New Backdoor and Malware Downloader Used in TA505 Spam Campaigns (Jul 4, 2019)
The financially motivated threat group “TA505” has once again added new malware to its arsenal, according to Trend Micro researchers. The first week of July brought two publications, one by Trend Micro and one by Proofpoint, both of which identified the same new downloader, called “Gelup” by Trend Micro and “Andromut” by Proofpoint. Trend Micro also observed TA505 deploying another new malware, dubbed “FlowerPippi,” in its spam email campaigns, delivered via malicious attachments. FlowerPippi can function both as a downloader and as a backdoor, and is capable of stealing information and running commands received from a Command and Control (C2) server.
Recommendation: All employees should be educated on the risks of malspam and on how to identify such attempts. Poor grammar and urgent content are often indicators of this type of attack. Additionally, messages that request the recipient to open a file attachment should be treated with suspicion.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.