TA505 is a cybercrime group that has been active since 2014, targeting Education and Financial institutions. In February 2020, Maastricht University, a public university in the Netherlands, reported that it was a victim of TA505’s massive ransomware attack using phishing emails. TA505 usually uses phishing emails to deliver malicious Excel files that drop payloads once they are opened. TA505’s phishing emails use attachments featuring an HTML redirector for delivering the malicious Excel files, according to research conducted by TrendMicro in July 2019. Recently, a new phishing email campaign using the same attack strategy was discovered by the Microsoft Security Intelligence team. In this blog post, we will take a look at the files used in the attack and explore how OPSWAT’s Deep Content Disarm and Reconstruction technology (Deep CDR™ Technology) can help prevent similar attacks.
Attack vectors
The attack flow used is a very common one:
- A phishing email with an HTML attachment is sent to a victim.
- When the victim opens the HTML file, it automatically downloads an Excel file containing a malicious macro.
- This Excel file drops a malicious payload when the victim opens it.
The HTML and Excel files were examined on metadefender.opswat.com in early February 2020.
The HTML file was identified as a fake Cloudflare page with relatively simple JavaScript that redirects users to a download page after 5 seconds.


The Excel file contains several obfuscated macros.

When the victim opens the file and enables the macro, a fake Windows process UI appears, which is in fact a Visual Basic form, making the victim think that Excel is configuring something.

In the background, the macro runs and drops several files onto the victim's system at the following paths:
- C:\Users\user\AppData\Local\Temp\copy13.xlsx
- C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sample_.dll (RAT)
How can Deep CDR™ Technology protect you from the phishing attack?
If the HTML file is sanitized by Deep CDR™ Technology, all risk vectors, including JavaScript, are removed. After the process, the user opens the sanitized file without the redirection described above; as a result, the malicious Excel file cannot be downloaded either.
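The HTML redirector described above (a lure page that forwards the reader to a download after a delay) and the sanitization step that defeats it can be shown in a few lines. The following is an added example, not OPSWAT's Deep CDR code: a small Python sanitizer that rebuilds an HTML attachment without scripts, inline event handlers, script: URLs, frames/objects and meta-refresh redirects, and reports each removal so the same pass doubles as a detection signal. The sample page and the example.invalid URL are constructed placeholders.

```python
"""Strip active content from an HTML attachment and report what was removed.

Constructed example, not OPSWAT code: scripts, frames/objects, inline event handlers, script:
URLs and meta-refresh redirects are dropped and everything else is rebuilt unchanged, so a lure
page can no longer forward the reader to a download on its own.
"""
from html import escape
from html.parser import HTMLParser

ACTIVE_ELEMENTS = {"script", "iframe", "frame", "object", "embed", "applet"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data"}
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}

def _dangerous_url(value):
    v = (value or "").replace("\x00", "").strip().lower()
    return v.startswith(("javascript:", "vbscript:", "data:text/html"))

def _meta_refresh(tag, attrs):
    """Return the refresh directive if this is <meta http-equiv=refresh>, else None."""
    d = dict(attrs)
    if tag == "meta" and (d.get("http-equiv") or "").strip().lower() == "refresh":
        return d.get("content") or ""
    return None

class HtmlSanitizer(HTMLParser):
    """Rebuilds the document without active content; findings lists what was removed."""
    def __init__(self):
        super().__init__()   # convert_charrefs=True: text arrives decoded, re-escaped on output
        self.out, self.findings = [], []   # findings: (kind, detail) pairs in document order
        self._drop_depth = 0  # > 0 while inside an element whose whole subtree is removed

    def _emit(self, s):
        if self._drop_depth == 0:
            self.out.append(s)

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                              # onload=, onerror=, ...
                self.findings.append(("event-handler", f"<{tag} {name}>"))
            elif name in URL_ATTRIBUTES and _dangerous_url(value):
                self.findings.append(("script-url", f"<{tag} {name}={value!r}>"))
            else:
                kept.append((name, value))
        return "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept)

    def _open(self, tag, attrs, self_closing):
        refresh = _meta_refresh(tag, attrs)
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(("active-element", f"<{tag}>"))
            if not self_closing and tag not in VOID_ELEMENTS:
                self._drop_depth += 1                              # swallow content up to the end tag
        elif refresh is not None:
            self.findings.append(("meta-refresh", refresh))
        else:
            self._emit(f"<{tag}{self._clean_attrs(tag, attrs)}{'/' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self._drop_depth = max(0, self._drop_depth - 1)
        else:
            self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(escape(data, quote=False))

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")   # comments are never re-emitted (HTMLParser's default ignores them)

def sanitize_html(document):
    """Return (sanitized_html, findings)."""
    p = HtmlSanitizer()
    p.feed(document)
    p.close()
    return "".join(p.out), p.findings

# Constructed lure page modelled on the fake browser check described above; the URL is a placeholder.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="5;url=https://example.invalid/download">
<script>setTimeout(function () { window.location = "https://example.invalid/download"; }, 5000);</script>
</head>
<body onload="start()">
<p>Please wait 5 seconds while we verify your browser &amp; connection.</p>
<a href="javascript:void(0)">Retry</a>
</body></html>
"""

if __name__ == "__main__":
    clean, findings = sanitize_html(SAMPLE_HTML)
    print(findings, clean, sep="\n")
```

Running it on the sample reports a meta-refresh, a script element, an onload handler and a javascript: link, and returns a page that still renders its text but cannot navigate anywhere by itself. The findings list is what a mail gateway would log: an HTML attachment whose only purpose is to redirect is exactly the lure pattern in this campaign.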

In addition, TA505's earlier phishing campaigns sent the malicious Excel file directly to victims as an email attachment. Deep CDR™ Technology is effective in this case as well: it removes all macros and OLE objects and also recursively sanitizes every image in the file.
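For the Excel attachment, the equivalent operation on the OOXML package can be shown in a few lines. The following is an added example, not OPSWAT's Deep CDR implementation: it builds a constructed macro-enabled workbook containing a placeholder VBA project and a placeholder embedded OLE object, inventories the risky parts, strips them together with the content-type and relationship entries that referenced them, and verifies that the result is a consistent, non-macro workbook. The part names, relationship types and content types are the standard OOXML ones; the .bin contents are placeholder bytes, not real VBA or OLE streams, and the list of risky parts is deliberately minimal.

```python
"""Simplified CDR-style sanitizer for an OOXML workbook package (.xlsm/.xlsx).

Constructed illustration, not OPSWAT's Deep CDR: it drops the VBA project and embedded OLE parts,
removes the content-type and relationship entries that pointed at them (so the package stays
consistent and is no longer macro-enabled) and reports what was removed. A real engine covers far
more (DDE formulas, external links, ActiveX, custom UI, images re-rendered, ...).
"""
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
RISKY_PART = re.compile(r"^xl/(vbaProject(Signature)?\.bin|embeddings/.+|activeX/.+)$", re.I)

def _rels_base(rels_name):
    # directory of the part a .rels file belongs to: "xl/_rels/workbook.xml.rels" -> "xl"
    return posixpath.dirname(posixpath.dirname(rels_name))

def _resolve(base, target):
    # relationship Target -> package part name
    return target.lstrip("/") if target.startswith("/") else posixpath.normpath(posixpath.join(base, target))

def describe_workbook(data):
    """Inventory: risky parts, macro-enabled flag, and relationships pointing at parts that do not exist."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        ct_root = ET.fromstring(z.read("[Content_Types].xml"))
        refs = [_resolve(_rels_base(n), rel.get("Target", ""))
                for n in names if n.endswith(".rels")
                for rel in ET.fromstring(z.read(n)) if rel.get("TargetMode") != "External"]
    return {"risky_parts": sorted(n for n in names if RISKY_PART.match(n)),
            "macro_enabled": any(el.get("ContentType") == MACRO_WORKBOOK_CT for el in ct_root),
            "dangling_refs": sorted(r for r in refs if r not in names)}

def _clean_content_types(blob, removed):
    root = ET.fromstring(blob)
    for el in list(root):
        if el.get("PartName", "").lstrip("/") in removed:
            root.remove(el)                                # no part, no Override
        elif el.get("ContentType") == MACRO_WORKBOOK_CT:
            el.set("ContentType", PLAIN_WORKBOOK_CT)       # the workbook is no longer macro-enabled
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def _clean_rels(rels_name, blob, removed):
    root, base = ET.fromstring(blob), _rels_base(rels_name)
    for rel in list(root):
        if rel.get("TargetMode") != "External" and _resolve(base, rel.get("Target", "")) in removed:
            root.remove(rel)                               # relationship pointed at a removed part
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def sanitize_workbook(data):
    """Return (sanitized package bytes, sorted names of removed parts)."""
    removed = set(describe_workbook(data)["risky_parts"])
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            blob = src.read(name)
            if name == "[Content_Types].xml":
                blob = _clean_content_types(blob, removed)
            elif name.endswith(".rels"):
                blob = _clean_rels(name, blob, removed)
            dst.writestr(name, blob)
    return out.getvalue(), sorted(removed)

def build_sample_xlsm():
    """Constructed stand-in for the malicious attachment: a macro-enabled workbook with a VBA project
    and one embedded OLE object. The .bin parts are placeholder bytes, not real VBA or OLE streams."""
    parts = [
        ("[Content_Types].xml", f'<Types xmlns="{CT_NS}">'
         '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
         f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_WORKBOOK_CT}"/>'
         '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
         '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
         '<Override PartName="/xl/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
         '</Types>'),
        ("_rels/.rels", f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OD_REL}/officeDocument" Target="xl/workbook.xml"/></Relationships>'),
        ("xl/workbook.xml", '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheets><sheet name="Sheet1" sheetId="1"/></sheets></workbook>'),
        ("xl/_rels/workbook.xml.rels", f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OD_REL}/worksheet" Target="worksheets/sheet1.xml"/>'
         '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>'),
        ("xl/worksheets/sheet1.xml", '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData/></worksheet>'),
        ("xl/worksheets/_rels/sheet1.xml.rels", f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OD_REL}/oleObject" Target="../embeddings/oleObject1.bin"/></Relationships>'),
        ("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project (constructed)"),
        ("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0 placeholder OLE object (constructed)"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts:
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    original = build_sample_xlsm()
    cleaned, removed = sanitize_workbook(original)
    print(describe_workbook(original), removed, describe_workbook(cleaned), sep="\n")
```

The point of the `dangling_refs` check is that removing parts is not enough: a relationship that still points at a deleted `vbaProject.bin` leaves a package that Excel may flag as corrupt, so the relationships and the macro-enabled content type are rewritten too. Before sanitizing, the inventory shows two risky parts and `macro_enabled: True`; afterwards it shows none, no dangling references and a plain workbook content type.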

Conclusion
TA505 is currently very active with email phishing campaigns, and various sophisticated malware types have been used to increase the chances of getting into your system. Enterprises are advised to improve both their employee phishing awareness training and their security systems. MetaDefender Core, leveraging 6 industry-leading cybersecurity technologies in combination with MetaDefender Email Security, brings the most comprehensive protection to your organization. MetaDefender's Multiscanning technology uses more than 35 commercial AV engines to detect nearly 100% of known malware, while Deep CDR™ Technology protects against zero-day attacks by unknown threats. In addition, as an essential PII protection layer, Proactive DLP prevents sensitive data in files and emails from entering or leaving your organization.
Schedule a meeting with an OPSWAT technical expert to learn how to protect your organization against advanced cyber threats.
References:
- Maastricht University pays 30 bitcoins in ransom to the TA505 group
- Shifting tactics: the TA505 group's use of HTML, RATs and other techniques in its latest campaigns
