PULSE NAME
Breaking Down TA505 Group's Use of HTML and RATs
WHITE | TA505 | AlienVault | 2019-06-12 | Modified: 2019-06-12
222 IOCs (HIGH VOLUME)
TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. We have been following TA505 closely and detected various related activities for the past two months. In the group's latest campaign, they started using HTML attachments to deliver malicious .XLS files that lead to the downloader and backdoor FlawedAmmyy, mostly to target users in South Korea.
Indicators of Compromise (11 / 222 total)