In my very first two blogs I gave you an overview of Emotet - probably the biggest threat actor for now when talking about malware. I explained details of its modular structure and which tricks Emotet uses to stay undetected. And of course, I talked about the consequences for defenders. Want more?
This time I would like to introduce another big threat actor to you: TA505. This is a globally spread malware, which acts mainly out of financial motivation. TA505 has been active since 2014, but we at Telekom Security have seen increased activity of this group, especially since the second half of 2019. I would like to show you which tools TA505 uses in contrast to Emotet to sneak into companies and organizations. So, here we go.
As of February 2020, they are mostly known for Big Game Hunting operations, in which they target large organizations with their ransomware attacks. This in turn ensures very high ransom payouts, easily in the range of six figure Euro amounts. For instance, TA505 targeted the University of Maastricht in December 2019 and demanded 30 bitcoins (BTC), roughly €220,000 at time of valuation, as ransom. Subsequently, the University of Maastricht took the decision to acquire a decryptor to get back their data.
Big Game Hunting operations can take from a couple of days up to one year. This includes the initial compromise of one or more endpoints in a network, the subsequent network exploration and lateral movement, the takeover of strategic points like domain controllers, and the final deployment of the ransomware to as many endpoints on the local network as possible.
As these operations comprise different stages, TA505 utilizes a wide range of hacking tools to accomplish their missions. Furthermore, they continuously change and update their toolset. For instance, they added the downloader Get2 and the Remote Access Trojan (RAT) SDBBot to their repertoire of malware in mid-2019. These frequent changes and updates are a major difference to the group behind Emotet (TA542 / MUMMY SPIDER), whose tools remain unchanged for long periods of time. I blogged on this group a couple of weeks ago. In this blog article, I will review hacking tools that TA505 is currently using.
Before we dive into TA505 current tool set, let us first have a look at how these tools are packed. As of time of writing, and at least since the second half of 2019, TA505 utilizes a custom packer to obfuscate its tools. While custom packers always mean more work, since they may require manual unpacking of the payload, they are a perfect way to track threat actors.
In addition to this custom packer, TA505 may pack their tools a second or even a third time with UPX. I observed that TA505 packed their Get2 downloader with one layer of UPX, a second layer of the TA505 packer, and a final third layer of UPX again (see Hashes in Appendix).
In a nutshell, the TA505 packer decrypts its payload using simple xor and rol/ror operations and its technical details are well covered by this blog article. There is no need to manually unpack TA505 binaries, since Tera0017 published a static unpacker. This unpacker is called TAFOF-Unpacker and it is available on github. As of time of writing, it works with the latest TA505 x86 binaries. Unfortunately, TAFOF-Unpacker does not work for x64 binaries yet. Thorsten Jenke and Daniel Plohmann provided the generic unpacker RoAMer, which is capable of unpacking the latest TA505 x64 binaries.
Let's look behind the packer
Now that we know how TA505 currently packs its tools and how to unpack them, let us have a look behind the curtains and see which tools TA505 is currently using. Throughout the last months, I obtained 121 samples that were packed by the TA505 packer. 46 samples are x86 binaries and 75 samples are x64 binaries. TAFOF-Unpacker unpacked all x86 binaries and RoAMer unpacked roughly 80% of all x64 binaries. In the following, I will review the tools that I found in the order of when they are typically utilized in a Big Game Hunting operation: from the initial malicious document to the final ransomware. Note that there are some outliers that I will address in this section as well as at the end of this article. A full listing of all samples and their classification can be found in the Appendix.
The Spam and The Maldocs
TA505 carries out high-volume spam campaigns to gain its initial foothold in an organization. As of February 2020, the spam emails come with an HTML redirector attachment, which points to a server with an office / a share-hoster themed domain name.
This server typically serves Microsoft Excel documents. These documents include a malicious VBA Macro and try to lure the victim to activate Macros.
If the targeted user enables Macros then the embedded VBA Macro loads either a x86 or x64 embedded payload. As of February 2020, this is typically the Get2 downloader.
The Downloader: Get2
Get2 is a very simple downloader. It has only two objectives. First, it calls home to its Command and Control (C2) server and exfiltrates information regarding the victim’s system. This information includes the username, the device name, the Windows version, and the list of running processes. Based on this information, the C2 server decided to serve another payload to Get2. Second, Get2 executes the payload provided by its C2 server. As of February 2020, this is typically the RAT SDBBot.
Another Downloader: Amadey
Even though Get2 seems to be current downloader, I found one Amadey dropper sample packed with the TA505 packer. Amadey is a very simplistic downloader that is sold for $600 in the Russian cybercrime underground. There is only one Amadey sample in the corpus that I analyzed. There could be many possible reason for this, which I will address at the end of this article.
The RAT: SDBBot
Since September 2019, I have observed SDBBot to be a consistent third stage payload, which Get2 downloads. SDBBot is a Remote Administration Tool (RAT) that a human operator utilizes to prepare lateral movement.
