
Russia-Linked Threat Actor TA505 Targeting Financial Institutions in Multiple Geographies

In a new campaign targeting financial institutions throughout the globe, the Russia-linked threat actor TA505 has been seen employing a lightweight Office file to distribute malware.

The attacks have low detection rates in Google’s VirusTotal scanning engine, and they target firms in Canada, the United States, Hong Kong, Europe, and beyond.

The effort, dubbed MirrorBlast, began in early September, following similar activity in April 2021, according to Morphisec’s security researchers.

The infection chain begins with phishing emails that transmit a malicious document, then progresses to the Google feedproxy URL, which uses SharePoint and OneDrive lures disguised as file share requests.

The URLs direct the victim to a hacked SharePoint or a phoney OneDrive site, allowing the attackers to remain undetected. Additionally, a SharePoint sign-in requirement ensures that sandboxes are avoided.

Because of ActiveX compatibility difficulties, the macro code used in these attacks can only run on 32-bit versions of Office. The macro also performs anti-sandboxing checks: it tests whether the computer name matches the user domain and whether the username is admin or administrator.
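As an added illustration (not code from the article or from Morphisec), the environment checks described above can be turned into a static triage heuristic for extracted VBA source: the scanner below flags the computer-name/user-domain comparison, the admin/administrator username test and the 32-bit-only guard, and treats a macro as suspicious only when more than one of them co-occur. The sample macro text is constructed for the test and is not the MirrorBlast code.

```python
import re
from typing import Dict, List

# Constructed VBA excerpt for testing; it is NOT the MirrorBlast macro, only a
# sketch of the environment checks the article describes.
SAMPLE_MACRO = r'''
#If Win64 Then
    ' 32-bit-only guard: the article notes the macro runs only on 32-bit Office
#End If
Sub Workbook_Open()
    If Environ("COMPUTERNAME") = Environ("USERDOMAIN") Then Exit Sub
    Dim u As String
    u = LCase(Environ("USERNAME"))
    If u = "admin" Or u = "administrator" Then Exit Sub
End Sub
'''

# Each indicator is a regex applied per line (VBA identifiers are case-insensitive).
INDICATORS = {
    "computername_equals_userdomain": re.compile(
        r'Environ\("(COMPUTERNAME|USERDOMAIN)"\)\s*=\s*Environ\("(USERDOMAIN|COMPUTERNAME)"\)', re.I),
    "admin_username_compare": re.compile(r'=\s*"(admin|administrator)"', re.I),
    "win64_bitness_guard": re.compile(r'^\s*#If\s+Win64\b', re.I),
}


def scan_macro(vba: str) -> Dict[str, List[int]]:
    """Return {indicator: [1-based line numbers]} for every indicator that fires.
    The admin comparison only counts when the macro also reads USERNAME."""
    hits: Dict[str, List[int]] = {name: [] for name in INDICATORS}
    reads_username = re.search(r'Environ\("USERNAME"\)', vba, re.I) is not None
    for lineno, line in enumerate(vba.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if name == "admin_username_compare" and not reads_username:
                continue
            if pattern.search(line):
                hits[name].append(lineno)
    return {name: lines for name, lines in hits.items() if lines}


def is_suspicious(vba: str, min_indicators: int = 2) -> bool:
    """Flag a macro when at least min_indicators distinct evasion checks co-occur;
    a single hit is too weak to act on by itself."""
    return len(scan_macro(vba)) >= min_indicators


if __name__ == "__main__":
    for name, lines in scan_macro(SAMPLE_MACRO).items():
        print(f"{name}: lines {lines}")
    print("suspicious:", is_suspicious(SAMPLE_MACRO))
```

Feed it the output of a macro extractor such as olevba; the line numbers point an analyst at the exact statements to review.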

Morphisec thinks the attacks are being carried out by the famed Russia-linked threat actor TA505, commonly known as Evil Corp, based on the detected TTPs connected with the MirrorBlast campaign.

Those TTPs include Excel documents that lead to the Rebol/KiXtart loader, the use of SharePoint/OneDrive lure themes, and specific domain names used in the infection chain. Furthermore, a website that one SharePoint lure links to, along with other artefacts, has previously been linked to TA505.


TA505, a financially motivated adversary active since at least 2014, is most known for using the Dridex Trojan and the Locky ransomware. However, over the last few years, the gang has shifted to using a variety of malware families, including off-the-shelf malware as well as genuine tools.

“TA505 is one of numerous commercially oriented threat organisations operating in the market today. They’re also one of the most inventive, as they have a proclivity for shifting the attacks they use to attain their objectives. For TA505 or other innovative threat organisations, this new attack chain for MirrorBlast is no exception,” Morphisec said.
