TA505 Crime Gang Deploys SDBbot for Corporate Network Takeover

silversurfer
Thread author
The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan (RAT) laterally throughout an entire corporate environment, researchers said.

SDBbot RAT is a custom job that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks.

“SDBbot has the ability to perform typical RAT functions, such as communicating with command-and-control servers (C2s), receiving commands and obtaining system information,” according to Melissa Frydrych, researcher with IBM X-Force Incident Response and Intelligence Services (IRIS), writing in an analysis posted Tuesday on the campaign. “On infected systems, this malware could grant attackers extensive ability to drop and execute additional malicious payloads, control infected systems and perform actions the legitimate user would have access to.”

In one set of recent campaigns extensively analyzed by IBM X-Force, targeted emails were sent to enterprise employees in Europe. The malicious emails purported to be messages coming from the HR department via Onehub, which is a legitimate, cloud-based file-sharing application for businesses.

The messages had attached, macro-enabled documents called simply “Resume.doc.” And if opened, they ultimately delivered the SDBbot malware, via a dropper containing embedded dynamic-link libraries (DLLs) and the use of an installer component, according to the firm.

The messages also contained code that harvested Active Directory credentials in order to elevate privileges and compromise other machines in the network.

“The emails were designed to extract Active Directory (AD) discovery data and user credentials, and to infect the environment with the SDBbot RAT,” explained Frydrych.
