Pierluigi Paganini October 20, 2019

TA505 cybercrime group that operated the Dridex Trojan and Locky ransomware, has been using a new RAT dubbed SDBbot in recent attacks.

Security experts at Proofpoint observed the notorious TA505 cybercrime group that has been using a new RAT dubbed SDBbot in recent attacks.

The TA505 group, that is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. TA505 hacking group has been active since 2014 focusing on Retail and banking sectors.

SDBbot is a backdoor that is delivered via a new downloader dubbed Get2 that was written in C++. The dropper was also used to distribute other payloads, including FlawedGrace, FlawedAmmyy, and Snatch.

The new downloader Get2 was first observed in early September when the groups used it in targeted attacks against financial institutions in Greece, Singapore, United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries.

On September 20, new phishing attacks involved thousands of emails, with English and French lures, attempting to deliver Microsoft Excel and .ISO attachments to targets in the United States and Canada.

The TA505 group started delivering SDBbot in early October, it used weaponized Microsoft Office documents leveraging the Get2 downloader.

“On October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed thousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel sheet “request[.]xls”. This campaign only used the English language and targeted companies from various industries primarily in the United States.” reads the analysis published by Proofpoint.

“SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence.“

The attackers switched from attachments to shortened URLs that point to a malicious Excel sheet, the attacks mainly targeted organizations in the United States.

Experts discovered that the Get2 downloader also implements information-gathering capabilities. It collects basic system information and sends it back to an hardcoded C&C via an HTTP POST request.

The SDBbot RAT has three main components, an installer, a loader, and a backdoor component.

The installer is used to store the RAT in the registry and establish persistence for the loader, while if the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method. If the bot is running as admin on Windows XP or 7, persistence is established using application shimming

“All three of the persistence mechanisms require a reboot to take effect and there is no additional code to continue executing the loader and RAT components from the installer. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation in the TA505 campaigns.” continues the analysis.

The loader is used to execute the loader shellcode from the binary blob that is stored in the registry that decompresses the RAT and loads and executes a DLL.

The RAT component supports typical RAT functionalities, including command shell, video recording of the screen, remote desktop, port forwarding, and file system access.

“The new Get2 downloader, when combined with the SDBbot as its payload appears to be TA505’s latest trick (or treat) for the Fall of 2019,” Proofpoint concludes.

Pierluigi Paganini

(SecurityAffairs – SDBbot RAT, TA505)

[adrotate banner=”5″]

[adrotate banner=”13″]