Researchers from cybersecurity firm PRODAFT have discovered a previously undocumented software control panel, tracked as TeslaGun, used by a cybercrime group known as TA505.
The Russian TA505 hacking group, also known as Evil Corp, has been active since 2014, focusing on the retail and banking sectors. The group is also known for the evasive techniques it has adopted over time to bypass security controls and penetrate corporate perimeters with several kinds of malware, for instance by abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or by abusing valid cryptographically signed payloads.
The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with Locky, BitPaymer, Philadelphia, GlobeImposter, and Jaff ransomware families.
The financially motivated group is known to have used multiple malware families in its attacks, including FlawedAmmyy, the ServHelper backdoor and FlawedGrace.
The ServHelper backdoor is written in Delphi and, according to the experts, its development team has continued to add new features since 2019. Researchers pointed out that almost every new campaign used a new variant of the malware.