Financial organizations are historically among the most targeted by threat actors. There are many reasons for this, not least of which is the trove of customer data the financial sector holds, as well as the funds to pay large sums of money to regain access to encrypted data. Morphisec Labs team has tracked a new version of a campaign targeting financial organizations. Dubbed "MirrorBlast" by ET Labs, the current attack campaign the Labs team has tracked began in early September. There was similar activity in April 2021 as well, but the current campaign began more recently. The attack chain of the infection bears a similarity to the tactics, techniques, and procedures commonly used by the allegedly Russia-based threat group TA505. The similarities extend to the attack chain, the GetandGo functionality, the final payload, and similarities in the domain name pattern. TA505 has been active since at least 2014 and, as far as analysts can ascertain, has a financial motivation for their actions. As a group, TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution.
Login to the community
No account yet? Create an account
LoginCUSTOMER / CYMULATE EMPLOYEE LOGIN
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.