Attacks on inexperienced Excel users. The hacker group TA505 (Threat Actor 505, also called Graceful Spider or Gold Tahoe) has launched a whole series of digital attacks on companies, including a campaign specifically in German-speaking countries.
|The messages with which the criminal hacker group TA505 attacks companies and private users in Germany and Austria look like this or something similar.|
Since the beginning of September 2021, researchers at the US cybersecurity company Proofpoint have again been tracking malware campaigns by the TA505 group. The group evidently has considerable financial resources and has been responsible for some of the largest e-mail-borne attacks of recent years, distributing the banking trojans Dridex and TrickBot (also known as The Trick), both used to steal online-banking credentials, as well as the Locky and Jaff ransomware families. The campaigns now observed span a variety of industries and started with low e-mail volumes; the volume has been increasing since the end of September and reached hundreds of thousands of e-mails in October.
|If the user enables the content of the Excel attachment (that is, allows its macros to run), malware is installed that either steals online-banking login data or encrypts the PC, after which a ransom is demanded for decryption.|
Many of the campaigns, especially the high-volume ones, closely resemble TA505's activity in 2019 and 2020: the domain names, the e-mail lures, the Excel file lures and the use of the remote access trojan (RAT) FlawedGrace all overlap with the earlier campaigns.
“Never open files of unknown origin,” warns Sherrod DeGrippo, Proofpoint’s senior director of threat research and detection. “The TA505 hacker group is currently attacking users in Germany and Austria again with a series of cyber campaigns. If you click on a file belonging to the criminals, the PC will be encrypted and only decrypted for a ransom. Another tactic used very often by the perpetrators is the theft of login data.”
She also recommends: “Private users should simply delete the entire e-mail from the unknown sender. If you receive a suspicious e-mail on your company PC, notify your company’s IT department immediately. They will make sure that nothing bad happens.”
October 13, 2021: Landing page branding and OneDrive abused.
TA505 is an established, financially motivated threat actor known for running malicious e-mail campaigns at unprecedented scale. The group regularly changes its tactics, techniques and procedures (TTPs) and is considered a trendsetter in the world of cybercrime. It does not restrict its targets and is opportunistic about which regions and industries it attacks. This, combined with TA505’s ability to stay flexible, focus on the most lucrative targets and change its TTPs as needed, makes the actor a constant threat.
Proofpoint researchers anticipate that TA505 will continue to adapt its operations and methods, always with financial gain in mind. The use of intermediate loaders in its attack chain is also likely to become a longer-term technique of the threat actor.