Security Articles

Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant

released on 2021-10-19 @ 02:49:44 PM
Since early September 2021, Proofpoint researchers have been tracking renewed malware campaigns by the financially driven TA505. The campaigns, which are distributed across a wide range of industries, started with low-volume email waves that ramped up in late September, resulting in tens to hundreds of thousands of emails. Many of the campaigns, especially the large-volume ones, strongly resemble the historic TA505 activity from 2019 and 2020. The commonalities include similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace remote access trojan (RAT). The campaigns also contain some noteworthy new developments, such as retooled intermediate loader stages scripted in Rebol and KiXtart, which are used instead of the previously popular Get2 downloader. The new downloaders perform similar functions: reconnaissance and pulling in the next stages. Lastly, there is an updated version of FlawedGrace.