The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan (RAT) laterally throughout an entire corporate environment, researchers said.
SDBbot RAT is a custom job that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks.
“SDBbot has the ability to perform typical RAT functions, such as communicating with command-and-control servers (C2s), receiving commands and obtaining system information,” according to Melissa Frydrych, researcher with IBM X-Force Incident Response and Intelligence Services (IRIS), writing in an analysis posted Tuesday on the campaign. “On infected systems, this malware could grant attackers extensive ability to drop and execute additional malicious payloads, control infected systems and perform actions the legitimate user would have access to.”
In one set of recent campaigns extensively analyzed by IBM X-Force targeted emails were sent to enterprise employees in Europe. The malicious emails purported to be messages coming from the HR department via Onehub, which is a legitimate, cloud-based file-sharing application for businesses.
The messages had attached, macro-enabled documents called simply “Resume.doc.” And if opened, they ultimately delivered the SDBbot malware, via a dropper containing embedded dynamic-link libraries (DLLs) and the use of an installer component, according to the firm.
The messages also contained code that harvested Active Directory credentials in order to elevate privileges and compromise other machines in the network.
“The emails were designed to extract Active Directory (AD) discovery data and user credentials, and to infect the environment with the SDBbot RAT,” explained Frydrych.
The Infection Routine
If an employee was duped into opening the document, it executed a code tasked with establishing a persistence mechanism and the malicious password harvester, according to the researcher.
“In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files,” Frydrych wrote in the analysis. She added, “The investigation led our team to the discovery of a file named wsus.exe (a version of TinyMet, a tiny, flexible Meterpreter stager), along with three additional files that were created and executed on the first compromised system.”
The three additional files make up SDBbot. There’s an installer, a loader and the payload itself.
X-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot’s code and strings upon execution. “If regular user privileges are running, the installer component will establish persistence using the registry Run and execute [the next stage],” Frydrych said.
The SDBbot RAT loader meanwhile decompresses and executes the SDBbot payload. Its DLL files were installed as persistence mechanisms, where the loaders were injected into the process winlogon.exe to execute every time the process was called.
As for the SDBbot RAT payload itself, it retrieved a C2 address from a hard-coded file or from a default server. It then gathered system information to the C2 and then awaited further instructions.
In the campaign, TA505 used the initially compromised system to escalate privileges and move laterally across additional systems on the network using the AD credentials harvested earlier, according to the researcher. To maintain access to the additional systems, the malware executed malicious PowerShell services running as the local SYSTEM, and also installed bind shells, she noted.
“A Meterpreter reverser shell was used in order to remotely control compromised systems within the internal network,” Frydrych explained. “It was installed as a service using the execution of an encoded PowerShell script. The malicious PowerShell command decodes into a reverse shell connecting back to two malicious IP addresses.”
Ongoing Activity
TA505 (a.k.a. Hive0065) is a financially motivated cybercrime group that has been actively targeting various industries, including finance, retail and restaurants, since at least 2014. It’s known for ongoing malware authoring and development, including fully-fledged backdoors and RATs – and the SDBbot campaign is not the only appearance by the gang of late.
In January for instance, a new backdoor named ServHelper was spotted in the wild, acting as both a remote desktop agent as well as a downloader for a RAT called FlawedGrace. According to Frydrych, recent campaigns have including a variety of payloads, including the Dridex and TrickBot banking trojans, and ransomware such as Clop/Cryptomix, Locky and MINEBRIDGE.
In March, IBM X-Force observed TA505 using COVID-19 themed phishing emails to deliver both Locky and Dridex. The targets included healthcare organizations, which were sent emails purporting to come from medical research groups and offering supposed coronavirus remedies in exchange for bitcoin payments.
“We expect to see this group continue to target a wide range of industries using social engineering to deliver open-source and custom malware, while constantly adjusting TTPs and C2 infrastructure to evade detection,” concluded Frydrych.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.