A Look Inside TA505’s ServHelper Malware Control Panel


Researchers have detailed the software control panel used by the well-known TA505 financial threat group in order to manage its ServHelper malware.

TA505 has targeted the financial sector since 2014 with mass phishing attacks, mainly relying on tools like the Dridex banking trojan and Locky ransomware. As of 2019, the attackers started leveraging a backdoor called ServHelper to hijack victim accounts and deploy a number of follow-up commands, including logging keystrokes and stealing sensitive data. Researchers with the Prodaft Threat Intelligence (PTI) team said that further details about the command and control structure behind ServHelper, called TeslaGun (a name that appears at the top of the control panels), will give security professionals a better understanding of how the group works and its malware distribution tactics.

“It is obviously seen that TA505 is actively searching for online banking and shopping accounts, particularly from victims in the United States, but also from Russia, Romania, Brazil, and the UK,” according to Prodaft researchers in a Tuesday report. “The threat group will also attack victims outside of its primary scope, tagging RDP connections for eventual resale to other cybercriminals. Ultimately, anyone could be a TA505 victim.”

Some aspects of the panel point to a “surprisingly disorganized” internal structure. TeslaGun panels do not provide individual victim detail pages, for instance, and instead show victim data in a series of columns. The pages are also not exclusively organized by campaign or version, making them harder to sift through, said researchers. At the same time, however, the control panel demonstrates TA505’s sophistication in how it distributes its attacks, showing how the threat group is “highly proactive” in updating its malware and has the ability to run multiple malware campaigns at the same time.

The panel, which provides attackers with a dashboard for viewing victim data and options for filtering those records, also lets attackers send one command to multiple victims at once or configure a default command that runs when new victim devices are added to the panel. A detailed look at the TeslaGun panel revealed that TA505 is actively hunting for online banking and shopping accounts, including crypto wallets and e-commerce accounts, with the U.S. having the most victims recorded at 3,557 out of the 8,160 targets found on the control panel (as of July 2020).

The control panel lists IPs and countries/states/cities for victims, along with information such as the first and last time each victim connected and the commands issued to ServHelper (these commands have previously been documented by Cisco Talos researchers). The control panel also notes if a victim has a slow connection, which might mean attackers would lose the ability to communicate effectively with ServHelper. The attackers also tagged RDP connections, which researchers had noted before; the control panel, however, revealed that attackers use these connections not only to interact directly with victim devices but also for eventual resale to other cybercriminals. This is important because it shows how well-embedded TA505 is in the international cybercrime community, said researchers.

“The panel’s filtering options offer a great deal of information about TA505’s workflow and commercial strategy,” said researchers. “Sell and Sell 2 groups were set for some victims. These victims’ RDP connections were temporarily disabled through the panel.”

For businesses, researchers said that proactive detection strategies “are critical for overcoming fast-moving threats like TA505 backdoor attack campaigns.”

“Broadly defined prevention-based security may help mitigate some of the most obvious threats, but the reality of today’s mature, organized cybercrime industry requires a new strategy,” said researchers. “Business leaders and cybersecurity decision-makers must actively search for new cybercrime trends and implement solutions for patching new vulnerabilities in their networks.”