The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan (RAT) laterally throughout an entire corporate environment. SDBbot RAT is a custom job that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks. The custom RAT also offers persistent access and lateral network movement.

Recently, targeted emails were sent to enterprise employees in Europe. The malicious emails purported to be messages coming from the HR department via Onehub, which is a legitimate, cloud-based file-sharing application for businesses. The messages had attached, macro-enabled documents called simply “Resume.doc.” If opened, they ultimately delivered the SDBbot malware via a dropper containing embedded dynamic-link libraries (DLLs) and the use of an installer component. The campaign was designed to extract Active Directory (AD) discovery data and user credentials, and to infect the environment with the SDBbot RAT.

Once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The three additional files make up SDBbot: an installer, a loader and the payload itself.

A Meterpreter reverse shell was used in order to remotely control compromised systems within the internal network. It was installed as a service using the execution of an encoded PowerShell script. The malicious PowerShell command decodes into a reverse shell connecting back to two malicious IP addresses.

Analysts expect that this group will continue to target a wide range of industries using social engineering to deliver open-source and custom malware, while constantly adjusting TTPs and C2 infrastructure to evade detection.
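The service-installed, encoded PowerShell command described above is a concrete detection opportunity: Windows logs a "service was installed" event (Event ID 7045) whose service file name carries the full command line, and the `-EncodedCommand` argument is just UTF-16LE text in base64. The following is an added example, not code from the original article or from any TA505 or SDBbot tooling: a Python checker that walks flattened 7045-style lines, decodes any encoded command, and flags reverse-shell indicators and embedded IP literals. The log layout, the service names, the RFC 5737 documentation addresses and the deliberately non-functional stub command are all constructed for this example.

```python
import base64
import re

# Keyword indicators that commonly appear in decoded loader / reverse-shell one-liners.
INDICATORS = {
    "tcp_client": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "nested_base64": re.compile(r"FromBase64String", re.I),
}
HIDDEN_LAUNCH = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# powershell.exe accepts -EncodedCommand and its abbreviations (-enc, -ec, -e) followed by base64.
ENC_FLAG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(command: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(image_path: str):
    """Return the decoded -EncodedCommand payload from a command line, or None if absent/invalid."""
    m = ENC_FLAG.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_service_event(line: str) -> dict:
    """Inspect one flattened 7045-style line for an encoded PowerShell service carrying shell indicators."""
    name = re.search(r"Service Name=(\S+)", line)
    image = re.search(r"Service File Name=(.*)$", line)
    result = {
        "service": name.group(1) if name else None,
        "decoded": None,
        "indicators": [],
        "ips": [],
        "suspicious": False,
    }
    if not image or not re.search(r"powershell(?:\.exe)?", image.group(1), re.I):
        return result
    decoded = decode_encoded_command(image.group(1))
    if decoded is None:
        return result
    result["decoded"] = decoded
    if HIDDEN_LAUNCH.search(image.group(1)):
        result["indicators"].append("hidden_launch")
    result["indicators"] += [k for k, rx in INDICATORS.items() if rx.search(decoded)]
    result["ips"] = IPV4.findall(decoded)
    hits = set(result["indicators"])
    # A raw socket client, or IEX combined with a download / nested-decode stage, is the alert condition;
    # a hidden window alone is too common in legitimate admin scripts to alert on.
    result["suspicious"] = "tcp_client" in hits or (
        "invoke_expression" in hits and bool(hits & {"download", "nested_base64"})
    )
    return result


def analyze_logs(lines):
    return [analyze_service_event(line) for line in lines]


# Constructed sample: three flattened Event ID 7045 lines. The third carries an encoded command that is
# only a stub with indicator strings (it does nothing when run); 192.0.2.10 is an RFC 5737 test address.
_STUB = '$c = New-Object Net.Sockets.TCPClient("192.0.2.10",443); IEX $placeholder  # constructed stub'
SAMPLE_LOGS = [
    "EventID=7045 Service Name=BackupAgent Service File Name=C:\\Program Files\\Backup\\agent.exe",
    "EventID=7045 Service Name=InvScan Service File Name=powershell.exe -NoProfile -EncodedCommand "
    + encode_ps("Get-Service | Out-File C:\\temp\\svc.txt"),
    "EventID=7045 Service Name=WinUpdSvc Service File Name=powershell.exe -NoP -W Hidden -enc "
    + encode_ps(_STUB),
]

if __name__ == "__main__":
    for r in analyze_logs(SAMPLE_LOGS):
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f"{flag} {r['service']:<12} indicators={r['indicators']} ips={r['ips']}")
```

In practice the same logic applies to process-creation events (Event ID 4688 with command-line auditing, or Sysmon Event ID 1), and the decoded text is worth retaining in the alert so that an analyst can see the destination addresses without re-decoding by hand.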