TA505 Active: Updates to ServHelper and FlawedAmmyy Malware


TA505 Active: Updates to ServHelper and FlawedAmmyy Malware (Aug 27, 2019)

According to researchers at TrendMicro, threat actor “TA505” is actively targeting banks in Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary, using phishing to compromise systems. The group is targeting the banks with emails that carry ISO file attachments as the initial infection vector. As in previous operations, TA505 is using either the “FlawedAmmyy” remote access trojan (RAT) or ServHelper as the payload, and continues to make a combination of small adjustments to its deployment techniques. According to researchers at TrendMicro, the adjustments and updates made to the FlawedAmmyy RAT and ServHelper may indicate that the group is evaluating which forms of obfuscation can bypass detection and yield greater financial returns.

Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Messages that ask the recipient to open a file attachment should also be avoided.
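As an added example (not part of the original alert or Trend Micro's research), the following Python check is one a mail-gateway operator could run to flag the ISO-image attachments described above, including an ISO that has been renamed to a different extension. The sample message is constructed; the file-extension list and the ISO 9660 signature offset are assumptions documented in the comments.

```python
import email
from email import policy
from email.message import EmailMessage

# ISO 9660 images carry the "CD001" identifier in the primary volume descriptor,
# which sits at byte offset 0x8001 (just after the 32 KiB system area).  Checking
# the signature, not just the filename, catches images renamed to look benign.
ISO_SIGNATURE_OFFSET = 0x8001
ISO_SIGNATURE = b"CD001"
# Extensions to treat as disk images (assumed policy list, not from the alert).
DISK_IMAGE_EXTENSIONS = (".iso", ".img")


def is_iso_image(data: bytes) -> bool:
    """Return True if the bytes carry an ISO 9660 volume descriptor signature."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def flag_disk_image_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment that looks like a disk image."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(DISK_IMAGE_EXTENSIONS):
            findings.append((name, "disk-image extension"))
        elif is_iso_image(payload):
            findings.append((name, "ISO 9660 signature under a different extension"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test email: a benign text file, a .iso, and an ISO renamed to .pdf."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # Minimal fake image: zero padding up to the descriptor, then the signature.
    fake_iso = b"\x00" * ISO_SIGNATURE_OFFSET + ISO_SIGNATURE + b"\x00" * 16
    msg.add_attachment("hello", filename="notes.txt")
    msg.add_attachment(fake_iso, maintype="application", subtype="octet-stream", filename="invoice.iso")
    msg.add_attachment(fake_iso, maintype="application", subtype="octet-stream", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in flag_disk_image_attachments(build_sample_message()):
        print(f"flagged {filename}: {reason}")
```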

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.