A new campaign by the cyber-crime group known as TA505 steals Active Directory credentials to aid lateral movement.
The TA505 cyber-crime group has re-emerged with fresh attacks; this latest campaign involves deploying the SDBbot Remote-Access Trojan (RAT).
IBM
A recent blog post by researchers at IBM's X-Force Incident Response and Intelligence Services (IRIS) explains that the trojan has remote-access capabilities, accepts commands from a command-and-control (C&C) server (for example, to record video), and can exfiltrate significant data from the target's devices and networks.
Infected
“On infected systems, this malware could grant attackers extensive ability to drop and execute additional malicious payloads, control infected systems and perform actions the legitimate user would have access to. Remote-access Trojans are one of the most prevalent tools in targeted attacks as they facilitate that type of control for remote attackers,” explained Melissa Frydrych, a researcher at IBM.
Hackers
A recent attack by the group worked like this: a malicious email was sent to employees, purporting to come from an HR representative's account. The email body impersonated Onehub and asked the recipient to download a malicious document named ‘Resume.doc’.
The employee who received the email downloaded and opened the document, which contained malicious code. When that code executed, a persistence mechanism was installed and a malicious password harvester was run.
CobaltStrike
“In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network,” she commented.
The attack was also crafted to extract Active Directory (AD) discovery data and user credentials, and then to infect the entire environment with the SDBbot RAT.
C&C infrastructure
Frydrych added that the group is expected to “continue to target a wide range of industries using social engineering to deliver open-source and custom malware while constantly adjusting TTPs and C&C infrastructure to evade detection”.
David Erel, Senior Director, SaaS Platform at SentinelOne, said: “The main danger with RATs is that they make illegitimate use of perfectly legitimate functionality that your admins need.”
Piggyback
“No modern business can run an effective IT support service without the ability to remotely log in to users’ computers for troubleshooting and other support tasks. RATs piggyback on the same remote access services that legitimate tools like TeamViewer use, exploiting Windows Remote Desktop (RDP) and TCP networking protocols to install a backdoor to the attacker’s own machine,” he further explained.
RAT activity
“For defenders, the increase in RAT activity means there is both a requirement to stop attacks dead at the initial stage, and to have visibility over your entire network to detect any threats that might have escaped your first layer of security. Implementing firewall control and network traffic policies can help you monitor and block unwanted connections and ports, which will help thwart attackers.”
Teeth
A dangerous RAT indeed, so be on the lookout for those ‘sharp little teeth’!