Analysis of TA505 Malspam Campaign & Infection Chain

Lounge Fly
6 min read · Aug 26, 2020

Summary

TA505 is a well-known, financially motivated and sophisticated crimeware group. Its activity can be traced back to at least 2014, through distribution of the malware known as Dridex. Since then, TA505 has continued to expand its capabilities and associated toolset with custom remote access Trojans, information stealers and malware downloaders, and has been observed deploying ransomware such as ‘Locky’ in the past and, more recently, ‘Clop’, while demanding large payments. The group’s primary targets have included financial institutions, restaurants and retail companies; however, over the years victim locations and industries appear to have broadened.

The threat actor’s primary delivery mechanism has traditionally been large-scale mass phishing campaigns using malicious attachments or spearphishing links that lead to macro-embedded Office documents. In September 2019, researchers at Proofpoint uncovered campaigns in which TA505 used a new downloader referred to as FRIENDSPEAK (aka “Get2” or “GetAndGo”). Get2 was used as a first stage to download additional malware such as FlawedGrace, FlawedAmmyy and, most recently, SDBbot, a remote access Trojan.

This article will examine the different components of the large TA505 malspam campaign discovered in mid-August.

Technical Analysis

The most recent wave of TA505 campaigns tends to vary between senders, but appears to use a few common subjects.

Observed campaign subjects include the following:

  • Name shared “Corrected PO07601 — AUG2020” with you
  • Potential Timesheet — Error Correction AUG20XX
  • Need Confirmation
  • Registration Form_EXHIBITOR

The HTML email bodies in the campaign have used OneDrive, O365 and Citrix ShareFile themes.

Sample Email

A quick look at one of the email headers yields helpful information about the actual source of the message. The bottom-most “Received” line shows the initial server, which matches the “Return-Path” line at the beginning of the headers. These tend to vary between emails.
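The header check described above (bottom-most Received line versus Return-Path), written out as an added triage script that is not part of the original article; the header set it parses is constructed, and the hostnames and addresses in it are placeholders rather than campaign indicators.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed header set (not one of the campaign emails). Each MTA prepends
# its own Received line, so the bottom-most one is the originating hop.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail.sender.example>
Received: from mx2.victim.example (mx2.victim.example [203.0.113.5])
\tby inbox.victim.example with ESMTP id abc123; Wed, 26 Aug 2020 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\tby mx2.victim.example with ESMTPS id xyz789; Wed, 26 Aug 2020 10:00:01 +0000
From: "Accounts" <accounts@sender.example>
Subject: Need Confirmation

see the shared file
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as most MTAs write it
RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_hop(raw_message):
    """Return the first-hop server from the bottom-most Received header and
    check whether it agrees with the Return-Path domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return {}
    first_hop = str(received[-1])          # bottom-most header == earliest hop
    m = RECEIVED_FROM.search(first_hop)
    helo = m.group(1).lower() if m else ""
    ip = IPV4.search(m.group(2) or "") if m else None
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1] if "@" in return_path else ""
    return {
        "helo": helo,
        "ip": ip.group(1) if ip else "",
        "return_path_domain": rp_domain,
        # the first hop should sit in the Return-Path domain; a mismatch is a
        # triage flag, not proof of spoofing (relays and bulk senders differ)
        "consistent": bool(rp_domain) and helo.endswith(rp_domain),
    }
```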

Each email contains a number of URL redirects that vary, demonstrating an extensive delivery network. The emails analyzed tend to contain around five different URLs with .html extensions.

Some examples include:

  • hxxp://audio-pa-service[.]de/0br2ay.html
  • hxxp://thebaileysuites[.]com/n6h26.html
  • hxxp://tepetate[.]com/0pnaq5n.html
  • hxxp://edog2017.karyamedia[.]net/2aevw.html

The samples appear to use JavaScript, specifically window.location.href, to redirect the victim to the site hosting the malicious document. Earlier reports also mention iframes being used to facilitate redirects.
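An added static-analysis helper (not code from the article) that pulls the next hop out of a saved redirect page without rendering it: it reports window.location.href assignments, iframe sources and meta-refresh targets, resolves relative paths against the page URL and defangs the result. The HTML it parses is constructed and the hostnames are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed landing page showing the three redirect styles mentioned above
# (not a real page from the campaign).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=https://hop-two.example/2aevw.html">
</head><body>
<iframe src="/lure.html" width="0" height="0"></iframe>
<script>
  setTimeout(function(){ window.location.href = "https://doc-host.example/docs/"; }, 100);
</script>
</body></html>"""

JS_REDIRECT = re.compile(r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
META_REFRESH = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)

class RedirectExtractor(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base = base            # URL the page was fetched from, for relative targets
        self.redirects = []         # (method, absolute url)
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe" and a.get("src"):
            self.redirects.append(("iframe", urljoin(self.base, a["src"])))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH.search(a.get("content") or "")
            if m:
                self.redirects.append(("meta-refresh", urljoin(self.base, m.group(1))))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:         # script bodies arrive here as raw text
            for url in JS_REDIRECT.findall(data):
                self.redirects.append(("js-location", urljoin(self.base, url)))

def defang(url):
    """hxxp://host[.]tld/path, matching the notation used in the write-up."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.replace("http", "hxxp"), p.netloc.replace(".", "[.]"),
                       p.path, p.query, p.fragment))

def extract_redirects(html, base="http://example.test/0br2ay.html"):
    parser = RedirectExtractor(base)
    parser.feed(html)
    return [(method, defang(u)) for method, u in parser.redirects]
```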

While the number of redirects is difficult to track, only a handful of URLs have so far been observed hosting the malicious document, in all cases an Excel file. In some cases the URLs are placed behind CAPTCHA challenges to bypass automated URL analysis.

  • hxxp://one-drives[.]com
  • hxxp://digital-space[.]com
  • hxxp://backup-place[.]com
  • hxxp://near-fast[.]com
  • hxxp://filesharess[.]com

Sample document host

Document Execution

Hashes will also vary from document to document, making them less valuable indicators.

The document itself contains a number of macros for dropping the Get2 downloader on the victim machine. Get2 is a newer downloader malware written in C++ and used in recent TA505 campaigns. The name was derived from the DLL export name used in the initial sample that was analyzed. Successive campaigns used different export names.

A quick examination of the Excel document through OleVBA identifies a number of malicious attributes.

OleVBA Output

Once executed, the document copies itself to “%TEMP%\academl.xlsx”.

The embedded object “xl\embeddings\oleObject1.bin” inside the Excel spreadsheet is copied into the %TEMP% directory. The DLLs inside oleObject1.bin are then extracted and copied into “AppData\Roaming\Microsoft\Windows\Templates”.

oleObject1 Image

srt_join1.dll is the 32-bit build, while srt_join2.dll is the 64-bit build.
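The extraction steps above (embedded OLE object inside the .xlsx, two DLLs of different bitness inside it) can be reproduced statically with only the standard library. This is an added example, not tooling from the article: it opens the OOXML zip, hashes every entry under xl/embeddings/, and carves PE images out of the blob by following e_lfanew to the PE signature and reading the COFF Machine field to tell the 32-bit and 64-bit builds apart. The sample workbook it triages is constructed in memory, with two header-only stubs standing in for the real DLLs.

```python
import hashlib
import io
import struct
import zipfile

MACHINE = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def carve_pe_images(blob):
    """Yield (offset, architecture) for each PE image found in a byte blob:
    'MZ' stub, DWORD e_lfanew at 0x3C pointing at 'PE\\0\\0', then the COFF Machine WORD."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 6 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", blob, pe + 4)[0]
                yield pos, MACHINE.get(machine, hex(machine))
        pos = blob.find(b"MZ", pos + 1)       # stray "MZ" text is rejected by the PE check

def triage_xlsx(data):
    """Hash every OOXML embedded object and list the PE images carved from it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            blob = z.read(name)
            findings.append({"entry": name, "size": len(blob),
                             "sha256": hashlib.sha256(blob).hexdigest(),
                             "pe_images": list(carve_pe_images(blob))})
    return findings

# --- constructed sample workbook: a stand-in for the dropper, not the real file ---
def _fake_pe(machine):
    """Minimal MZ stub + PE signature + Machine field; headers only, not executable."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew: PE header right after the DOS header
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

def build_sample_xlsx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin",
                   b"\xd0\xcf\x11\xe0" + b"\0" * 60          # OLE compound-file magic + padding
                   + _fake_pe(0x014C) + b"\0" * 32 + _fake_pe(0x8664))
    return buf.getvalue()
```

On a real sample the reported offsets are where to start carving each DLL out of oleObject1.bin for separate hashing and signature inspection.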

Both DLL files are FRIENDSPEAK (aka Get2, GetAndGo) downloaders. Another important note is that they are digitally signed with Sectigo-issued certificates and pass signature verification, lending further legitimacy to the malware. The following signature data was taken from the sample (SHA256: d5c234579d1b51ea826c3dfd8251a82397fd0e9d6ee456d4f7b00bf58b7031a0).

  • Name: INFINITE PROGRAMMING LIMITED
  • Issuer: Sectigo RSA Code Signing CA
  • Valid From: 03:12 PM 08/21/2020
  • Valid To: 03:12 PM 08/21/2020
  • Valid Usage: Code Signing
  • Algorithm: sha256RSA
  • Thumbprint: 7239764D40118FC1574A0AF77A34E369971DDF6D
  • Serial Number: 4E 8D 4F C7 D9 F3 8A CA 11 69 FB F8 EF 2A AF 50

Examining the structure of each DLL with open-source tools such as Ghidra and capa shows noticeable differences between the two files; presumably, different packing techniques are used. The 32-bit DLL’s import table consists only of kernel32.dll, and it has more functions that are readable. The 64-bit DLL has four imports and shows more obvious anti-analysis techniques, such as calls to the IsDebuggerPresent API. We ran both files through FireEye’s capa tool in order to highlight some of the differences. The images below show the 32-bit DLL followed by the 64-bit DLL.

Capa Output

Samples were also run through the Intezer sandbox to identify any code overlap with other malware. The most notable finding was shared code with a number of samples from 2019 whose associated VirusTotal reports show engine detections for Gracewire (FlawedGrace). It is unclear whether a genuine code overlap exists between Get2 and other TA505 tools or whether various anti-malware engines are categorizing the malware incorrectly.

Finally, after the DLLs execute, C2 traffic containing certain host details has been observed being sent to the following domains (this is not a comprehensive list of the C2 network):

  • See-back[.]com
  • Siron-del[.]com

It is at this point that the second stage is pulled down onto the machine. The second stage has been identified as SDBbot, a newer remote access Trojan (RAT) written in C++ that is delivered by Get2 in the most recent TA505 campaigns.

The persistence mechanisms identified by researchers include the use of autorun registry keys; however, past TA505 campaigns have been noted to use application shimming, a technique that can be used to execute malicious code when legitimate processes start. Part of the current campaign also downloads a version of PuTTY SFTP onto the victim machine, which could be leveraged in this manner.
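A hunt for the two persistence mechanisms named above, as an added example rather than a detection from the article: it tags Sysmon-style events for sdbinst.exe execution and writes under the AppCompatFlags\Custom and InstalledSDB keys (where custom shim databases are registered), and for Run-key entries, with an extra tag when the autorun payload lives in the Templates directory the dropper uses. The events are constructed; the user name, GUID and SDB file name are placeholders.

```python
import re

# Constructed Sysmon-style events (not real telemetry from the campaign):
# an sdbinst run, a shim-database registry write, a Run-key entry pointing
# at the Templates directory used by the dropper, and one benign write.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst.exe -q C:\Users\victim\AppData\Local\Temp\upd.sdb"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                                    r"\AppCompatFlags\Custom\explorer.exe\{0000-example}.sdb"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\psftp",
     "Details": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Templates\psftp.exe"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Office\16.0\Excel\Options\Foo",
     "Details": "1"},
]

# Registry locations written when a custom shim database is installed
SHIM_KEY = re.compile(r"\\AppCompatFlags\\(Custom|InstalledSDB)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
TEMPLATES_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\", re.IGNORECASE)

def classify(event):
    """Tag one event with the persistence techniques it evidences."""
    tags = []
    if event.get("EventID") == 1 and event.get("Image", "").lower().endswith("\\sdbinst.exe"):
        tags.append("shim-install:sdbinst")
    if event.get("EventID") == 13:
        target = event.get("TargetObject", "")
        if SHIM_KEY.search(target):
            tags.append("shim-persistence:registry")
        if RUN_KEY.search(target):
            tags.append("autorun:registry")
            if TEMPLATES_DIR.search(event.get("Details", "")):
                tags.append("autorun:payload-in-templates-dir")
    return tags

def hunt(events):
    """Return (index, tags) for every event that matched at least one rule."""
    hits = []
    for i, e in enumerate(events):
        t = classify(e)
        if t:
            hits.append((i, t))
    return hits
```

Legitimate software occasionally writes these keys too, so the tags are a starting point for triage: correlate the shim or Run entry with the file it points to and with the Get2 artefacts described earlier.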

References

Proofpoint

Get2 Downloader

SDBbot
