The New TA-505 Shadow on Italian Precision Industry

Introduction

A few days ago, our CSDC monitoring operations detected a suspicious email coming from a domain whose registrant is hidden behind a Panama-based privacy company. This rang a warning bell in the analysis team, so the email was escalated to the Cybaze-Yoroi ZLAB for further investigation.

Digging into these malicious artifacts revealed a possible rising interest of the infamous TA-505 in the Italian precision industry.

Technical Analysis

On October 25, our systems detected a suspicious email coming from the “validtree.com” domain. The domain was registered through Namecheap on 2017-12-07T15:55:27Z and recently renewed on 2019-10-16T05:35:18Z. The registrant is protected by a Panama company named WhoisGuard, which hides the original registrant's name. Currently the domain points to 95.211.151.230, an IP address assigned to LeaseWeb, a VPS hosting provider located in the Netherlands. Attached to the email was a suspicious Word document waiting to be opened by the victim.

Hash: 7ebd1d6fa8c21b0d0c015475ab8c7225f949c13a33d0a39b8c069072a4281392
Threat: Macro Dropper
Brief Description: Document dropper
Ssdeep: 384:nFZ5ZtDGGkLmTUrioRPATRn633Dmej0SnJzbmiVywP0jKk:n1oqwT2J633DVgiVy25

Opening the Word document shows the victim the following text (Figure 1). The document tempts the victim into enabling macros, claiming this is needed to re-encode the document into a readable character set by translating the current encoding to the local one.

Figure 1: Word Document Content

A transparent Word shape placed on top of the encoded text prevents the victim from interacting with the unreadable text. The document holds two VBA macro functions: the classic “AutoOpen” and one named “HeadrFooterProperty”. It is interesting to note that the document has no evidence on VT, so it could be a revamped threat or a totally new one!

The two macros decode a JavaScript payload acting as a drop-and-execute, using a well-known strategy described in “Frequent VBA Macros used in Office Malware”. The following image (Figure 2) shows the decoding process. A first round of obfuscation was adopted by the attacker to make the decoding process harder. That stage contains obfuscated embedded JavaScript which decodes, using a XOR with key=11, a third stage, again written in JavaScript, acting as a drop-and-execute from 66.133.129.5. That IP is assigned to Frontier Communications Solutions, a NY-based company.

Figure 2: Deobfuscation steps from obfuscated VBA to clear “evaled” JavaScript

It was nice to read the obfuscated code, since the variable names were actually thematically chosen per function. For example, the theseus function is obfuscated with “divine terms”; one of our favorites was the following conditional branch: If pastorale / quetzalcoatl < 57 Then, which was actually always true! (Quetzalcoatl is the “feathered serpent”, an Aztec god, while a pastorale is an evocative composition often used to cite or pray to gods.) Another fun fact was the name the attacker gave to the variable holding the string “JavaScript”: emotionless. In particular, the attacker refers to JavaScript through the object “emotionless.Language”. Funny, isn’t it?
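The XOR decoding of the third stage is simple once the key is known. As an added example (not code from the original analysis), the following script generalises that step to the analyst's usual situation, where the key is not known: it tries all 256 single-byte keys and ranks them by how JavaScript-like the decoded output is. The sample stage uses identifiers quoted above (emotionless.Language, pastorale, quetzalcoatl) but is constructed here; it is not the real payload.

```python
"""Recover the single-byte XOR key of an encoded JavaScript stage and decode it.

Added example, not code from the original post. The analysed dropper XOR-decodes its third
stage with key=11; this generalises to an unknown key by trying all 256 and scoring candidates.
"""
from typing import List, Tuple

# Constructed sample plaintext built from identifiers quoted in the post; not the real payload.
SAMPLE_STAGE3 = (
    'var emotionless = {};\n'
    'emotionless.Language = "JavaScript";\n'
    'function theseus(pastorale, quetzalcoatl) {\n'
    '  if (pastorale / quetzalcoatl < 57) { return true; }\n'
    '  return false;\n'
    '}\n'
).encode()

# Tokens whose presence suggests a decode candidate is real JavaScript.
JS_MARKERS = (b"var ", b"function", b"return", b"if (", b"eval(", b"new ", b"Language")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the scheme the dropper uses, key=11)."""
    return bytes(b ^ key for b in data)


def score_javascript(candidate: bytes) -> int:
    """-1 if any byte is non-printable, otherwise the number of JS marker occurrences."""
    if any(b not in PRINTABLE for b in candidate):
        return -1
    return sum(candidate.count(marker) for marker in JS_MARKERS)


def recover_xor_key(blob: bytes) -> List[Tuple[int, int]]:
    """Rank all 256 single-byte keys, best (most JavaScript-like) first."""
    ranked = [(key, score_javascript(xor_bytes(blob, key))) for key in range(256)]
    return sorted(ranked, key=lambda ks: ks[1], reverse=True)


def decode_stage(blob: bytes) -> Tuple[int, str]:
    """Decode with the best-ranked key and return (key, decoded text)."""
    key = recover_xor_key(blob)[0][0]
    return key, xor_bytes(blob, key).decode("ascii", errors="replace")


# Constructed encoded blob: the sample stage encoded with the in-the-wild key 11.
SAMPLE_BLOB = xor_bytes(SAMPLE_STAGE3, 11)
```

Calling decode_stage(SAMPLE_BLOB) returns key 11 and the decoded sample; on a real blob the marker list can be extended with tokens seen in the first stage.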

The final JavaScript downloader aims to drop a file from “http://66[.133[.129[.5/~chuckgilbert/09u8h76f/65fg67n”, placing it in the system temporary directory under the name “nanagrams.exe”. Finally, it runs that Windows PE file on the victim machine.

At the time of the analysis the dropping URL was not serving the payload: only a “surprise.php” page was found at the above URL. A misconfiguration of the dropping website allowed us to view its source code. As shown in the following image (Figure 3), the page tracks visitors through an iframe pointing to “http[://tehnofaq[.work” and, through a random loop, redirects the downloader script to a different dropping URL.

Figure 3: Redirecting script

Building redirectors or proxy chains is quite useful to attackers in order to evade Intrusion Prevention Systems and other protections based on IP or DNS blocklists. In this case the redirection script forwards the visitor by introducing an HTML meta “refresh” tag pointing the browser to a random choice among 4 different entries belonging to the following two domains:

  • http[://com-kl96.net
  • http[://com-mk84.net
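When a redirector page like the “surprise.php” one is captured, its targets can be enumerated statically without touching the infrastructure. The following added example (not code from the original post) parses saved HTML for the tracking iframe and the meta “refresh” target and flags hosts that match the domains listed above; the HTML is a constructed sample modelled on the described behaviour, not the real page.

```python
"""Statically enumerate the redirect targets of a captured redirector page.

Added example, not code from the original post. It parses saved HTML offline (no network
access) so an analyst can list where a page like "surprise.php" sends visitors.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Domains the post reports for the tracking iframe and the meta-refresh destinations.
KNOWN_REDIRECT_DOMAINS = {"com-kl96.net", "com-mk84.net", "tehnofaq.work"}

# Constructed sample modelled on the described behaviour (tracking iframe plus a meta refresh
# to one of the candidate domains); the real page is not reproduced here.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://com-kl96.net/new.php?a=269321&amp;c=job&amp;s=702j">
</head><body>
<iframe src="http://tehnofaq.work/" width="1" height="1" style="display:none"></iframe>
</body></html>"""


class RedirectorParser(HTMLParser):
    """Collect <meta http-equiv="refresh"> targets and <iframe src> values."""

    def __init__(self) -> None:
        super().__init__()
        self.refresh_targets: List[str] = []
        self.iframe_sources: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        content = a.get("content", "")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh" and "url=" in content.lower():
            # content has the form "<delay>; url=<target>"; keep everything after the first "="
            self.refresh_targets.append(content.partition("=")[2].strip().strip("'\""))
        elif tag == "iframe" and a.get("src"):
            self.iframe_sources.append(a["src"])


def analyse_redirector(html: str) -> Dict[str, List[str]]:
    """Return refresh targets, iframe sources, distinct hosts and the hosts already known bad."""
    parser = RedirectorParser()
    parser.feed(html)
    urls = parser.refresh_targets + parser.iframe_sources
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {
        "refresh": parser.refresh_targets,
        "iframes": parser.iframe_sources,
        "hosts": hosts,
        "known_bad": [h for h in hosts if h in KNOWN_REDIRECT_DOMAINS],
    }
```

Because the redirector picks a destination at random, several captures of the same page should be fed through analyse_redirector to collect the full set of destinations.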

Possible Link with TA-505

Analysing the dropping URLs, the infrastructure looks like an old one previously used for propagating ransomware. Indeed, it is possible to observe many analogies with the following dropping URLs belonging to a previously used ransomware threat:

  • http[://66.133.129.5/~kvas/
  • http[://66.133.129.5/~nsmarc1166/
  • http[://frontiernet.net/~jherbaugh/

The infrastructure used in the attacks suggests the involvement of the cybercrime group TA505. The TA505 group, which is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. The TA505 hacking group has been active since 2014, focusing on the retail and banking sectors.

Recently, security experts at Proofpoint observed the notorious TA505 cybercrime group using a new RAT dubbed SDBbot, a backdoor delivered via a new downloader dubbed Get2, written in C++. The dropper was also used to distribute other payloads, including FlawedGrace, FlawedAmmyy, and Snatch.

We noticed that the URLs used in the attack we detected follow the same pattern associated with the notorious crime gang; researchers also pointed out that the IP addresses observed in the attacks (i.e. 66.133.129.5) were involved in previous campaigns delivering Locky and Dridex malware.

Consider for example the domain frontiernet[.]net, which was involved in a Dridex campaign back in 2015.

In May, we observed a spike in attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group. Also, colleagues at CERT Yoroi noticed a suspicious attack against an Italian organization that allowed them to investigate the threat actors and link them to a potential expansion of TA505 operations.

In August, Trend Micro revealed that the TA505 group continues to make small changes to its operations: the group is expanding the list of countries and entities targeted with its malware and is modifying the techniques it uses to deploy malicious code.

Unfortunately, we were not able to analyse the final payload of the attack chain, which was no longer available at the time of the analysis. The analysis of the final-stage malware is essential to attribute the attack to a specific threat actor. The evidence and artifacts collected in this analysis suggest two possible scenarios:

  • The TA505 group is expanding its operations but is still controlling an infrastructure involved in previous attacks across the years. The threat actors may still leverage this infrastructure for “hit and run” operations, or to test new attack techniques and tools while avoiding exposing their actual infrastructure. Both options are interesting, but only knowledge of the final-stage malware could give us a wider view on the current operations of the group.
  • Another threat actor, likely financially motivated, is leveraging the same infrastructure used by TA505 to make analysis and attribution of the attacks harder.

Conclusion

An interesting maldoc acting as a drop-and-execute was identified by our CSDC technology. From the described analysis we identified that the attacker is using an old infrastructure, exploiting some old websites behind 66.133.129.5 as dropping websites.

At the time of the analysis the attack was still incomplete and the attacker had not yet weaponized the dropping websites, but the spread document is able to grab content from specific URLs and to run it on the victim machine.

The strings used for obfuscating the dropper were actually fun and “thematic”. For example, strings like “madrillus”, “vulcano”, “pastorale” and “quetzalcoatl” are reminiscent of an ancient and central culture (mandrillus, vulcano and quetzalcoatl), while an object like “emotionless” assigned to a specific programming language suggests a witty attacker.

Indicators of Compromise

Hash:

  • 7ebd1d6fa8c21b0d0c015475ab8c7225f949c13a33d0a39b8c069072a4281392

URL:

  • http://66[.133[.129[.5/~chuckgilbert/09u8h76f/65fg67n
  • http[://tehnofaq[.work
  • http[://com-kl96.net/new.php?a=269321&c=wl_con&s=702w
  • http[://com-mk84.net/new.php?a=269321&c=wl_con&s=702w
  • http[://com-kl96.net/new.php?a=269321&c=job&s=702j
  • http[://com-mk84.net/new.php?a=269321&c=job&s=702j

This blog post was authored by Marco Ramilli of Cybaze-Yoroi Z-LAB

Article Link: https://blog.yoroi.company/research/the-new-ta-505-shadow-on-italian-precision-industry/