After months of inactivity, the TA505 hacker group's Get2 loader has suddenly resumed operations, which may indicate that the group is preparing a new round of malicious activity.
On December 14, 2020, the Get2 loader re-emerged with new download-and-execute configuration parameters named “LD” and “ED”. Intel 471 had last observed the loader on September 14, 2020.
The LD parameter reflectively loads the downloaded Dynamic Link Library (DLL) file into the address space of the current process and calls its entry point. The ED parameter copies the DLL into executable memory and calls the entry point directly. The pre-existing “RD” parameter, which injects the downloaded DLL into EXCEL.EXE, can now also be used to inject into WINWORD.EXE.
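The RD mode described above leaves a footprint a defender can key on: an Office host (EXCEL.EXE or WINWORD.EXE) receiving a remote thread or an inject-capable process handle from something that is not a known system component. The following Python sketch is an added example, not Intel 471's code or a detection the article itself describes. It assumes Sysmon-style telemetry already parsed into JSON objects with the standard EventID 8 (CreateRemoteThread) and EventID 10 (ProcessAccess) fields, a hypothetical starting allowlist of trusted source images, and a handful of constructed sample events.

```python
import json

# Office processes the page names as injection targets of the "RD" parameter.
OFFICE_HOSTS = {"excel.exe", "winword.exe"}

# Sources that routinely open handles to or create threads in other processes.
# Hypothetical starting allowlist; tune it against your own EDR baseline.
TRUSTED_SOURCES = {"csrss.exe", "lsass.exe", "msmpeng.exe", "svchost.exe"}

# Windows process-access rights that allow writing code into another process:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return a finding dict for one Sysmon-style event, or None if benign."""
    eid = ev.get("EventID")
    if eid not in (8, 10):
        return None
    source = image_name(ev.get("SourceImage", ""))
    target = image_name(ev.get("TargetImage", ""))
    if target not in OFFICE_HOSTS or source == target or source in TRUSTED_SOURCES:
        return None
    if eid == 8:
        reason = "remote thread created in Office host"
    else:
        # GrantedAccess is logged as a hex string; only inject-capable rights matter.
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if granted & INJECTION_RIGHTS == 0:
            return None
        reason = "handle with inject-capable rights opened to Office host"
    return {
        "time": ev.get("UtcTime"),
        "event_id": eid,
        "source": source,
        "target": target,
        "reason": reason,
    }


def scan(lines):
    """Run score_event over newline-delimited JSON events; return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = score_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real captures). Paths are invented.
SAMPLE_EVENTS = r"""
{"EventID": 8, "UtcTime": "2020-12-14 10:01:02", "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"EventID": 10, "UtcTime": "2020-12-14 10:01:05", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "GrantedAccess": "0x1000"}
{"EventID": 10, "UtcTime": "2020-12-14 10:02:11", "SourceImage": "C:\\Users\\u\\AppData\\Roaming\\loader.exe", "TargetImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "GrantedAccess": "0x1F0FFF"}
{"EventID": 10, "UtcTime": "2020-12-14 10:02:30", "SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "TargetImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "GrantedAccess": "0x1000"}
{"EventID": 1, "UtcTime": "2020-12-14 10:03:00", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f['time']}  EID {f['event_id']}  {f['source']} -> {f['target']}: {f['reason']}")
```

Of the five constructed events, only the remote thread from `update.exe` into EXCEL.EXE and the full-access handle from `loader.exe` to WINWORD.EXE are flagged; the svchost.exe access is allowlisted and the OUTLOOK.EXE handle carries only PROCESS_QUERY_LIMITED_INFORMATION (0x1000), which cannot inject. In production the allowlist and the access-mask threshold are the two knobs that control false positives.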
The reconfigured loader is designed to let the group carry out its operations without attracting the attention of enterprise defenses. In the past, it has been used to download SDBbot, FlawedGrace and other malware.
TA505 is a prolific, financially motivated, Russian-speaking group known for launching large-scale targeted attacks. The group was recently found to be using weaponized CVs to pursue German-speaking targets. The Intel 471 team also observed it hunting targets in Japan, South Korea and the United Arab Emirates in 2019. Once the group's malware or behavior is exposed by researchers or the media, it tends to go quiet while it retools.
Drawing on past experience, Intel 471 expects that the launch of the reconfigured Get2 loader will be followed by new, as yet undiscovered malware activity.
Jason Passwaters, chief operating officer of Intel 471, said: “TA505 may operate in a deliberate way, more cautiously than most of the financially motivated groups we track. Once things start to develop like this, rest assured that they have a list of targets in their hands and are back at them.”
Threat intelligence teams can leverage Intel 471's adversary intelligence on major threat groups such as TA505, and our unique insight into their capabilities, intent and motivations, to stay proactive and protect against attacks as cybercriminals modify their TTPs.