Hacking group returns, switches from ransomware to trojan malware

Brink

Administrator
Staff member
Local time
10:33 AM
Messages
74,883
Location
Oklahoma
A prolific hacking group has returned with a new campaign which looks to deliver a new remote access trojan (RAT) to victims in order to create a backdoor into PCs to steal credentials and banking information.

The campaign is suspected to be the work of TA505, a well-resourced hacking group which has been active since at least 2014. The group has launched some of the largest cyber attack campaigns of recent years, with victims targeted with the Dridex banking trojan, Locky ransomware, Jaff ransomware and more.

Many of these campaigns have been launched with the aid of the Necurs botnet, one of the largest spam generators used by cyber criminals.

Now TA505 is running a new campaign, which has been detailed by researchers at security company Proofpoint. In line with a change of focus by other cyber criminal groups, TA505 has shifted away from ransomware and banking trojans and now appears to focus on RATs -- including one which has only recently appeared and had only been used twice before. In both previous cases, the attackers remain unidentified.

Dubbed tRat by researchers, the malware is predominantly targeting financial institutions and is being distributed with the aim of grabbing credentials, financial data, and other information that would be useful to cyber criminal operations. Researchers also warn that it could have other capabilities that haven't been put into operation yet.

The malware campaign was first detected in late September, with phishing emails offering its targets secure files that need to be opened. If the user opens the attachment, the Word document claims to be protected by security firm Symantec and asks the user to enable macros to see the supposed secure files...


Read more: Hacking group returns, switches attacks from ransomware to trojan malware | ZDNet
The malware campaign was first detected in late September, with phishing emails offering its targets secure files that need to be opened. If the user opens the attachment, the Word document claims to be protected by security firm Symantec and asks the user to enable macros to see the supposed secure files...

An oldie, but a goodie. People working at financial institutions receive hundreds of e-mails every day, so who can blame 'em for opening dodgy e-mails? What's a solution here? Never enable macros? Find something other than Word to view documents?
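On the "never enable macros" question above, here is an added PowerShell example (not from the article or either poster) that audits the Word macro policy a phished user would be running under and, if asked, tightens it so the "Enable Content" bar this lure depends on never appears. It assumes a current Office build (registry version key 16.0) and writes the per-user policy hive; in a domain the same values are normally pushed by GPO, which takes precedence.

```powershell
# Audit (and optionally enforce) Word macro policy so that a macro-laden
# attachment like the one described above cannot run its VBA.
# Assumption: Office 2016/2019/365 (registry version key "16.0").
function Get-WordMacroPolicy {
    param([string]$Version = '16.0')
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\Word\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # VBAWarnings: 1 = enable all, 2 = disable with notification (the
    # "Enable Content" bar the lure relies on), 3 = disable except
    # digitally signed, 4 = disable all without notification.
    [pscustomobject]@{
        Key                 = $key
        VBAWarnings         = $props.VBAWarnings
        BlockInternetMacros = $props.blockcontentexecutionfrominternet
    }
}

function Set-WordMacroPolicy {
    param([string]$Version = '16.0')
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\Word\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Only macros signed by a trusted publisher may run ...
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
    # ... and files that arrived from the internet (mail attachments and
    # downloads carry a Mark-of-the-Web) have their macros blocked outright.
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Report the current state, then flag a configuration the lure would beat.
$policy = Get-WordMacroPolicy
$policy | Format-List
if ($policy.BlockInternetMacros -ne 1 -or $policy.VBAWarnings -in @($null, 1, 2)) {
    Write-Warning 'Word would show "Enable Content" for this attachment; run Set-WordMacroPolicy or deploy the same values via GPO.'
}
```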