FlowerPippi: A Devious Backdoor Trojan Employed by TA505

FlowerPippi is a backdoor that is closely associated with the infamous Gelup malware, and it is possible that it could be run on the infected machine with other threats at the same time. This malware is a threat for Windows users, and it has been specifically found to affect those living in Argentina, Japan, and the Philippines. Users living in the same region need to be cautious. Both FlowerPippi and Gelup belong to a group known by the name TA505. This malware was spotted in the summer of 2019, and its existence proved how sophisticated cybercriminals have become. Long gone are the days when it was enough to rely on file-sharing sites and torrents for the distribution of malware. Of course, they are used to this day, but cybercriminals have to be more inventive these days, especially if they have specific targets to hit.

It is important to understand FlowerPippi fully and completely to ensure protection against it, and that is why it is important to understand the cybercriminal group that created this threat. According to Trend Micro researchers, TA505 is the group that is responsible for this malware, as well as Gelup. This group has also been found to employ malware created by other cybercriminals, specifically FlawedAmmyy, which is a Trojan downloader. The group was first discovered when it started bombarding Windows users in Morocco, Saudi Arabia, and the United Arab Emirates with malicious spam emails. These emails exposed the recipients to malicious HTML or XLS files, and if the recipients were tricked into opening them, the FlawedAmmyy downloader was dropped silently. Different attack waves were observed, and they could be distinguished by the different subject lines used. A few examples included “Tax Credit Note,” “Confirmation,” “Visa Cancelled,” and “Customer Balance Confirmation.”

During one of the TA505 spam waves, malware researchers observed FlowerPippi to spread via emails targeted at users in Argentina, Japan, and the Philippines. The email messages contained fake DOC and XLS files, and if recipients interacted with them, both FlowerPippi and Gelup were downloaded. The later infection is particularly sophisticated, as it can install itself using advanced techniques, and it also can bypass detection after it is fully established. FlowerPippi is a backdoor that does not have an autorun function and is used solely for the purpose of retrieving malware payload. This malware can also be used to collect data about the user of the infected machine. This information is sent to a C&C server for cybercriminals to analyze. Overall, this piece of malware is unlikely to be used on its own, and it is more likely to be employed in conjunction with other, more versatile infections. By the way, Gelup itself can gather and transfer information too. It goes without saying that any malware tool requires immediate removal, and, according to our research team, components of the malicious backdoor could be found in two separate directories (%APPDATA%\MSOCache and %ALLUSERSPROFILE%) as well as the Windows Registry (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run).

All things considered, if you need to delete FlowerPippi from your operating system, there is a good chance that other threats exist on your operating system and are silently making a mess. Needless to say, virtual security can be jeopardized significantly by malware, and the more infections there are, the bigger security issues might come up. Whether FlowerPippi stands on its own or has been accompanied by other threats, it is best to employ anti-malware software. This software is built to inspect systems, find malware components, and perform automatic removal. While fake, inadequate, and weak anti-malware tools exist, if you choose legitimate and trustworthy software, you will not need to worry about having your system fully cleaned and also protected. After you have all threats deleted, it is crucial to ensure full-time Windows protection because unprotected systems are the first ones to be attacked. Of course, it is also important to stay away from emails that could contain malicious attachments and links.

Reference

Hiroaki, H. and Lu, L. July 4, 2019. Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi. Trend Micro.