
Get2

Posted: October 17, 2019

Get2 is a Trojan downloader in use by the TA505 threat actor. It may download a range of files and threats automatically, including Remote Access Trojans, that can help attackers take over your PC. Users can monitor their e-mail accounts for potential attacks and have their anti-malware products delete Get2 as they detect it.

A Go-Getter for Fellow Trojans

While the high-volume attacks of the TA505 threat actor are always profit-oriented, the software they use changes over time. Get2 is a fairly fresh addition to a toolkit that already includes AndroMut (a Trojan downloader like Get2), Remote Access Trojans such as the FlawedAmmyy RAT (Ammyy), and even file-locking Trojans. In Get2's case, its existence highlights how even the most efficient and business-like threat actors still depend on exploitable weaknesses.

Get2's campaigns to date come in multiple languages tailored to their targets (typically, workers at enterprise-grade entities), with e-mail content such as fake invoices, job applications or industry news. Two infection methods are in use so far: obfuscated links that pretend to lead to Dropbox, and directly attached files. In both cases, the download is a corrupted Excel spreadsheet containing the macro that installs Get2.

Get2 is a C++ application with the usual threat-introduction features that malware experts see in similar Trojan downloaders. It has few capabilities beyond transmitting a small amount of system environment information and, optionally, abusing DLL injection to install its payload. TA505 uses it for dropping threats with corrupted remote admin features, such as:

RATs are best differentiated from commonplace backdoor Trojans by the additional UI and command support they include for modifying the system's settings and files, or for exercising control over mouse and keyboard input. They are also highly likely to collect credentials and help an attacker compromise local networks.

Making Delivery Trojans Get Gone

Updates to Get2 include the DLL injection, which was not part of its earliest versions, among other minor changes. The macro that delivers Get2 is also noteworthy: it has received iterative improvements throughout the campaigns, and it contains code taken from the Stack Overflow programming resource site. Even while using conventional strategies, TA505 updates and maintains the delivery methods for its latest tools on a campaign-by-campaign basis.

The use of macros also provides a last point of escape for the victim. Users have to deliberately enable the macro or 'advanced content' in the spreadsheet, since current Office releases disable macros by default. After that point, symptoms of a Get2 infection and of the RATs it introduces are not visually noticeable. TA505 is a threat actor that's all about the money, and Get2 is another way of positioning themselves to get it. Business employees are reminded to view all incoming downloads with due suspicion, since no security can overcome a worker who makes poor decisions.
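Because both Get2 delivery methods described above end in a macro-bearing Excel file that the recipient must enable, a defender's first cheap check is whether an incoming workbook carries a VBA project at all, before any user sees the "enable content" prompt. The following script is an added example written for this article, not code from the original page or from any vendor: it triages an attachment by container format (OOXML zip versus legacy OLE2 binary), looks for the `xl/vbaProject.bin` part and the `application/vnd.ms-office.vbaProject` content type, and flags a macro-carrying workbook delivered under a non-macro extension. The sample workbooks it builds are constructed in memory and contain placeholder bytes, not a real VBA project.

```python
import io
import zipfile

# Constructed sample data (not from the page): a minimal OOXML workbook skeleton.
CONTENT_TYPES_TMPL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/xl/workbook.xml" ContentType="{wb_type}"/>'
    '{vba_override}'
    '</Types>'
)
WB_TYPE_PLAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
WB_TYPE_MACRO = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls / compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML containers are zip archives


def build_sample_workbook(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML workbook in memory (no real spreadsheet content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        vba_override = (
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            if with_macro else ""
        )
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_TMPL.format(
            wb_type=WB_TYPE_MACRO if with_macro else WB_TYPE_PLAIN,
            vba_override=vba_override))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project stream.
            zf.writestr("xl/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def triage_attachment(data: bytes, filename: str) -> dict:
    """Classify an attachment: 'allow', 'quarantine' (macro present) or 'manual-review'."""
    result = {"filename": filename, "format": "unknown", "has_vba_project": False,
              "declares_vba_content_type": False, "extension_mismatch": False}
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""

    # Legacy binary workbooks need an OLE parser to inspect; route them to a human.
    if data.startswith(OLE2_MAGIC):
        result["format"] = "ole2"
        result["verdict"] = "manual-review"
        return result
    if not data.startswith(ZIP_MAGIC):
        result["verdict"] = "manual-review"
        return result

    result["format"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                      if "[Content_Types].xml" in names else "")
    except zipfile.BadZipFile:
        result["format"] = "unknown"
        result["verdict"] = "manual-review"
        return result

    # Two independent signals: the VBA part itself, and the package declaring it.
    result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    result["declares_vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    macro = result["has_vba_project"] or result["declares_vba_content_type"]
    # A macro-carrying workbook under a non-macro extension is inconsistent and worth noting.
    result["extension_mismatch"] = macro and ext in {"xlsx", "xltx"}
    result["verdict"] = "quarantine" if macro else "allow"
    return result


if __name__ == "__main__":
    for name, blob in [("invoice.xlsm", build_sample_workbook(True)),
                       ("report.xlsx", build_sample_workbook(False)),
                       ("renamed.xlsx", build_sample_workbook(True)),
                       ("old.xls", OLE2_MAGIC + b"\x00" * 16)]:
        print(triage_attachment(blob, name))
```

The check is deliberately format-level: it says nothing about what the macro does, only that one is present, which is enough to hold a "fake invoice" at the mail gateway and keep the enable-content decision out of the recipient's hands. Legacy `.xls` files are routed to manual review rather than allowed, since their VBA streams live inside an OLE2 compound file that this script does not parse.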
