silversurfer (Thread author)
Aug 17, 2014
A threat group known for deploying the Clop ransomware and Dridex trojan is now using a unique remote administration tool that can communicate directly with other compromised hosts via a peer-to-peer network.
Researchers at NCC Group have been tracking the activity from a group known as TA505 for several months and they’ve discovered at least three distinct networks of infected machines. The RAT that the group is deploying bears some resemblance to other tools that TA505 uses, such as a similar programming style to a tool known as Grace that the group has deployed for several years.
The new RAT that NCC Group discovered is relatively simple and includes three individual components: a loader, a signed driver, and a tool that performs the communication with other nodes on the network. Once the downloader is on a new machine, it checks the operating system version and then contacts the remote command-and-control server and downloads several other files, including the P2P binary itself, some drivers, and lists of processes, drivers, services, registry keys, and files to filter.
The signed driver that the downloader installs performs most of the other pertinent actions, such as decrypting shellcode, copying it, and then running the payload. The P2P functionality in the RAT uses the UDP protocol for communication. “After the initialisation phase has been completed, the sample starts sending UDP requests to a list of IPs in order to register itself into the network and then exchange information,” the researchers said.
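The UDP peer-registration behaviour described above, a freshly infected host sending requests to a list of IPs, shows up in flow telemetry as a burst of outbound UDP to many distinct external addresses. As an added example that is not from the article or from NCC Group's research, the Python below scans constructed flow records and flags any internal host whose distinct external UDP peers within a time window reach a threshold; the log format, the threshold, the window and the ignored-port allowlist are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records for illustration (not real telemetry):
# "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = [
    "2020-01-01T10:00:01 10.0.0.5 203.0.113.1 UDP 5000",
    "2020-01-01T10:00:05 10.0.0.5 203.0.113.2 UDP 5000",
    "2020-01-01T10:00:09 10.0.0.5 203.0.113.3 UDP 5000",
    "2020-01-01T10:00:14 10.0.0.5 198.51.100.4 UDP 5000",
    "2020-01-01T10:00:20 10.0.0.5 198.51.100.5 UDP 5000",
    "2020-01-01T10:00:30 10.0.0.5 198.51.100.6 UDP 5000",
    "2020-01-01T10:00:02 10.0.0.7 10.0.0.53 UDP 53",       # internal resolver, skipped
    "2020-01-01T10:00:03 10.0.0.7 203.0.113.53 UDP 53",    # DNS, ignored port
    "2020-01-01T10:00:04 10.0.0.7 203.0.113.9 UDP 3478",
    "2020-01-01T10:00:06 10.0.0.7 203.0.113.10 TCP 443",   # not UDP, skipped
]

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IGNORED_PORTS = {53, 123}  # assumed allowlist: DNS and NTP fan-out is normal


def parse_flow(line):
    ts, src, dst, proto, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "port": int(port)}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def udp_fanout_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each source host to the set of distinct external UDP destinations it
    contacted, for hosts that reached `threshold` distinct peers inside `window`."""
    by_src = defaultdict(list)
    for f in sorted((parse_flow(line) for line in lines), key=lambda f: f["ts"]):
        if f["proto"] == "UDP" and f["port"] not in IGNORED_PORTS and not is_internal(f["dst"]):
            by_src[f["src"]].append(f)
    alerts = {}
    for src, flows in by_src.items():
        start = 0  # sliding window over this host's time-ordered flows
        for end in range(len(flows)):
            while flows[end]["ts"] - flows[start]["ts"] > window:
                start += 1
            peers = {f["dst"] for f in flows[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = alerts.get(src, set()) | peers
    return alerts
```

Tune the threshold against a baseline of your own network, since legitimate P2P software (VoIP, game clients, some update services) produces the same fan-out pattern.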