Positive Technologies: TA505 rising to become world's most dangerous cybercriminal group

With attacks on dozens of targets in 64 countries in a six-month period, TA505 now threatens more than just financial companies

The Positive Technologies Expert Security Center has detected a spike in activity by the TA505 cybercriminal group. In the last six months, TA505 has ramped up its attacks to target 26 companies (the cases for which specific confirmation is available). Positive Technologies has detected activity by the group in 64 countries. In addition, TA505 has increased its resources and incorporated more sophisticated tactics, techniques, and procedures (TTPs) for greater stealth. Targets include major companies in finance, industry, and transportation, as well as government bodies. Affected countries include the United Kingdom, Canada, the U.S., and South Korea.

The group uses phishing emails to penetrate the networks of its victims. Each new wave of attacks reflects qualitative changes in the group's toolkit. The FlawedAmmyy loaders introduced in June 2019 differ significantly from previous versions. Researchers at Positive Technologies studied the unpacking algorithm used by this malware. Understanding the unpacker enables better attribution of the group's activities and detection of its tools, even when new functions are added to them. The main part of the unpacker is preceded by a large number of junk instructions, a frequent trick of malware authors to confuse the emulators used in antivirus products: an emulator executes only a bounded number of instructions per sample, so filler placed ahead of the real unpacker can push the interesting code past that budget.
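The following is an added example, not code from Positive Technologies and not FlawedAmmyy's actual unpacker, whose algorithm the article does not disclose. It illustrates the junk-instruction trick from the defender's side: a small table of semantically neutral 32-bit x86 encodings (an assumption; real junk generators use far more variety) is greedily skipped to find where the real code begins, and a blob is flagged when the filler run ahead of its entry point is unusually long. The sample byte strings are constructed for this example.

```python
"""Heuristic detector for junk-instruction padding ahead of an x86 unpacker stub.

Added example (not Positive Technologies' code and not FlawedAmmyy's real
unpacking algorithm). It scans raw code bytes, greedily skips encodings that
do no useful work, and reports where the first "real" instruction begins.
"""
from typing import Dict, List, Tuple

# Assumption: a small hand-picked set of do-nothing 32-bit x86 encodings.
# Real junk generators vary registers, interleave flag-clobbering arithmetic
# whose results are discarded, and so on; this table only shows the idea.
JUNK_ENCODINGS: Dict[bytes, str] = {
    b"\x90": "nop",
    b"\x66\x90": "xchg ax, ax",
    b"\x0f\x1f\x00": "nop dword [eax]",
    b"\x0f\x1f\x40\x00": "nop dword [eax+0]",
    b"\x87\xc0": "xchg eax, eax",
    b"\x89\xc0": "mov eax, eax",
    b"\x8b\xc0": "mov eax, eax",
    b"\x8d\x00": "lea eax, [eax]",
    b"\x50\x58": "push eax; pop eax",
    b"\x83\xc0\x00": "add eax, 0",
    b"\xeb\x00": "jmp $+2",
}

# Longest encodings first, so a multi-byte filler instruction is consumed
# whole rather than being split at a shorter pattern that shares its prefix.
_PATTERNS: List[Tuple[bytes, str]] = sorted(
    JUNK_ENCODINGS.items(), key=lambda kv: len(kv[0]), reverse=True
)


def skip_junk(code: bytes) -> Tuple[int, List[str]]:
    """Return (offset of the first non-junk byte, mnemonics of skipped filler)."""
    pos = 0
    skipped: List[str] = []
    while pos < len(code):
        for enc, mnemonic in _PATTERNS:
            if code.startswith(enc, pos):
                skipped.append(mnemonic)
                pos += len(enc)
                break
        else:
            break  # nothing in the table matched: real code starts here
    return pos, skipped


def looks_junk_padded(code: bytes, min_junk_instructions: int = 8) -> bool:
    """Flag a code blob whose entry point is preceded by a long filler run.

    The threshold is an assumption for this example. Compilers emit a few
    alignment NOPs, so a production rule would be tuned against clean
    binaries to keep false positives down.
    """
    _, skipped = skip_junk(code)
    return len(skipped) >= min_junk_instructions


# Constructed sample: ten filler instructions, then an ordinary function
# prologue (push ebp; mov ebp, esp; sub esp, 0x20) standing in for the
# unpacker body.
SAMPLE_STUB = (
    b"\x90\x90\x66\x90\x87\xc0\x89\xc0\x8d\x00\x50\x58"
    b"\x0f\x1f\x40\x00\x83\xc0\x00\xeb\x00"
    b"\x55\x8b\xec\x83\xec\x20"
)

# Constructed clean sample: one alignment NOP before the same prologue.
SAMPLE_CLEAN = b"\x90\x55\x8b\xec\x83\xec\x20"

if __name__ == "__main__":
    for name, blob in (("padded", SAMPLE_STUB), ("clean", SAMPLE_CLEAN)):
        offset, skipped = skip_junk(blob)
        print(f"{name}: real code at +{offset:#x}, "
              f"skipped {len(skipped)} filler instruction(s)")
        print("   ", "; ".join(skipped))
        print("    flagged:", looks_junk_padded(blob))
```

Running the script shows the padded stub's real code starting at offset 0x15 after ten skipped instructions, while the clean sample skips a single NOP and is not flagged. A production version would sit on top of a real disassembler (the table approach misses any encoding it has not seen) and would be paired with the retrospective traffic and event analysis the article recommends, since junk padding alone is a hint rather than proof of malice.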

TA505 is one of only a few long-lived, still-active cybercriminal groups. Since 2014, its arsenal has included the Dridex banking Trojan, the Neutrino botnet, and ransomware such as Locky, Jaff, and GlobeImposter. The group has used the FlawedAmmyy remote access tool since 2018 and, since late 2018, the newer ServHelper backdoor as well.

Alexey Novikov, Director of the Positive Technologies Expert Security Center, said: "Usually, the group attacks where they think they can steal money. But recently they have started eyeing intellectual property that can be monetized. This explains the new industries in their sights. Looking at all the indicators together—frequency of attacks, geographic range, diversity of targets, sophistication of TTPs—we can say that TA505 is the most dangerous cybercriminal group seen in the last six months. Also we know that they use the same network infrastructure as Buhtrap. So we can assume that they work together or have the same coordinator."

Besides finance and government, targets of TA505 in 2019 have included research institutes and companies in energy, aviation, healthcare, and other sectors.

Detecting such threats requires a defense-in-depth approach attuned to what happens inside the infrastructure, as opposed to merely reinforcing the perimeter. Components of this approach include deep traffic analysis, retrospective analysis of security events, user behavior profiling, and retaining skilled incident investigation specialists. These measures dramatically reduce attacker dwell time and make it possible to disrupt the kill chain at its early stages.