A threat actor known as TA505 recently launched a phishing campaign that uses living-of-the-land binaries (LOLBins) to distribute a new backdoor malware

February 27, 2020
ta505 phishing campaign malware antimalware financial organizations

Threat Summary

Malicious actor TA505 known for these notorious campaigns namely info stealer malware Dridex, the Locky ransomware, and more. Another attack carried out by the same group on multiple continents, including North America, Asia, Africa, and South America. Primarily focusing on large financial organizations, this group at the same time perform well-planned, advanced attacks in order to extract valuable data it can later leverage. This latest attack aimed to more than 40 email accounts within the same organization, relied on attack emails that came with Microsoft Excel attachments containing malicious macros.


Campaign analysis

Initial TA505 phishing attack focused on several accounts in a specific financial institution at a single time and date. This organization was explicitly targeted with a small number of emails to a very small number of accounts within the company. This hints at the possibility of reconnaissance done at an earlier stage of the operation in order to select the best targets.

  1. first-stage payload attack emails that came with Microsoft Excel attachments containing malicious macros. When enabled, those macros invoked the Windows OS process msiexec.exe to connect to a command-and-control (C&C) server and download the campaigns.
  2. Second stage of the attack, the dropper used a NIS script for Nullsoft Scriptable Install System (NSIS), a legitimate tool used for creating Windows installers. This NSIS script functioned as a LOLBin, allowing the campaign to evade detection and, in the process, execute a file called pegas.dll.


Characteristics of TA505’s Operation

  • Highly targeted phishing campaign to a small number of specific accounts within the company.
  • Signed and verified malicious code. This is to prevent foot printing and camouflaging.
  • A calculated timeline indicated by staging phishing attack and signing of the malicious code.
  • A selective persistence mechanism and self-destruct commands based on autonomous reconnaissance.
  • Large emphasis on removal of evidence using self-destruct commands and deleting scripts.
  • Multiple C2 domains, in the event of blacklisting or inability to connect for another reason.
  • The operation integrates four different LOLBins, which indicates the attackers continued, advanced attempts to avoid detection.



Obscurity of this campaign is how it eludes detection. Even for security professionals are aware of the complications in ensuring a secure system. LOLBins are misleading because their execution structure seems benign at first, or even sometimes safe. In addition, the use of a signed and verified file with certification increases the probability that the malware will stay under exposure.


About the author

Leave a Reply