because the traffic may appear authentic when it is actually malicious activity conducted by the threat group.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense: inform your employees about what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.