
TA505 Group Targets Financial Institutions Worldwide

FINANCE INDUSTRY

The Russian cybercriminal group TA505 has been spreading remote access trojans (RATs) against financial entities worldwide, especially in the US, since December 2018. The threat group uses phishing emails and social engineering to get victims to download a legitimate administration tool known as Remote Manipulator System (RMS). Because most security solutions do not flag RMS as malicious, the tool can act as a backdoor for downloading second-stage payloads from its Command and Control (C&C) server. These additional tools allow the threat group to steal credentials and move laterally across the organisation’s network. In previous campaigns, TA505 deployed customised backdoors such as tRAT and ServHelper to install trojans such as Dridex and ransomware such as Locky, Philadelphia and GlobeImposter.


Ensign InfoSecurity Singapore