Experts Discovered TeslaGun Panel Used by TA505 to Manage its ServHelper Backdoor


Cybersecurity researchers have revealed details about a previously unknown software control panel used by TA505, a financially motivated threat group. 

"The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on."

TA505, also known as Evil Corp, Gold Drake, Dudear, Indrik Spider, and SectorJ04, is an aggressive Russian cybercrime syndicate that is responsible for the infamous Dridex banking trojan and has been connected to a number of ransomware campaigns in recent years. It's also linked to the Raspberry Robin attacks, which first surfaced in September 2021, with similarities discovered between the malware and Dridex. Other malware families linked with the group include FlawedAmmyy, the Neutrino botnet, and ServHelper, a backdoor capable of downloading FlawedGrace, a remote access trojan.

The adversary is said to use the TeslaGun control panel to manage the ServHelper implant, acting as a command-and-control (C2) framework to commandeer the compromised machines. The panel lets operators issue commands to individual victims, send a single command to all victim devices in one go, or configure a predefined command that is automatically executed whenever a new victim is added to the panel.

Aside from the panel, threat actors have been observed using a remote desktop protocol (RDP) tool to connect to the targeted systems via RDP tunnels.

"The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records," the researchers said.

According to PRODAFT's analysis of TeslaGun victim data, the group's phishing and targeted campaigns have reached at least 8,160 people since July 2020. A majority of those victims are located in the U.S. (3,667), followed by Russia (647), Brazil (483), Romania (444), and the U.K. (359).

"It is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts," the researchers noted, citing comments made by the adversarial group in the TeslaGun panel.

The findings also arrive as the US Department of Health and Human Services (HHS) issued a warning about the group's significant threats to the health sector, including data exfiltration attacks aimed at stealing intellectual property and ransomware operations.

The agency's Health Sector Cybersecurity Coordination Center (HC3) said in an advisory published late last month, "Evil Corp has a wide set of highly-capable tools at their disposal. These are developed and maintained in-house, but are often used in conjunction with commodity malware, living-off-the-land techniques and common security tools that were designed for legitimate and lawful security assessments."