Russian cybercriminal group uses legitimate tools to attack German companies

In a campaign against German companies, the Russia-linked criminal group TA505 combined malicious software with legitimate tools.

A few weeks ago, security researchers at Prevailion identified a phishing email campaign against German companies attributed to TA505. The campaign appears to have started in June 2019, and analysing it took considerable time. According to the research, the emails carry malicious attachments designed to steal users' login credentials and credit card data.

Some reports also refer to the TA505 group as Evil Corp. It is best known for distributing the Dridex banking trojan and the Locky ransomware, but it has also used many other malware families, including BackNet, Cobalt Strike, ServHelper, the Bart ransomware, FlawedAmmyy, the SDBbot RAT and the DoppelPaymer ransomware, among others.

Analysing the attacks, the researchers found that TA505 used a trojanized curriculum vitae (CV) document to target the human resources department of a German company. They also observed that the phishing emails were sent through vodafonemail.de.

In the initial phase of the attack, a script embedded in the CV file runs, retrieves the payload and installs a program on the victim's computer that generates a fingerprint of the host from its computer name and domain. The script then harvests data from the browser and the mail client and saves the stored credentials. The stolen credentials are archived and sent to a server controlled by the attacker, after which a scheduled task is created to serve as a beacon. Finally, a BAT file removes the traces of the intrusion.
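The chain described above (document spawning a script host, host fingerprinting, a scheduled task used as a beacon, and a BAT file that cleans up) leaves a recognisable sequence in process-creation telemetry. The following detection pass is an added example, not code from the article or from Prevailion's report: it runs a handful of stage-matching rules over constructed, Sysmon-style process-creation records and flags a host once several stages of the chain appear on it. The host names, paths, task name and command lines in the sample records are constructed for illustration.

```python
"""Stage-chaining detection over constructed process-creation records.

Each record is (host, parent_image, image, command_line). The records below
are constructed sample data modelled on the attack chain, not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical hosts, paths and task name).
SAMPLE_EVENTS = [
    ("HR-PC-01", "WINWORD.EXE", "wscript.exe",
     r"wscript.exe //b C:\Users\hr\AppData\Local\Temp\cv.js"),
    ("HR-PC-01", "wscript.exe", "cmd.exe",
     "cmd.exe /c hostname && whoami /fqdn"),
    ("HR-PC-01", "wscript.exe", "schtasks.exe",
     r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" '
     r"/tr C:\Users\hr\AppData\Local\Temp\beacon.vbs"),
    ("HR-PC-01", "wscript.exe", "cmd.exe",
     r"cmd.exe /c C:\Users\hr\AppData\Local\Temp\clean.bat"),
    ("HR-PC-01", "cmd.exe", "cmd.exe",
     r"cmd.exe /c del /f /q C:\Users\hr\AppData\Local\Temp\cv.js "
     r"C:\Users\hr\AppData\Local\Temp\clean.bat"),
    # Benign activity on another host: Word opened from Explorer, a task query.
    ("FIN-PC-07", "explorer.exe", "WINWORD.EXE", "WINWORD.EXE budget.docx"),
    ("FIN-PC-07", "explorer.exe", "schtasks.exe", "schtasks.exe /query"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def match_rules(parent_image, image, command_line):
    """Return the names of the chain stages a single record matches."""
    parent = parent_image.lower()
    image = image.lower()
    cmd = command_line
    hits = []
    # Stage 1: the CV document launches a script interpreter.
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Stage 2: the script fingerprints the host (computer name / domain).
    if image == "cmd.exe" and re.search(r"\b(hostname|whoami|systeminfo)\b", cmd, re.I):
        hits.append("host_fingerprinting")
    # Stage 3: a recurring scheduled task pointing into a temp directory (beacon).
    if (image == "schtasks.exe"
            and re.search(r"/create\b.*/sc\s+minute", cmd, re.I)
            and re.search(r"\\AppData\\Local\\Temp\\", cmd, re.I)):
        hits.append("scheduled_task_beacon")
    # Stage 4: a batch-driven cleanup deleting its own artefacts.
    if image == "cmd.exe" and re.search(r"\bdel\b.*\.bat", cmd, re.I):
        hits.append("bat_self_cleanup")
    return hits


def evaluate(events):
    """Map each host with at least one hit to the sorted list of stages seen."""
    stages = defaultdict(set)
    for host, parent, image, cmd in events:
        for rule in match_rules(parent, image, cmd):
            stages[host].add(rule)
    return {host: sorted(rules) for host, rules in stages.items()}


def suspicious_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct chain stages were observed.

    Requiring several stages, rather than any single rule, keeps a lone
    scheduled task or a lone 'hostname' call from paging an analyst.
    """
    return sorted(host for host, rules in evaluate(events).items()
                  if len(rules) >= min_stages)


if __name__ == "__main__":
    for host, rules in evaluate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators create scheduled tasks and run `hostname`), so the example only raises a host once several stages are present; in a real deployment the same logic would run over Sysmon event ID 1 or EDR process-creation data rather than the constructed list.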