TA505 targets the US retail industry with personalized attachments

Share with your network!


Since November 15, 2018, Proofpoint began observing email campaigns from a specific actor targeting large retail chains, restaurant chains and grocery chains, as well as other organizations in the food and beverage industries. These email campaigns attempted to deliver various malware families, including Remote Manipulator System (RMS) and FlawedAmmyy, among others.

We also observed personalization of attachments in one such campaign. These attachments included the targeted company’s logo in the body of the attachment to make messages more believable.

We attributed these campaigns to TA505, the actor behind the largest Dridex and Locky ransomware campaigns of the last two years and more recently associated with distribution of remote access Trojans (RATs) and downloaders. This change in tactics -- the use of personalized attachments in moderately large campaigns combined with retail industry targeting -- arrives just in time for the holiday shopping season.

Campaign Details

On December 3, 2018, we observed a TA505 campaign targeting almost exclusively retail, grocery, and restaurant chains. This campaign distributed tens of thousands of messages. 

More interestingly, each intended target received a personalized attachment, a technique that TA505 has not previously used. The email (Figure 1) purported to be sent from a Ricoh printer and contain a scanned document. The bogus scan was actually a malicious Microsoft Word attachment (Figure 2). The document attached was unique to the targeted company, and even contained the targeted company’s logo in the document lure (blurred in the figure with a black box).

The document contains macros that, if enabled, downloaded and executed an MSI file. The execution leads to the installation of Remote Manipulator System (RMS) with a settings file that contains a custom command and control (C&C) address.

Figure 1: Email used in attempts to deliver malicious document on December 3

The lure shown in Figure 2 continues the social engineering introduced in the email, enticing recipients to enable macros so that they can view the contents of the fake scanned document.

Figure 2: Attached document with the logo blacked out and social engineering to trick recipients into enabling macros


TA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with their campaigns through the end of 2017. When this group changes tactics, it tends to correspond to broader shifts and, throughout the year, we have seen both TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans, often in smaller, more targeted campaigns. Threat actors follow the money and, with dropping cryptocurrency values, the return on investment in better targeting, improved social engineering, and management of persistent infections now seems to be greater than that for large “smash and grab” ransomware campaigns.

Given the ongoing holiday shopping season, the clear US retail and grocery targeting associated with these campaigns, and the nature of the malware they are distributing -- RATs and backdoors -- TA505 appears poised to take advantage of increased activity in this sector through the end of the year.

Indicators of Compromise (IOCs)


IOC Type




Document payload



RMS MSI dropper



Self-extracting RAR containing RMS







0F 2B 44 E3 98 BA 76 C5 F5 77 79 C4 15 48 60 7B

Certificate Serial

Serial number of the code signing certificate



Subject name of the code signing certificate


ET and ETPRO Suricata/Snort Signatures

2812668          ETPRO POLICY Remote Utilities Access Tool Activity