Rewterz Threat Alert – APT Group- TA505 Latest IOCs

Severity

High

Analysis Summary

TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. In the group’s latest campaign, the group is targeting financial institution employees via phishing email luring them to download malicious attachments. In the email is the malware Get2 Downloader which is (aka FRIENDSPEAK; GetAndGo). After successfully installing the malware, it connects to command and control (C2) server and download the SDBot Remote Access Trojan (RAT) and harvest financial data. Data exfiltration is the major goal of this campaign and is currently active and targeting users in different organizations.

Impact

• Data exfiltration
• Exposure of sensitive data

Indicators of Compromise

Filename

• Invoice [0-9]{5} – Due Date _ 12 June
• 2020 – Client ID [0-9]{7}[.]html
• PD_304 41237[.]xls
• libOmio[.]dll
• [0-9]{8}_Agreement[.]xls
• libOmio[.]dll
• Certificate[.]html
• Certificate_9507[.]xls

From Email

• admin@gllc[.]vn
• aecs4@aeg[.]com[.]hk
• andrea@locksafe[.]eu
• anna@infowest[.]com
• calidad@laredo[.]globalpc[.]net
• chitose@din[.]or[.]jp
• cristian[.]dabija@econ[.]ubbcluj[.]ro
• daisei[.]itoh@moltec[.]co[.]jp
• dybrown@kimbanet[.]com
• dylan@emmettlam[.]com
• e[.]garelli@atc[.]torino[.]it
• ebrown@freestylefund[.]com
• elfi@jandrisits[.]at
• encuestas@lamercedpilar[.]com
• envisep@acimgroup[.]it
• grigoryanc@prima-group[.]kz
• haipm@scsc[.]vn
• home@filingworld[.]com
• info@de-online-marketing[.]de
• info@seikatu-k[.]co[.]jp
• janeinarvestersjo@vabb[.]no
• jmacias@gpobuenaventura[.]com[.]mx
• kiara@legalshieldassociate[.]com
• leigh[.]h@hallfn[.]com[.]au
• libing@dlcs100[.]com
• mcgee@legalshieldassociate[.]com
• mirella@intuition[.]it
• plumbs@cloudburst9[.]net
• postmaster@supremespine[.]com
• pruocco@comune[.]follonica[.]gr[.]it
• rajender@kaninsure[.]com
• sem@sadna[.]co[.]il
• spam@rnbconsultants[.]com
• william@holein1[.]ie

MD5

• de515ae373ce70f38a354c38eb566ad1
• 5a9caa83d88b6ddd7797ffb5f4627f2a
• 83b02e12a48b092f91788d7c253dd1c2
• b24573232df8a4bc23094f8f8fc7f6aa
• e11fa4e6761d28716cab9390810d9bf1
• b41294d15b96ba28a826711a6bfacea6
• 39645282244265d9499f025737198d97
• a8653b87fa1d4f73da86fd962e9c4b95
• e11fa4e6761d28716cab9390810d9bf1

SHA-256

• 17d515558faae741a3d0f9ced348e61a39eda6f62e153eb78e44e3ac3a0515b9
• cfc8fcfbd2f8f4938a2bdd0a0763abfcec3a340f7769f84607b7441bb8f0fdf1
• e35b9feacfba1df802f9ed242775361f4317c22782f4e9e2dddd095577a72487
• 4e29416f27ab332ba6f9d40f50bc0ad257f9f495c34a9c190d9041620045bda7
• 5f39db475fb85cf4a5dce2919fedf61a8e20d0e090cc96743ef128eb17039583
• e18a16a1bf86180d29e95df285b90bf88fab87f6244e836bd8510515daa0be90
• dee470720cce3358400e99197cb1f6443966de78559d2cc8825c098561d0c278
• acd7214a4c37bbfd55ea244080769e4c0daf59edb47b3abcddcf5874cdb3054f
• 5f39db475fb85cf4a5dce2919fedf61a8e20d0e090cc96743ef128eb17039583

SHA1

• 779f23b8a99888e9e6c0729bd291c4b666a5f1c2
• 5aaba4ab168d59884143b45681cdb2682b2c39c6
• acf4e3c3fd1772c7d4ebec32b38d018cce4e9707
• f3cb1e5a4e6a1a28150e9d9bf1f59b7614ec689a
• e1f24b156e83a575b5f134b082a3a22907405bf6
• 704b7822d8729b6c431a1b84dbe77976312ffaf6
• 073b432c6e4a1a2f300c48e65f5fbf1429151be2
• b17b32b567f1a600338f61b27f316f893aad195d
• e1f24b156e83a575b5f134b082a3a22907405bf6

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your existing environment.