TA505 is a cybercrime group that has been active since 2014, targeting education and financial institutions. In February 2020, Maastricht University, a public university in the Netherlands, reported that it had been the victim of a large-scale TA505 ransomware attack that began with phishing emails. TA505 typically uses phishing emails to deliver malicious Excel files that drop payloads once they are opened. According to research published by Trend Micro in July 2019, TA505's phishing emails carry attachments containing an HTML redirector that delivers the malicious Excel file. Recently, a new phishing campaign using the same attack strategy was discovered by the Microsoft Security Intelligence team. In this blog post, we take a look at the files used in the attack and explore how OPSWAT's Deep Content Disarm and Reconstruction technology (Deep CDR™ Technology) can help prevent similar attacks.
Attack vectors
The attack flow used is very common:
- The victim is sent a phishing email with an HTML attachment.
- When the victim opens the HTML file, it automatically downloads a malicious macro-enabled Excel file.
- This Excel file drops a malicious payload when the victim opens it.
The HTML and Excel files were examined on metadefender.opswat.com in early February 2020.
The HTML file was identified as a fake Cloudflare page containing relatively simple JavaScript that redirects the user to a download page after 5 seconds.

The Excel file contains several obfuscated macros.

When the victim opens the file and enables macros, a fake "Windows Process" UI appears. It is actually a Visual Basic form, and it makes the victim believe that Excel is configuring something.

In the background, the macro runs and drops several files on the victim's system at the following paths: C:\Users\user\AppData\Local\Temp\copy13.xlsx and C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\sample_.dll (RAT).
How can Deep CDR™ Technology protect you from the phishing attack?
If the HTML file is sanitized by Deep CDR™ Technology, all risk vectors are removed, including the JavaScript. After the process, the user opens the sanitized file and the redirection described above no longer happens. As a result, the malicious Excel file cannot be downloaded either.
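To make the redirector and its sanitization concrete, here is an added example that is not OPSWAT's code and does not reproduce the actual attachment: a constructed fake "checking your browser" page with a 5-second JavaScript redirect (the download URL is a placeholder), a detector that flags the redirect indicators an analyst would look for, and a toy CDR-style pass that rebuilds the document without scripts, meta refresh, inline event handlers or javascript: URLs. It uses only the Python standard library.

```python
"""Detect and strip the active content of an HTML redirector attachment.

Added example (not OPSWAT Deep CDR code). SAMPLE_HTML is constructed for
this demonstration; the URL in it is a placeholder, not a real indicator.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed sample: fake interstitial page that redirects after 5 seconds.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Just a moment...</title>
<meta http-equiv="refresh" content="5;url=https://example.invalid/download">
<script>
setTimeout(function(){ window.location.href = "https://example.invalid/download"; }, 5000);
</script>
</head>
<body onload="init()">
<p>Checking your browser before accessing the site.</p>
<a href="javascript:void(0)">retry</a>
</body></html>"""

# Indicators of an automatic redirect, checked on the raw document text.
REDIRECT_PATTERNS = [
    ("meta-refresh", re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I)),
    ("js-location", re.compile(r'(window\.)?location(\.href)?\s*=', re.I)),
    ("js-timer", re.compile(r'setTimeout\s*\(', re.I)),
]


def find_redirect_indicators(html: str) -> List[str]:
    """Return the names of the redirect indicators present in the document."""
    return [name for name, pat in REDIRECT_PATTERNS if pat.search(html)]


class ActiveContentStripper(HTMLParser):
    """Rebuild the document without <script> blocks, meta refresh tags,
    on* event handlers and javascript: URLs. Script bodies are dropped."""

    VOID = {"meta", "br", "img", "link", "input", "hr"}

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.skip_depth = 0          # >0 while inside a <script> element
        self.removed: List[str] = [] # audit trail of what was stripped

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skip_depth += 1
            self.removed.append("script")
            return
        if tag == "meta" and any(k == "http-equiv" and (v or "").lower() == "refresh"
                                 for k, v in attrs):
            self.removed.append("meta-refresh")
            return
        kept = []
        for k, v in attrs:
            if k.lower().startswith("on"):               # inline event handler
                self.removed.append(f"{tag}@{k}")
                continue
            if k.lower() in ("href", "src") and (v or "").strip().lower().startswith("javascript:"):
                self.removed.append(f"{tag}@{k}")
                continue
            kept.append(f'{k}="{v}"' if v is not None else k)
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_html(html: str) -> Tuple[str, List[str]]:
    """Return (sanitized document, list of removed active-content vectors)."""
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    print("indicators before:", find_redirect_indicators(SAMPLE_HTML))
    clean, removed = sanitize_html(SAMPLE_HTML)
    print("removed:", removed)
    print("indicators after:", find_redirect_indicators(clean))
    print(clean)
```

The visible text of the page survives the pass, so the recipient still sees a harmless document, while none of the three redirect indicators remain in the output; that is the property a CDR engine provides for HTML, and the `removed` list is what you would log for detection purposes.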

Additionally, earlier TA505 phishing campaigns sent the malicious Excel file to victims directly as an email attachment. Deep CDR™ Technology is effective in this case as well: it removes all macros and OLE objects, and also recursively sanitizes every image in the file.
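The following added example (standard-library Python, not OPSWAT's Deep CDR implementation) shows where a macro-enabled workbook keeps the vectors the paragraph lists and how a simplified disarm step removes them. It builds a constructed minimal OOXML package with dummy part contents, inspects it for a VBA project, OLE embeddings and images, and writes a copy without the VBA project and embeddings. Re-rendering the images and rewriting the workbook relationships so Excel opens the result as a plain .xlsx are part of a real CDR engine and are not done here.

```python
"""Inspect a macro-enabled Excel package and strip its active content.

Added example, not OPSWAT code. The sample package is constructed; its
part contents are dummies and only the part names matter.
"""
import io
import re
import zipfile
from typing import Dict, List

VBA_PART = "xl/vbaProject.bin"      # OOXML location of the VBA macro project
OLE_PREFIX = "xl/embeddings/"       # embedded OLE objects
MEDIA_PREFIX = "xl/media/"          # images (a real CDR re-renders these)
VBA_DEFAULT = ('<Default Extension="bin" '
               'ContentType="application/vnd.ms-office.vbaProject"/>')


def build_sample_workbook() -> bytes:
    """Constructed stand-in for the attachment: a minimal zip carrying the
    part names of a macro-enabled workbook with one OLE object and an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + VBA_DEFAULT
                   + '<Override PartName="/xl/workbook.xml" '
                     'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
                   + '</Types>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0DUMMY-VBA")     # dummy OLE2 header
        z.writestr(OLE_PREFIX + "oleObject1.bin", b"DUMMY-OLE")
        z.writestr(MEDIA_PREFIX + "image1.png", b"\x89PNG-DUMMY")
    return buf.getvalue()


def inspect_workbook(data: bytes) -> Dict[str, object]:
    """Report the risk vectors present in the package, by part name."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    return {
        "has_vba": VBA_PART in names,
        "ole_objects": sorted(n for n in names if n.startswith(OLE_PREFIX)),
        "images": sorted(n for n in names if n.startswith(MEDIA_PREFIX)),
    }


def content_types(data: bytes) -> str:
    """Return the package's [Content_Types].xml as text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read("[Content_Types].xml").decode("utf-8")


def strip_active_content(data: bytes) -> bytes:
    """Copy the package without the VBA project and OLE embeddings and drop
    their declarations from [Content_Types].xml."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        removed: List[str] = [n for n in names
                              if n == VBA_PART or n.startswith(OLE_PREFIX)]
        for name in names:
            if name in removed:
                continue
            body = src.read(name)
            if name == "[Content_Types].xml":
                xml = body.decode("utf-8").replace(VBA_DEFAULT, "")
                for part in removed:   # drop Override entries for removed parts
                    xml = re.sub(r'<Override PartName="/%s"[^>]*/>' % re.escape(part), "", xml)
                body = xml.encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_workbook()
    print("before:", inspect_workbook(sample))
    print("after: ", inspect_workbook(strip_active_content(sample)))
```

The inspection report is the piece worth wiring into mail-gateway logging: a workbook arriving by email with `has_vba` set or a non-empty `ole_objects` list matches exactly the attachment profile described in this post.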

Conclusion
TA505 is currently very active with email phishing campaigns, and it uses a variety of sophisticated malware to increase its chances of getting into your systems. Enterprises are advised to improve their employee phishing awareness training as well as their security infrastructure. MetaDefender Core, which leverages 6 industry-leading cybersecurity technologies, in combination with MetaDefender Email Security, brings comprehensive protection to your organization. MetaDefender's Multiscanning technology uses more than 35 commercial AV engines to detect nearly 100% of known malware, while Deep CDR™ Technology protects against zero-day attacks from unknown threats. In addition, as an essential PII protection layer, Proactive DLP prevents sensitive data in files and emails from entering or leaving your organization.
Schedule a meeting with an OPSWAT technical expert to learn how to protect your organization against advanced cyber threats.