Since our last research on TA505, we have observed new activity from the group involving campaigns that targeted different countries over the last few weeks. We found them targeting countries in the Middle East such as the United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines, and South Korea.
This blog post covers the updates from TA505’s campaigns and indicators of compromise (IoCs), as well as the latest tactics, techniques, and procedures of these campaigns, particularly those observed in late June. We also analyzed a new malware tool named Gelup (detected by Trend Micro as Trojan.Win32.GELUP.A), which we saw the group use in one of the campaigns on June 20.
Gelup employs a user account control (UAC) bypass and works as a loader for other threats. The tool also uses the packer of FlawedAmmyy, a remote access trojan, from previous campaigns. TA505 is also using FlowerPippi (Backdoor.Win32.FLOWERPIPPI.A), a new backdoor that we found in their campaigns against targets in Japan, India, and Argentina. Our in-depth analysis of the Gelup malware and FlowerPippi backdoor, including their infection chains and C&C communication, is detailed in our technical brief.
Source: Trend Micro