A threat group known for deploying the Clop ransomware and Dridex trojan is now using a unique remote administration tool that can communicate directly with other compromised hosts via a peer-to-peer network.
Researchers at NCC Group have been tracking the activity of a group known as TA505 for several months and have identified at least three distinct networks of infected machines. The RAT the group is deploying bears some resemblance to other TA505 tooling; in particular, its programming style is similar to that of a tool known as Grace, which the group has used for several years.
TA505 is a long-established group and, like many other cybercrime groups, it has shifted tactics many times over the years to keep ahead of defenders and maximize profits. The group started out as a typical cybercrime crew, performing network intrusions to facilitate fraudulent bank transfers to accounts it controlled. TA505 also benefited from a close association with EvilCorp, a notorious cybercrime group best known for its use of the Dridex banking trojan. The TA505 actors used Dridex as well, but eventually moved on.
“However, in 2017 TA505 went on their own path and specifically in 2018 executed a large number of attacks using the tool called ‘Grace’, also known publicly as ‘FlawedGrace’ and ‘GraceWire’. The victims were mostly financial institutions and a large number of the victims were located in Africa, South Asia, and South East Asia with confirmed fraudulent wire transactions and card data theft originating from victims of TA505,” a report by Nikolaos Pantazopoulos and Michael Sandee of NCC Group says.
“The tool ‘Grace’ had some interesting features, and showed some indications that it was originally designed as banking malware which had later been repurposed. However, the tool was developed and was used in hundreds of victims worldwide, while remaining relatively unknown to the wider public in its first years of use.”
The new RAT that NCC Group discovered is relatively simple and consists of three components: a loader (the downloader), a signed driver, and the P2P component that handles communication with other nodes on the network. Once the loader is on a new machine, it checks the operating system version, contacts the remote command-and-control server, and downloads several other files, including the P2P binary itself, the drivers, and lists of processes, drivers, services, registry keys, and files to filter.
The signed driver that the loader installs performs most of the remaining work: it decrypts the shellcode, copies it into place, and then runs the payload. The RAT's P2P functionality communicates over UDP.
“After the initialisation phase has been completed, the sample starts sending UDP requests to a list of IPs in order to register itself into the network and then exchange information,” the researchers said.
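The report, as quoted here, describes the registration step only at the level of "UDP requests to a list of IPs"; it does not give ports or a message format, so the example below does not try to match the protocol. Instead it shows the traffic-shape heuristic a defender can apply to flow telemetry: an internal host that, within a short window, sends UDP to an unusually large number of distinct peers on a non-service port. This is an added example written for this page, not NCC Group's or TA505's code; the flow records, the 60-second window, the peer threshold of 5 and the benign-port list are all assumptions chosen for illustration.

```python
"""UDP peer fan-out heuristic (added example; not NCC Group's detection logic).

Flags an internal host that, inside a short window, sends UDP datagrams to
many distinct peers, the traffic shape a node produces when it registers
itself against a list of peer IPs.  Thresholds and sample data are assumed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")

# UDP services that legitimately talk to several hosts (DNS, NTP, NetBIOS,
# SSDP, mDNS).  Excluded so ordinary chatter does not trip the heuristic.
# This list is an assumption for the example, not something from the report.
BENIGN_UDP_PORTS = {53, 123, 137, 138, 1900, 5353}

# Constructed flow records for this example (not real telemetry):
# timestamp src dst proto dst_port bytes
SAMPLE_FLOWS = """\
2021-12-06T10:00:00 10.0.0.5 203.0.113.10 udp 55811 64
2021-12-06T10:00:01 10.0.0.5 203.0.113.11 udp 55811 64
2021-12-06T10:00:01 10.0.0.5 198.51.100.7 udp 55811 64
2021-12-06T10:00:02 10.0.0.5 198.51.100.8 udp 55811 64
2021-12-06T10:00:03 10.0.0.5 192.0.2.44 udp 55811 64
2021-12-06T10:00:04 10.0.0.5 192.0.2.45 udp 55811 64
2021-12-06T10:00:05 10.0.0.5 203.0.113.12 udp 55811 64
2021-12-06T10:00:06 10.0.0.5 203.0.113.10 udp 55811 64
2021-12-06T10:00:00 10.0.0.7 10.0.0.2 udp 53 71
2021-12-06T10:00:02 10.0.0.7 10.0.0.2 udp 53 66
2021-12-06T10:00:03 10.0.0.7 192.0.2.99 udp 123 48
2021-12-06T10:00:04 10.0.0.7 192.0.2.100 udp 123 48
2021-12-06T10:00:01 10.0.0.9 203.0.113.50 udp 4500 120
2021-12-06T10:05:00 10.0.0.9 203.0.113.51 udp 4500 120
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst,
                          proto.lower(), int(dport), int(nbytes)))
    return flows


def peer_fanout(flows, window=timedelta(seconds=60),
                benign_ports=BENIGN_UDP_PORTS):
    """Return {src: max number of distinct UDP peers inside any `window`}.

    Only UDP flows to non-benign ports are counted; repeated datagrams to the
    same peer count once.  Sources with no qualifying flows are omitted.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport not in benign_ports:
            by_src[f.src].append(f)

    result = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best = 0
        # Sliding window anchored at each flow; fine for small batches.
        for i, start in enumerate(fl):
            peers = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            best = max(best, len(peers))
        result[src] = best
    return result


def flag_hosts(flows, min_peers=5, **kwargs):
    """Hosts whose peak fan-out reaches `min_peers` (assumed threshold)."""
    return {src: n for src, n in peer_fanout(flows, **kwargs).items()
            if n >= min_peers}


if __name__ == "__main__":
    for host, peers in flag_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {peers} distinct UDP peers within 60s")
```

In the constructed data, 10.0.0.5 reaches seven distinct peers in six seconds and is flagged; 10.0.0.7 only does DNS and NTP, which are excluded; 10.0.0.9 contacts two peers five minutes apart and stays below threshold. Tune the window, threshold and benign-port list to your own baseline before using a heuristic like this for alerting, and pair it with the host-side indicators the report describes (a newly installed signed driver and the downloaded filter lists).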
NCC Group didn’t specify where the targets of the new RAT are, but TA505 has been known to target a wide range of organizations around the world in past operations.