TA505
Associated Group Descriptions |
|
Name | Description |
---|---|
Hive0065 | (Citation: IBM TA505 April 2020) |
Spandex Tempest | (Citation: Microsoft Threat Actor Naming July 2023) |
CHIMBORAZO | (Citation: Microsoft Threat Actor Naming July 2023) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .003 | Account Discovery: Email Account |
TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation: Trend Micro TA505 June 2019) |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
TA505 has registered domains to impersonate services such as Dropbox to distribute malware.(Citation: Korean FSI TA505 2020) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
TA505 has used HTTP to communicate with C2 nodes.(Citation: IBM TA505 April 2020) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
TA505 has used PowerShell to download and execute malware and reconnaissance scripts.(Citation: Proofpoint TA505 Sep 2017)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
TA505 has executed commands using |
||
.005 | Command and Scripting Interpreter: Visual Basic |
TA505 has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Trend Micro TA505 June 2019)(Citation: IBM TA505 April 2020) |
||
.007 | Command and Scripting Interpreter: JavaScript |
TA505 has used JavaScript for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018) |
||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
TA505 has used malware to gather credentials from Internet Explorer.(Citation: Proofpoint TA505 Sep 2017) |
Enterprise | T1568 | .001 | Dynamic Resolution: Fast Flux DNS |
TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.(Citation: Trend Micro TA505 June 2019) |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
TA505 has used malware to disable Windows Defender.(Citation: Korean FSI TA505 2020) |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
TA505 has leveraged malicious Word documents that abused DDE.(Citation: Proofpoint TA505 June 2018) |
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
TA505 has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020) |
.010 | Obfuscated Files or Information: Command Obfuscation |
TA505 has used base64 encoded PowerShell commands.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019) |
||
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
TA505 has password-protected malicious Word documents.(Citation: Proofpoint TA505 Sep 2017) |
||
Enterprise | T1588 | .001 | Obtain Capabilities: Malware |
TA505 has used malware such as Azorult and Cobalt Strike in their operations.(Citation: NCC Group TA505) |
.002 | Obtain Capabilities: Tool |
TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.(Citation: NCC Group TA505) |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
TA505 has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020) |
.002 | Phishing: Spearphishing Link |
TA505 has sent spearphishing emails containing malicious links.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 Jan 2019)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019) |
||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
TA505 has been seen injecting a DLL into winword.exe.(Citation: IBM TA505 April 2020) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
TA505 has staged malware on actor-controlled domains.(Citation: Korean FSI TA505 2020) |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
TA505 has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019) |
.005 | Subvert Trust Controls: Mark-of-the-Web Bypass |
TA505 has used .iso files to deploy malicious .lnk files.(Citation: TrendMicro TA505 Aug 2019) |
||
Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
TA505 has used |
.011 | System Binary Proxy Execution: Rundll32 |
TA505 has leveraged |
||
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
TA505 has used malware to gather credentials from FTP clients and Outlook.(Citation: Proofpoint TA505 Sep 2017) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019) |
.002 | User Execution: Malicious File |
TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020) |
||
Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
TA505 has used stolen domain admin accounts to compromise additional hosts.(Citation: IBM TA505 April 2020) |
References
- Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
- Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
- Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
- Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021.
- Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
- Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024..
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
- Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.