TA505 Spear Phishing Campaign Uses LOLBins to Avoid Detection

[silversurfer]

The TA505 hacking group ran a spear phishing campaign targeting a financial institution during April with the help of a signed version of the ServHelper backdoor and a number of LOLBins designed to help the operation evade detection.

TA505 is a threat group known to have been active since at least Q3 2014 [1, 2] and to have attacked a multiple financial institutions and retail companies using large sized malicious spam campaigns driven with the help of the Necurs botnet and dropping the Dridex and Trick banking Trojans, as well as the Locky and Jaff ransomware strains on their targets computers. [1, 2, 3]
 
During November 2018, TA505 started distributing new malicious tools as discovered by Proofpoint, the ServHelper backdoor and the FlawedGrace remote access Trojan (RAT) as part of multiple malware campaigns focused on banks, retail businesses, and restaurants.

LOLBins are deceptive because their execution seems benign at first, or even sometimes safe. In addition, the use of a signed and verified file with certification increases the likelihood that the malware will stay under the radar.

SOURCE: https://www.bleepingcomputer.com/news/se...detection/