Pro Hacking Groups Are Pivoting To New Form Of Malware With ‘AndroMut’, Targeting Financial Information And Banks Using Social Engineering

A professional hacking group with sophisticated techniques to execute phishing and other forms of malware attacks appears to be altering its direction. With a clear aim to prioritize quality over quantity, the infamous TA505 group of hackers has pivoted using a new form of malicious code named AndroMut. Interestingly, the malware appears to be inspired by Andromeda. Originally designed by another hacking group, Andromeda was one of the largest malware botnets in the world as recently as in 2017. Botnets based on the Andromeda code successfully executed its payload delivery on several suspectable and vulnerable PCs running Windows Operating System. The AndroMut seems to be largely based on this very Andromeda code indicating a possible collaboration between the hacker groups.

One of the world’s most successful cybercriminal groups, who call themselves the TA505, appears to have altered its tactics. As part of the latest malicious campaign of attacking and stealing financial information, the group is busy distributing a new form of malware. Instead of targeting a large number of individuals, as part of the pivot, the TA505 group appears to be going after banks and other financial services. Incidentally, the point of entry or origin does remain the same, but the intended target and focus appear to be on the organized financial sector. Incidentally, financial companies in the US, the United Arab Emirates and Singapore are advised to be on high alert and look for any suspicious content. Some of the most common points of the attack remain to be official-looking emails.

TA505 Group Uses Andromeda Base To Develop And Deploy AndroMut

The infamous TA505 group appears to have increased its intensity during the last month and has continued with the same ferocity. It is no longer attempting to deploy random waves of attacks that attempt to gain control of victims’ machines. In other words, mass phishing emails are no longer the preferred tactics. Instead, the TA505 group has significantly lowered the volume of attacks and has clearly switched to more targeted attacks.

Based on the analysis of several suspected emails and other forms of electronic communication and media, cyber-security researchers at Proofpoint have indicated that the group of hackers appears to be targeting employees of banks and other financial service providers. The researchers have also uncovered the usage of a new form of sophisticated malware. The researchers are calling it AndroMut and have discovered that the malware has quite a few similarities with Andromeda. Designed and deployed by an entirely different group of hackers, Andromeda has been one of the most successfully executed, dangerous and one of the largest network of malware botnets in the world. Up until 2017, Andromeda was spreading prolifically, and successfully installing itself on vulnerable PCs running the Windows operating system.

How Is The TA505 Group Executing The Malware Attack?

Like most of the other TA505 group’s attacks, the new AndroMut malware too is distributed through legitimate-looking emails. The phishing attacks involve emails that look and feel highly official and authentic. Such emails usually claim to contain invoices and other documents purporting to be related to banking and finance. Emails used in phishing are often painstakingly created. Although several emails contain the popular PDF document, phishing emails from the TA505 group seem to rely on Word documents.

Once the unsuspecting victim opens the laced Word document, the group relies on social engineering to continue the attack. This may sound complicated, but actually, the attack relies on a rather ancient method of ‘macros’ in Word document. Targets are informed that the information is ‘protected’ and they need to enable editing to see its contents. Doing so enables macros and allows AndroMut to be delivered to the machine. This malware then discreetly downloads FlawedAmmyy. Once both are installed, the victims’ machines are fully compromised.

What Is AndroMut And How Does The Multi-Stage Malware Work?

TA505 is currently using AndroMut as the first stage in a two-stage attack. In other words, AndroMut is the first part of a successful infection and control of victims’ computers. Once successful in penetration, AndroMut uses the infection to discreetly drop a second payload onto the compromised machine. The second payload of malicious code is called FlawedAmmyy. Essentially, FlawedAmmyy is a powerful and efficient Remote Access Trojan or RAT.

The aggressive second-stage RAT FlawedAmmyy is a virulent malware that grants remote access to the victims’ computers. Attackers can gain remote Administrative privileges. Once inside, attackers have complete access to files, credentials and more.

Incidentally, the data, in itself, is not the target. In other words, stealing data is not the primary intention. As part of the pivot, the TA505 group is after information that grants them access to the internal network of banks and other financial institutions.

TA505 Group Is Following The Money, Say Experts:

Speaking about the activities of the hacking group, Chris Dawson, threat intelligence lead at Proofpoint said, “A505’s move to primarily distributing RATs and downloaders in much more targeted campaigns than they previously employed with banking Trojans and ransomware suggests a fundamental shift in their tactics. Essentially the group is going after higher quality infections with the potential for longer-term monetization – quality over quantity.”

Cybercriminals are essentially fine-tuning their attacks, and are selecting their targets instead of undertaking massive emailing campaigns and hoping to snag victims. They are after the data, and more importantly, sensitive information, to steal money. The latest pivot is essentially just an example of hackers following the market and money. Hence the shift in strategy shouldn’t be considered permanent, observed Dawson, “What is not clear is the ultimate outcome or endgame of this shift. A505 very much follows the money, adapting to global trends and exploring new geographies and payloads to maximize their returns.”


Alap Naik Desai

A B.Tech Plastics (UDCT) and a Windows enthusiast. Optimizing the OS, exploring software, searching and deploying solutions to strange and weird issues is Alap's main interest.