According to Trend Micro researchers, the TA505 hacker group is spreading new malware called Gelup and FlowerPippi through spam campaigns, which are used to target entities from the Middle East, Japan, India, the Philippines, and Argentina.
Proofpoint researchers also found that in June of this year, two spam campaigns were spreading a malware download program called AndroMut, targeting recipients from the US, Singapore, UAE, and South Korea. The TA505 hacker organization has launched the Dridex Bank Trojan and the ransomware attack called Locky.
The TA505 hacker organization uses spam containing .DOC and .XLS documents to spread its new malware. After the victim opens the malicious attachment, the payload is deployed on the attacked machine by executing the VBA macro command. According to Trend Micro, a small spam sample also used a malicious URL, resulting in a remote access Trojan (RAT) download called FlawedAmmyy.
The most interesting feature of the newly discovered malware Gelup downloader is that it uses obfuscation and UAC bypass technology, which is “mocking trusted directories (spoofing the file’s execution path in a trusted directory), abusing auto-elevated executables, and using the dynamic-link library (DLL) side-loading technique.”
Malware Gelup developers use a variety of techniques designed to block static and dynamic analysis and to make the infection process more difficult to track by deploying multiple steps. In order to make the attack time longer, the malware Gelup can run the task of starting LNK file creation in the system recycle bin, or add a registry run item, depending on user permissions.
FlowerPippi is the second malware recently deployed by the hacker organization TA505. In addition to the backdoor feature, it also has downloading skills that enable it to release more malicious payloads to infected systems in the form of executable binaries or DLL files. Trend Micro further stated that the backdoor is used to collect and filter information from the victim’s computer and to run any commands received from the command control (C2) server.
The attack by the hacker organization TA505 continues. In addition to the activities observed and recorded by researchers at Proofpoint and Trend Micro, Microsoft Security Intelligence issued a security warning about two weeks ago, saying an active spam campaign tried to spread FlawedAmmyy remotely through malicious XLS attachments.