
TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)
ID: G0092
Associated Groups: Hive0065
Version: 2.0
Created: 28 May 2019
Last Modified: 13 Oct 2022

Associated Group Descriptions

Name: Hive0065
Description: (Citation: IBM TA505 April 2020)

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation: Trend Micro TA505 June 2019)

Enterprise T1583 .001 Acquire Infrastructure: Domains

TA505 has registered domains to impersonate services such as Dropbox to distribute malware.(Citation: Korean FSI TA505 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA505 has used HTTP to communicate with C2 nodes.(Citation: IBM TA505 April 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.(Citation: Proofpoint TA505 Sep 2017)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TA505 has executed commands using cmd.exe.(Citation: Trend Micro TA505 June 2019)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

TA505 has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Trend Micro TA505 June 2019)(Citation: IBM TA505 April 2020)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

TA505 has used JavaScript for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TA505 has used malware to gather credentials from Internet Explorer.(Citation: Proofpoint TA505 Sep 2017)

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.(Citation: Trend Micro TA505 June 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TA505 has used malware to disable Windows Defender.(Citation: Korean FSI TA505 2020)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

TA505 has leveraged malicious Word documents that abused DDE.(Citation: Proofpoint TA505 June 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TA505 has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020)

Enterprise T1588 .001 Obtain Capabilities: Malware

TA505 has used malware such as Azorult and Cobalt Strike in their operations.(Citation: NCC Group TA505)

Enterprise T1588 .002 Obtain Capabilities: Tool

TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.(Citation: NCC Group TA505)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

Enterprise T1566 .002 Phishing: Spearphishing Link

TA505 has sent spearphishing emails containing malicious links.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 Jan 2019)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

TA505 has been seen injecting a DLL into winword.exe.(Citation: IBM TA505 April 2020)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TA505 has staged malware on actor-controlled domains.(Citation: Korean FSI TA505 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)

Enterprise T1553 .005 Subvert Trust Controls: Mark-of-the-Web Bypass

TA505 has used .iso files to deploy malicious .lnk files.(Citation: TrendMicro TA505 Aug 2019)

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

TA505 has used msiexec to download and execute malicious Windows Installer files.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

TA505 has leveraged rundll32.exe to execute malicious DLLs.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TA505 has used malware to gather credentials from FTP clients and Outlook.(Citation: Proofpoint TA505 Sep 2017)

Enterprise T1204 .001 User Execution: Malicious Link

TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)

Enterprise T1204 .002 User Execution: Malicious File

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

TA505 has used stolen domain admin accounts to compromise additional hosts.(Citation: IBM TA505 April 2020)

