Russian Hackers Use RATs to Target Financial Entities

silversurfer

A financially motivated threat actor believed to speak Russian has used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide, Israel-based security firm CyberInt reports.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

Over the past months, the actor was observed switching to new backdoors in their attacks, including tRat, which is modular in nature, and ServHelper. Both RATs are written in Delphi.

In attack campaigns launched between December 2018 and February 2019, TA505 was observed employing the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, as well as retailers in the United States, CyberInt says in a new report (PDF).
 
