TA505 hacking gang uses SDBbot RAT to attack European companies

News by Rene Millman

New campaign by TA505 hacking gang harvests Active Directory credentials to aid movement

The TA505 cyber-crime group has re-emerged to carry out attacks; its latest campaign involves deploying the SDBbot remote-access trojan (RAT).

According to a blog post by researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS), this trojan has remote-access capabilities, accepts commands from a command-and-control (C&C) server (including recording video) and is able to exfiltrate data from victimised devices and networks.

“On infected systems, this malware could grant attackers extensive ability to drop and execute additional malicious payloads, control infected systems and perform actions the legitimate user would have access to. Remote-access Trojans are one of the most prevalent tools in targeted attacks as they facilitate that type of control for remote attackers,” said Melissa Frydrych, a researcher at IBM.

One example of a recent attack saw the hackers send a malicious email to employees purporting to be from an HR representative’s account. The email body impersonated Onehub, inviting the recipient to download a malicious document named Resume.doc.

The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed.

“In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network,” said Frydrych.

The attack was also designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT.
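The chain described above (an Office document that executes code, drops a DLL, and then runs AD discovery) leaves a recognisable trail in endpoint process-creation telemetry. The following Python script is an added example written for this article, not code from IBM X-Force or from the campaign's analysis: it runs a simple two-stage detection over constructed sample events. The record format (`parent|image|command_line`), the sample command lines, the list of "unexpected" Office child processes and the AD-discovery patterns are all assumptions for illustration and should be tuned to your own environment.

```python
import re

# Constructed sample process-creation events (not from the article or IBM's report).
# Record format (an assumption): parent_image|image|command_line
SAMPLE_EVENTS = [
    "explorer.exe|WINWORD.EXE|WINWORD.EXE /n C:\\Users\\alice\\Downloads\\Resume.doc",
    "WINWORD.EXE|rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\update.dll,Start",
    "rundll32.exe|cmd.exe|cmd.exe /c net group \"Domain Admins\" /domain",
    "rundll32.exe|nltest.exe|nltest /dclist:corp.example",
    "explorer.exe|cmd.exe|cmd.exe /c dir",
    "services.exe|svchost.exe|svchost.exe -k netsvcs",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child images an Office document should not normally launch (assumption: tune per environment).
SUSPICIOUS_OFFICE_CHILDREN = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
    "cmd.exe", "wscript.exe", "cscript.exe",
}

# Command-line patterns typical of Active Directory discovery.
# Assumption: this list is illustrative; the article names no specific commands.
AD_DISCOVERY_PATTERNS = [
    re.compile(r"\bnet\s+(group|user)\b.*/domain", re.I),
    re.compile(r"\bnltest(\.exe)?\b", re.I),
    re.compile(r"\bdsquery\b", re.I),
    re.compile(r"Get-AD(User|Group|Computer|DomainController)", re.I),
]


def parse_event(line):
    """Split one 'parent|image|command_line' record into a dict."""
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmd": cmd}


def classify(event, tainted):
    """Return the detection tags that apply to a single event.

    `tainted` is the set of image names already seen spawned by an Office
    application; it lets a later discovery command be tied back to the
    document that started the chain. Matching on image name rather than
    PID is a simplification because the constructed records carry no PIDs.
    """
    tags = []
    if event["parent"] in OFFICE_APPS and event["image"] in SUSPICIOUS_OFFICE_CHILDREN:
        tags.append("office_spawns_loader")
    if any(p.search(event["cmd"]) for p in AD_DISCOVERY_PATTERNS):
        tags.append("ad_discovery")
        if event["parent"] in tainted:
            # Discovery run by a descendant of an Office-launched process:
            # the higher-confidence signal a responder wants to see first.
            tags.append("post_document_discovery")
    return tags


def analyze(lines):
    """Classify every event in order; return (index, image, tags) for each hit."""
    tainted = set()
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        tags = classify(ev, tainted)
        if "office_spawns_loader" in tags:
            tainted.add(ev["image"])
        if tags:
            hits.append((i, ev["image"], tags))
    return hits


if __name__ == "__main__":
    for idx, image, tags in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(tags)}")
```

Run against the constructed events, the script flags the Office-to-rundll32 launch, then the two discovery commands, and marks both of the latter as `post_document_discovery` because their parent was spawned by the document. Real deployments should key the chain on process IDs or GUIDs from the EDR or Sysmon event rather than on image names.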

She added that it is expected that this group will “continue to target a wide range of industries using social engineering to deliver open-source and custom malware while constantly adjusting TTPs and C&C infrastructure to evade detection”.

David Erel, senior director, SaaS Platform at SentinelOne, told SC Media UK that the main danger with RATs is that they make illegitimate use of perfectly legitimate functionality that your admins need.

“No modern business can run an effective IT support service without the ability to remotely log in to users’ computers for troubleshooting and other support tasks. RATs piggyback on the same remote access services that legitimate tools like TeamViewer use, exploiting Windows Remote Desktop (RDP) and TCP networking protocols to install a backdoor to the attacker’s own machine,” he said.

“For defenders, the increase in RAT activity means there is both a requirement to stop attacks dead at the initial stage, and to have visibility over your entire network to detect any threats that might have escaped your first layer of security. Implementing firewall control and network traffic policies can help you monitor and block unwanted connections and ports that will help thwart attackers.”
