Level 62
Content Creator
Malware Hunter
The threat actor best known for operating the Dridex banking Trojan and the Locky ransomware has started using a new downloader in June, Proofpoint reports.

Referred to as TA505 and believed to speak Russian, the financially motivated threat actor has proven highly prolific over time, being associated with the use of banking Trojans such as Shifu and Dridex, ransomware, and various backdoors, including ServHelper and FlawedAmmyy.

Last month, Proofpoint’s security researchers noticed TA505 using a new Trojan downloader to deliver the FlawedAmmyy full-featured remote access Trojan (RAT). Dubbed AndroMut, the downloader shows code and behavior similarities to Andromeda, a long-established malware family.

AndroMut was observed in two separate campaigns, both using HTM or HTML attachments linking to a Word or Excel file containing malicious macros to execute an Msiexec command and download and execute either AndroMut or a FlawedAmmyy loader.