Cybersecurity researchers have offered insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505.
“The group frequently changes its malware attack strategies in response to global cybercrime trends,” Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. “It opportunistically adopts new technologies in order to leverage victims before the wider cybersecurity industry spreads.”
Also tracked as Evil Corp, Gold Drake, Dudear, Indrik Spider and SectorJ04, TA505 is an aggressive Russian cybercrime syndicate behind the infamous Dridex banking trojan, and it has been linked to a number of ransomware campaigns in recent years.
It is also said to be linked to the Raspberry Robin attacks that emerged in September 2021, with similarities found between the malware and Dridex.
Other notable malware families associated with the group include FlawedAmmyy, the Neutrino botnet, and a backdoor codenamed ServHelper, a variant of which is capable of downloading a remote access trojan called FlawedGrace.
The control panel, called TeslaGun, is used by the adversary to manage the ServHelper implant, functioning as a command-and-control (C2) framework to commandeer compromised machines.
The panel also lets the attackers issue commands to individual victims, send a single command to all currently connected victim devices, or configure a predefined command that is executed automatically whenever a new victim is added to the panel.
“The TeslaGun panel has a pragmatic and minimalist design. The main dashboard only contains data from infected victims, a generic comments section for each victim, and several options to filter victim records,” the researchers said.
In addition to using the panel, the threat actors have also been known to use a Remote Desktop Protocol (RDP) tool to manually connect to targeted systems via RDP tunnels.
PRODAFT’s analysis of the TeslaGun victim data shows that the group’s phishing and targeted campaigns have hit at least 8,160 targets since July 2020. A majority of these victims are in the United States (3,667), followed by Russia (647), Brazil (483), Romania (444) and the United Kingdom (359).
“It is clear that TA505 is actively seeking users of online banking or retail, including crypto wallets and e-commerce accounts,” the researchers noted, citing the adversary’s own comments recorded in the TeslaGun panel.
The findings also come as the US Department of Health and Human Services (HHS) warned of significant threats posed by the group to the healthcare industry, both through data exfiltration attacks that aim to steal intellectual property and through ransomware operations.
“Evil Corp has a wide array of high-performance tools,” the agency’s Healthcare Cybersecurity Coordination Center (HC3) said in a notice published late last month.
“These are developed and maintained in-house, but are often used in conjunction with commodity malware, living-off-the-land techniques and common security tools that have been designed for legitimate and legal security assessments.”
Source: TA505 Hackers Use TeslaGun Panel to Manage ServHelper Backdoor Attacks (TechRadar)