General description
The activity of the TA505 group was first discovered and described in 2014, but the group itself is believed to have been operating since 2006. Its victims include companies from various sectors around the world. The group employs a wide range of tools designed for any task. Phishing is its main means of penetrating an infrastructure. It finds its victims all over the world while avoiding the CIS. Researchers presume the group to be Russian-speaking. TA505 follows the latest trends, using COVID-19-themed lures and the ZeroLogon vulnerability in its attacks.
Group's objectives
Cash theft
Tools
- Banking Trojans
  - Dridex
  - Shifu
  - Trickbot
  - Zeus
- RAT
  - FlawedAmmyy
  - FlawedGrace
  - SDBbot
  - BackNet
  - RMS
- Botnets
  - Neutrino
  - Amadey
  - GameOver Zeus
- Backdoor
  - ServHelper
  - FlowerPippi
- Ransomware
  - Locky
  - Jaff
  - GlobeImposter
  - Rapid
  - Clop/CryptoMix
  - MINERBRIDE
  - Bart
  - DoppelPaymer
  - Philadelphia
  - Snatch
- Web-shells
  - DEWMODE
- Stealers
  - GraceWire
  - Kegotip
  - EmailStealer
  - Pony
- Frameworks
  - Metasploit
  - Cobalt Strike
- Loaders
  - AndroMut
  - Rockloader
  - Gelup
  - Get2
  - Quant
  - Marap
- Stagers
  - TinyMet
Target sectors
- The finance sector
- The energy sector
- Pharmaceuticals
- Aerospace industry
- Government sector
- Research companies
Target countries
- USA
- United Kingdom
- Canada
- South Korea
- China
- France
- Germany
- Hungary
- India
- Italy
- Mexico
- Pakistan
- Malawi
- Taiwan
- Ukraine
Alternative group names
- EvilCorp
- ATK 103
- SectorJ04
- Hive0065
- GRACEFUL SPIDER
- GOLD TAHOE
- Dudear
- CHIMBORAZO
Reports by Positive Technologies and other researchers
- https://www.ptsecurity.com/ru-ru/about/news/ta505-stanovitsya-samoy-opasnoy-kiberprestupnoy-gruppirovkoy-v-mire/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part1/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part2/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part3/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part4/
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
- https://www.proofpoint.com/us/blog/threat-insight/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack
- https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
- https://www.cyberscoop.com/ta505-south-korea-bank-phishing/
- https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/
- https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/
- https://www.avira.com/en/blog/ta505-apt-group-targets-americas
- https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md
- https://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html
- https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf
- https://yoroi.company/research/ta505-is-expanding-its-operations/
- https://yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
- https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
- https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
- https://apt.thaicert.or.th/cgi-bin/showcard.cgi?u=0ac7cc26-cb85-42f7-a2c1-41762b2e2541
MITRE ATT&CK techniques used by the group
Technique ID | Technique name | Description
---|---|---
Initial Access | |
T1566.001 | Spearphishing Attachment | TA505 sent phishing emails with malicious attachments to gain initial access to victims.
T1566.002 | Spearphishing Link | TA505 sent phishing emails with malicious links to gain initial access to victims.
T1190 | Exploit Public-Facing Application | TA505 exploited the ZeroLogon vulnerability.
Execution | |
T1559.002 | Dynamic Data Exchange | TA505 used malicious Word documents that abused DDE.
T1059.001 | PowerShell | TA505 used PowerShell to download and execute malware and reconnaissance scripts.
T1059.005 | Visual Basic | TA505 used VBScript for code execution.
T1059.007 | JavaScript/JScript | TA505 used JavaScript for code execution.
T1059.003 | Windows Command Shell | TA505 executed commands using cmd.exe.
T1204.001 | Malicious Link | TA505 persuaded users to follow links in emails and attachments.
T1204.002 | Malicious File | TA505 persuaded users to enable the display of attachment content and thereby executed malicious files. For example, the group disguised its programs as legitimate MS Office, .pdf, or .lnk files.
T1047 | Windows Management Instrumentation | TA505's ServHelper backdoor sent reconnaissance queries via WMI.
Persistence | |
T1574.002 | DLL Side-Loading | TA505 used legitimate software vulnerable to DLL side-loading to execute malicious code.
T1053.005 | Scheduled Task | TA505's Gelup loader gained a foothold on the system by creating scheduled tasks with schtasks.exe.
T1547.001 | Registry Run Keys / Startup Folder | TA505 used registry Run keys to persist on the system.
Privilege Escalation | |
T1546.011 | Application Shimming | TA505 used the application shimming mechanism in SDBbot to persist on the system.
T1548.002 | Bypass User Account Control | TA505 bypassed UAC with the help of the task scheduler and by loading a malicious library into legitimate applications that run with the required privileges.
Defense Evasion | |
T1027 | Obfuscated Files or Information | TA505 used password-protected malicious Word documents and base64-encoded PowerShell scripts.
T1218.007 | Msiexec | TA505 used msiexec to download and execute malware.
T1218.011 | Rundll32 | TA505 used rundll32.exe to execute malicious libraries.
T1553.002 | Code Signing | TA505 signed its malware with certificates issued by Thawte and Sectigo.
T1078.002 | Domain Accounts | TA505 used stolen domain administrator accounts to compromise other hosts.
T1027.002 | Software Packing | TA505 packed malicious code with UPX.
T1055.001 | Dynamic-link Library Injection | TA505 injected its code by loading a malicious library into winword.exe.
T1497 | Virtualization/Sandbox Evasion | TA505 used tools that evade automated analysis, for example by requiring a double-click on an OLE object in an Office document before the payload runs, which can complicate sandbox analysis.
T1211 | Exploitation for Defense Evasion | TA505 bypassed UAC using the sysprep.exe system utility.
T1564.003 | Hidden Window | TA505's ServHelper backdoor hid the TeamViewer window to obtain covert remote access.
Credential Access | |
T1552.001 | Credentials In Files | TA505 used malware to collect user credentials from FTP and Outlook clients.
T1555.003 | Credentials from Web Browsers | TA505 used malware to collect credentials from Internet Explorer.
Discovery | |
T1087.003 | Email Account | TA505 used EmailStealer to collect lists of email addresses and send them to a remote server.
T1069 | Permission Groups Discovery | TA505 used TinyMet to obtain a list of privileged users. The group also ran the net group /domain command.
Collection | |
T1056 | Input Capture | TA505's ServHelper backdoor worked as a keylogger.
Command And Control | |
T1105 | Ingress Tool Transfer | TA505 downloaded additional malware from its C2 servers to run on victims' systems.
T1568.001 | Fast Flux DNS | TA505 used Fast Flux DNS to conceal its botnet infrastructure, serving payloads from changing IP addresses.
T1071.001 | Web Protocols | TA505 used HTTP to interact with C2 servers.
Impact | |
T1486 | Data Encrypted for Impact | TA505 used a wide spectrum of ransomware, such as Locky, Jaff, GlobeImposter, Rapid, Clop/CryptoMix, MINERBRIDE, Bart, and DoppelPaymer, to encrypt victims' files and demand ransom.