Cybersecurity researchers have offered insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505.
“The group frequently changes its malware attack strategies in response to global cybercrime trends,” Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. “It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on.”
Also tracked under the names Evil Corp, Gold Drake, Dudear, Indrik Spider, and SectorJ04, TA505 is an aggressive Russian cybercrime syndicate behind the infamous Dridex banking trojan and which has been linked to a number of ransomware campaigns in recent years.
It’s also said to be connected to the Raspberry Robin attacks that emerged in September 2021, with similarities uncovered between the malware and Dridex.
Other notable malware families associated with the group include FlawedAmmyy, Neutrino botnet, and a backdoor codenamed ServHelper, one variant of which is capable of downloading a remote access trojan called FlawedGrace.
The control panel, called TeslaGun, is said to be used by the adversary to manage the ServHelper implant, working as a command-and-control (C2) framework to commandeer the compromised machines.
Additionally, the panel offers the ability for the attackers to issue commands, not to mention send a single command to all victim devices in go or configure the panel such that a predefined command is automatically run when a new victim is added to the panel.
“The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records,” the researchers said.
Aside from using the panel, the threat actors are also known to employ a remote desktop protocol (RDP) tool to manually connect to the targeted systems via RDP tunnels.
PRODAFT’s analysis of TeslaGun victim data shows that the group’s phishing and targeted campaigns have hit at least 8,160 targets since July 2020. A majority of those victims are located in the U.S. (3,667), followed by Russia (647), Brazil (483), Romania (444), and the U.K. (359).
“It is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts,” the researchers noted, citing comments made by the adversarial group in the TeslaGun panel.
The findings also come as the U.S. Department of Health and Human Services (HHS) warned of significant threats posed by the group to the health sector via data exfiltration attacks that aim to steal intellectual property and ransomware operations.
“Evil Corp has a wide set of highly-capable tools at their disposal,” the agency’s Health Sector Cybersecurity Coordination Center (HC3) said in an advisory published late last month.
“These are developed and maintained in-house, but are often used in conjunction with commodity malware, living-off-the-land techniques and common security tools that were designed for legitimate and lawful security assessments.”