Its capabilities include, amongst other, execution of further payloads, video recording, enabling of RDP, as well as listing, writing, and deleting of files / directories. A good write-up about SDBBot's capabilities can be found here. SDBBot is very prevalent in my data set. A huge share of the x64 samples was SDBBot, however, there were no x86 samples of SDBBot. This is in line with the market share of 64 bit Windows. Another explication could be that x86 SDBBots are packed differently and therefore the data set does not comprise any of them.
Another RAT: FlawedGrace
FlawedGrace is another RAT that was first observed in 2017. It seems to be exclusively utilized by TA505 at this point in time. In my data set there were only two FlawedGrace samples and dozens of SDBBot samples, which may indicate that FlawedGrace was mostly replaced by SDBBot.
Yet Another RAT: Silence
Silence is a RAT that is (exclusively) developed and operated by the Silence Group, a presumably Russian cybercrime gang. They carry out attacks against financial organizations. Group-IB pointed out a connection to TA505, stating that the downloader of TA505's RAT FlawedAmmyy and the downloader of Silence are similar. Finding Silence packed with the TA505 packer suggests a possible on-going collaboration of these two gangs, although possibly a minor one due to the low sample count of two.
The Information Stealer: Azorult
Azorult is a classic information stealer that steals saved passwords, credit card information, and cookies from browsers, as well as credentials from a wide range of software such as Filezilla, Microsoft Outlook, and Thunderbird. Potential use cases of TA505 could be utilizing stolen credentials for lateral movement, feeding stolen mail account credentials back to the spamming stage, or selling them to the highest bidder. Researchers at Blueliv also observed other information stealer like Predator The Thief in the context of TA505.
The Post-Exploitation Tool: TinyMet
TinyMet is a very small (around 4KB) stager for Metasploit's Meterpreter. Its main objective is to establish a communication channel between the attacker and victim and to execute a file-less payload on the victim's machine.TA505 utilizes TinyMet during the post-exploitation phase in order to deploy their ransomware Clop.
The utilization of public Offensive Security Tools (OSTs) by threat actors involved in Big Game Hunting operations is a common trend. It is logical since these OSTs provide capabilities that threat actors do not have to build on their own. In addition, many of them are freely available, either as open source software or as cracked versions (e.g. Cobalt Strike).
The Preparation Tool: DeactivateDefender
TA505 proceeds the last stage of rolling out their ransomware by deactivating security tools. The objective is preventing any behavioral analysis from stopping their ransomware and the ongoing encryption process. The tool DeactivateDefender achieves this by changing Windows Defender related registry keys. In my sample set, I only found several samples that deactivate Windows Defender, though there seem to be variants, which target other security tools like Malwarebytes.
The Ransomware: Clop
TA505 finishes its Big Game Hunting operations with their ransomware Clop. At this stage the threat actor must be pretty confident that their operation will succeed: strategic points of the target network have been taken over and antivirus software has been disabled. As a consequence, Clop encrypts many, if not all, endpoints of the target network within minutes. From a technical point of view, Clop emerged as a variant of another ransomware called CryptoMix but by now it seems to be developed separately.
In this blog article, I have had a look at a partial set of TA505 tools that are currently in use. Note that this is only a snapshot of their toolset. A couple of weeks ago, Blueliv mentioned additional tools like the RAT ServHelper and a modified TeamViewer client. In general, TA505 continuously replaces parts of their toolset. They have abandoned many tools and they certainly will abandon at some point the tools I observed. One of TA505 tactics seems to continuously change their tools to evade detection and to make tracking more difficult.
Having reviewed the tools that are behind the TA505 packer, there are many questions that one now could pose regarding TA505 and this packer: is TA505 one group or several groups? Or is it a group of subgroups that share one packer? Or do they share their packer with affiliated groups like Silence? Or is the TA505 packer not exclusive to TA505 and it just another packer sold in the cybercrime underground? I believe that this packer is exclusive to what is publicly tracked as TA505 since the majority of samples are in line with what is publicly tracked as TA505. Only few samples seem to be outliers. For instance, the Amadey downloader sample, which could have been an experiment or a service to a client / affiliated group. Otherwise I would have expected to see more samples of this early stage tool like in the case of the Get2 downloader. And in the case of the Silence RAT, there seems to be at least some form of cooperation between TA505 and Silence Group. Even though these outliers exist, the vast majority of samples falls into the Big Game Hunting category.
Another question regarding TA505 that may come to one’s mind is whether there is another branch of TA505 that carries out more targeted attacks (e.g. as reported by BlueLiv and by FireEye) or it is the same group that carries out these attacks. At least the ServHelper RAT that is mentioned in the BlueLiv report (see Appendix) seems not to be packed with the TA505 packer, which is another modus operandi. In fact, FireEye started to track this subset of what is publicly tracked as TA505 as another group.
Hashes of representative samples
Dissecting Emotet - Part 2
Cybersecurity: This modular botnet is active at least since 2014 but became very powerful. Thomas Barabosch explains how it works, module by module.