Outpost24’s Blueliv Labs has announced that the TA505 threat actor has resurfaced with a new RAT variant, which Outpost24’s threat researchers have named GraceWrapper.
TA505 is a financially motivated threat actor group believed to have been active for almost a decade. In more recent years the group is believed to have deployed Clop ransomware after compromising corporate networks with a variety of remote administration malware, such as SDBbot, FlawedAmmyy and FlawedGrace, delivered by downloaders including Get2, Gelup and MirrorBlast. Over time, the group has become more sophisticated, adopting a diverse set of tactics, techniques and procedures (TTPs).
Outpost24’s Blueliv Labs compiled its findings from a retrospective analysis of the MirrorBlast spam campaign, the last known spam operation attributed to TA505.
Within the convoluted chain of malware components involved in the attack, one is believed to be an updated version of the FlawedGrace RAT, based on clear similarities in its code and behaviour.
To better understand the latest member of the Grace family, Outpost24 re-analysed the structure and technical details of the group’s MirrorBlast campaign. Our researchers studied the anti-analysis techniques (including a sleep-based delay), obfuscation tactics, injection mechanisms and other surprisingly advanced functions present in the new component. We then set out to identify how TA505 was able to use its new downloaders to bypass detection systems and obscure the attribution of its attacks.
“Our deep dive has proven that TA505 has not wavered in its mission to improve its intrusion techniques, protect and hide its tools and avoid the watchful eye of analysts and automated detection solutions alike. In doing so, the group has positioned itself as a strong enabler for post-exploitation tasks and a viable threat to modern businesses.”