Level 62
Content Creator
Malware Hunter
TA505, the Russian-speaking threat actor known for operating the Dridex Trojan and Locky ransomware, has been using a new remote access Trojan (RAT) in recent attacks, Proofpoint reports.

Dubbed SDBbot, the backdoor is being dropped via Get2, a new downloader that distributes other payloads as well, including FlawedGrace, FlawedAmmyy, and Snatch. The RAT was initially observed in attacks on South Korean users, as a secondary payload to the FlawedAmmyy RAT.

The cybercriminals have been using the Get2 downloader since early September. Initially, it delivered FlawedAmmyy and FlawedGrace, but switched to dropping SDBbot in early October.

As part of these attacks, new Microsoft Office macros were used specifically with the Get2 downloader, Proofpoint’s security researchers report.