Software

ID Name References Techniques
S0266 TrickBot (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TA505 April 2020) (Citation: IBM TrickBot Nov 2016) (Citation: Microsoft Totbrick Oct 2017) (Citation: Proofpoint TA505 Sep 2017) (Citation: S2 Grupo TrickBot June 2017) (Citation: Totbrick) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019) (Citation: TSPY_TRICKLOAD) System Information Discovery, System Owner/User Discovery, Component Object Model, Scheduled Task, Uncommonly Used Port, Bootkit, Browser Session Hijacking, Native API, PowerShell, Exfiltration Over C2 Channel, Fallback Channels, VNC, Obfuscated Files or Information, Windows Service, Software Packing, Credentials In Files, Malicious File, Symmetric Cryptography, Local Account, Network Share Discovery, Standard Encoding, Spearphishing Link, Data from Local System, Disable or Modify Tools, Permission Groups Discovery, Credentials in Registry, Process Discovery, Email Account, Time Based Evasion, Remote Access Software, Windows Command Shell, Masquerading, Firmware Corruption, Deobfuscate/Decode Files or Information, Remote System Discovery, Non-Standard Port, Password Managers, Modify Registry, Code Signing, Credential Stuffing, File and Directory Discovery, Credential API Hooking, System Service Discovery, Ingress Tool Transfer, Process Injection, Commonly Used Port, External Proxy, Process Hollowing, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Web Protocols, Credentials from Web Browsers, Domain Trust Discovery, System Network Configuration Discovery, Spearphishing Attachment
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: Trend Micro TA505 June 2019) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Groups, SMB/Windows Admin Shares
S1025 Amadey (Citation: BlackBerry Amadey 2020) (Citation: Korean FSI TA505 2020) File and Directory Discovery, Obfuscated Files or Information, Fast Flux DNS, Security Software Discovery, Native API, Data from Local System, Exfiltration Over C2 Channel, Mark-of-the-Web Bypass, Ingress Tool Transfer, System Information Discovery, Modify Registry, Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, System Owner/User Discovery, System Location Discovery, Web Protocols, System Network Configuration Discovery
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) (Citation: NCC Group TA505) Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S0460 Get2 (Citation: Proofpoint TA505 October 2019) Dynamic-link Library Injection, Process Discovery, System Information Discovery, Command and Scripting Interpreter, System Owner/User Discovery, Web Protocols
S0194 PowerSploit (Citation: GitHub PowerSploit May 2012) (Citation: NCC Group TA505) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Obfuscated Files or Information, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0383 FlawedGrace (Citation: Proofpoint TA505 Jan 2019) (Citation: Proofpoint TA505 October 2019) (Citation: Trend Micro TA505 June 2019) Commonly Used Port, Obfuscated Files or Information, Custom Command and Control Protocol
S0381 FlawedAmmyy (Citation: Proofpoint TA505 Mar 2018) (Citation: Proofpoint TA505 October 2019) (Citation: Trend Micro TA505 June 2019) Windows Command Shell, System Information Discovery, Keylogging, Commonly Used Port, System Owner/User Discovery, Windows Management Instrumentation, Registry Run Keys / Startup Folder, PowerShell, Security Software Discovery, Rundll32, Peripheral Device Discovery, Web Protocols, Exfiltration Over C2 Channel, Screen Capture, Ingress Tool Transfer, Input Capture, Symmetric Cryptography, Data from Local System, Clipboard Data, Data Obfuscation, Msiexec, File Deletion, Local Groups
S0461 SDBbot (Citation: IBM TA505 April 2020) (Citation: Proofpoint TA505 October 2019) File and Directory Discovery, Indicator Removal, Deobfuscate/Decode Files or Information, Proxy, Application Shimming, Dynamic-link Library Injection, Rundll32, Software Packing, System Location Discovery, Registry Run Keys / Startup Folder, Data from Local System, Remote Desktop Protocol, Ingress Tool Transfer, System Information Discovery, Video Capture, Image File Execution Options Injection, System Network Configuration Discovery, System Owner/User Discovery, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Process Discovery, Windows Command Shell, Obfuscated Files or Information, File Deletion
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: NCC Group TA505) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information
S0382 ServHelper (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) (Citation: Proofpoint TA505 Jan 2019) (Citation: Trend Micro TA505 June 2019) Windows Command Shell, Asymmetric Cryptography, Web Protocols, Ingress Tool Transfer, Local Account, System Information Discovery, Remote Desktop Protocol, Registry Run Keys / Startup Folder, Commonly Used Port, PowerShell, System Owner/User Discovery, Rundll32, File Deletion, Scheduled Task
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: NCC Group TA505) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0611 Clop (Citation: Cybereason Clop Dec 2020) (Citation: Mcafee Clop Aug 2019) (Citation: Unit42 Clop April 2021) Security Software Discovery, Service Stop, Deobfuscate/Decode Files or Information, Native API, Time Based Evasion, Disable or Modify Tools, Software Packing, System Language Discovery, File and Directory Discovery, Process Discovery, Windows Command Shell, Code Signing, Modify Registry, Network Share Discovery, Inhibit System Recovery, Data Encrypted for Impact, Msiexec
S0384 Dridex (Citation: Bugat v5) (Citation: Checkpoint Dridex Jan 2021) (Citation: Dell Dridex Oct 2015) (Citation: IBM TA505 April 2020) (Citation: Kaspersky Dridex May 2017) (Citation: Proofpoint TA505 June 2018) (Citation: Proofpoint TA505 Sep 2017) (Citation: Treasury EvilCorp Dec 2019) Symmetric Cryptography, Remote Access Software, Native API, Browser Session Hijacking, Software Discovery, Web Protocols, Asymmetric Cryptography, Obfuscated Files or Information, Proxy, System Information Discovery, Multi-hop Proxy, Malicious File
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: NCC Group TA505) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0344 Azorult (Citation: NCC Group TA505) (Citation: Proofpoint Azorult July 2018) (Citation: Unit42 Azorult Nov 2018) Create Process with Token, File Deletion, Symmetric Cryptography, System Owner/User Discovery, Process Hollowing, Query Registry, Deobfuscate/Decode Files or Information, Credentials In Files, Credentials from Web Browsers, Ingress Tool Transfer, System Time Discovery, System Network Configuration Discovery, File and Directory Discovery, System Information Discovery, Screen Capture, Process Discovery

References

  1. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  2. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  3. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  4. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  5. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  6. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  7. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  8. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  9. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  10. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  11. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  12. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  13. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  14. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
  15. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  16. Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021.
