
TA505 Crime Gang Deploys SDBbot for Corporate Network Takeover
2020-04-14 17:55

The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan laterally throughout an entire corporate environment, researchers said.

SDBbot RAT is a custom job that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks.

The SDBbot loader, meanwhile, decompresses and executes the SDBbot payload. The loader's DLL files were installed as a persistence mechanism, and the loader itself was injected into the winlogon process.
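Because the loader is described as living in DLL files and running inside winlogon, a defender's first question is how to spot that on an endpoint. The following is an added example, not code from the article, Threatpost, or the original research: a small heuristic that scans Sysmon events for a remote thread created in winlogon.exe (Event ID 8) or a module loaded into winlogon.exe from outside the Windows system directories (Event ID 7). The field names are the standard Sysmon ones; the trusted-directory baseline and every sample event are constructed assumptions for illustration.

```python
"""Heuristic detection of code injection into winlogon.exe from Sysmon events.

Added example (not from the article). Assumes events are Sysmon records already
parsed into dicts using Sysmon's own field names for Event ID 8 (CreateRemoteThread:
SourceImage/TargetImage) and Event ID 7 (ImageLoad: Image/ImageLoaded).
The sample events at the bottom are constructed for demonstration.
"""
from typing import Dict, Iterable, List

# Assumed baseline: directories from which winlogon.exe is expected to load modules.
# Tune this to the environment; it is not a fact taken from the article.
TRUSTED_MODULE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _is_winlogon(image: str) -> bool:
    """True if the image path's file name is winlogon.exe (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] == "winlogon.exe"


def _from_trusted_dir(path: str) -> bool:
    """True if the module path starts with one of the assumed trusted directories."""
    return path.lower().startswith(TRUSTED_MODULE_DIRS)


def flag_winlogon_injection(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert dict per event that suggests injection into winlogon.exe."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 8 and _is_winlogon(str(ev.get("TargetImage", ""))):
            # A remote thread created in winlogon.exe is rare in normal operation;
            # record which process did it so an analyst can triage the source.
            alerts.append({
                "rule": "remote_thread_into_winlogon",
                "source": ev.get("SourceImage", ""),
                "record": ev,
            })
        elif (
            eid == 7
            and _is_winlogon(str(ev.get("Image", "")))
            and not _from_trusted_dir(str(ev.get("ImageLoaded", "")))
        ):
            # winlogon.exe loading a DLL from a non-system path matches the
            # "DLL installed for persistence" pattern described in the article.
            alerts.append({
                "rule": "untrusted_dll_in_winlogon",
                "source": ev.get("ImageLoaded", ""),
                "record": ev,
            })
    return alerts


# Constructed sample events (not real telemetry): one benign load, one remote
# thread from a user-writable path, one DLL load from ProgramData, one unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\winlogon.exe",
     "ImageLoaded": "C:\\Windows\\System32\\user32.dll"},
    {"EventID": 8, "SourceImage": "C:\\Users\\Public\\loader.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\winlogon.exe",
     "ImageLoaded": "C:\\ProgramData\\update\\helper.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for alert in flag_winlogon_injection(SAMPLE_EVENTS):
        print(alert["rule"], alert["source"])
```

Run against the constructed sample it raises two alerts (the remote thread from loader.exe and the DLL from ProgramData) and ignores the normal user32.dll load. In production the trusted-directory list needs care: a DLL planted under System32 would pass the path check, so the path heuristic should be paired with signature or hash validation of the loaded module rather than used alone.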

In the campaign, TA505 used the initially compromised system to escalate privileges and move laterally across additional systems on the network using the AD credentials harvested earlier, according to the researcher.

TA505 is known for ongoing malware authoring and development, including fully-fledged backdoors and RATs, and the SDBbot campaign is not the only appearance by the gang of late.


News URL

https://threatpost.com/ta505-crime-gang-sdbbot-corporate-network-takeover/154779/