TA505 Hackers Group Spreading FlawedGrace RAT Via Mass Email Campaigns

A large malicious email campaign attributed to the TA505 group has recently been observed targeting users in Germany and Austria; through these emails the threat actors distribute the FlawedGrace RAT.

The current campaign has been linked to the TA505 hacking group, whose members have used the Dridex banking Trojan and the following tools in their past attacks:-

  • FlawedAmmyy
  • FlawedGrace
  • Neutrino botnet
  • Locky ransomware

Evolving Campaigns

The attacks began with a series of small waves of emails, each delivering only a few thousand messages, before the volume spiked in late September to hundreds of thousands.

The picture changed in late September and early October 2021: in that time frame TA505 began sending much higher email volumes, in the tens to hundreds of thousands, to a wider range of industries.

Commonalities to Historic TA505 Activity

Comparing the current campaign with earlier TA505 campaigns reveals many similarities, among them:-

  • Emails
  • Landing pages
  • Excel graphic lures
  • Domain naming conventions
  • Code reuse

After opening the malicious Microsoft Excel attachments, users are tricked into enabling macros; the macros then download an obfuscated MSI file that installs the next-stage downloaders.

Once that is done, the downloaders install an updated version of the FlawedGrace remote access Trojan. At this stage the loader scaffolds are written in uncommon scripting languages, namely:-

  • Rebol
  • KiXtart
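The delivery chain described above (Excel macro, then an MSI-based downloader, then a loader written in an uncommon scripting language) gives a defender a concrete parent/child process pattern to hunt for. The following is an added example, not code from the article or from any vendor: it walks constructed, Sysmon-style process-creation events and flags Office spawning msiexec.exe, msiexec.exe spawning an unusual interpreter, and the full chain. The interpreter binary names (kix32.exe, rebol.exe, r3.exe) are assumptions used for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample events (simplified Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 4188, "ppid": 4101, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 4260, "ppid": 4188, "image": r"C:\Users\u\AppData\Local\Temp\kix32.exe"},
    {"pid": 5000, "ppid": 800,  "image": r"C:\Windows\System32\msiexec.exe"},  # benign install
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
INSTALLERS = {"msiexec.exe"}
# Assumed interpreter binary names for KiXtart and Rebol; adjust to your environment.
UNCOMMON_INTERPRETERS = {"kix32.exe", "rebol.exe", "r3.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_suspicious_spawns(events: List[Dict]) -> List[Tuple[str, int, int]]:
    """Return (rule, parent_pid, child_pid) for each suspicious parent/child pair."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in our window; nothing to compare against
        child, par = basename(e["image"]), basename(parent["image"])
        if par in OFFICE_PARENTS and child in INSTALLERS:
            findings.append(("office_spawns_msiexec", parent["pid"], e["pid"]))
        if par in INSTALLERS and child in UNCOMMON_INTERPRETERS:
            findings.append(("msiexec_spawns_uncommon_interpreter", parent["pid"], e["pid"]))
    return findings


def full_chain_root(events: List[Dict], pid: int, max_depth: int = 6) -> Optional[int]:
    """If `pid` is an uncommon interpreter whose ancestry passes through msiexec.exe
    and then an Office process, return the Office pid; otherwise None."""
    by_pid = {e["pid"]: e for e in events}
    node = by_pid.get(pid)
    if node is None or basename(node["image"]) not in UNCOMMON_INTERPRETERS:
        return None
    seen_installer = False
    for _ in range(max_depth):
        node = by_pid.get(node["ppid"])
        if node is None:
            return None
        name = basename(node["image"])
        seen_installer = seen_installer or name in INSTALLERS
        if name in OFFICE_PARENTS and seen_installer:
            return node["pid"]
    return None
```

A real deployment would key on parent/child image paths from EDR or Sysmon telemetry; the benign msiexec.exe event without an Office ancestor shows that the chain, not msiexec.exe alone, is the signal.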

Commands supported by FlawedGrace RAT

FlawedGrace was first discovered in November 2017. It is a full-featured RAT written in C++ and specifically designed to hinder reverse engineering and analysis.

The Trojan receives and executes the following commands from its C&C server over a custom binary protocol on TCP port 443:-

  • target_remove
  • target_update
  • target_reboot
  • target_module_load
  • target_module_load_external
  • target_module_unload
  • target_download
  • target_upload
  • target_rdp
  • target_passwords
  • target_servers
  • target_script
  • destroy_os
  • desktop_stat

Apart from this, TA505 is a financially motivated hacking group well known for conducting malicious email campaigns on an unprecedented scale.

The group also changes its TTPs frequently, which is why it is considered one of the leaders in the cybercrime world.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
