Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware (Apr 25, 2019)
Researchers at Cybereason have uncovered a highly-organised attack against a financial institution in April 2019. The attack is attributed to the threat group "TA505," and features a targeted phishing campaign with the objective of installing a backdoor called "ServHelper." The group distributed emails containing a Microsoft Excel spreadsheet posing as "work orders" that requests macros to be enabled. If enabled, a Windows process called "msiexec.exe" is triggered and connects to a server to download the first payload. With the malware on the system, the ServHelper backdoor gathers information about the target computer including the users SID, an Admin group identifier, the machine's date and time, and additional information related to the machine's system. In using legitimate Windows processes, the malware is able to avoid detection. It appears the goal of this campaign is reconnaissance and information gathering.
Recommendation: Documents requiring the user to enable a feature is often a sign of a phishing attack and should be avoided. Therefore a known and trusted sender should be contacted to verify the legitimacy of the content. Attachments from unknown senders should not be opened.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.