
TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)
ID: G0127
Associated Groups: GOLD CABIN, Shathak
Version: 1.2
Created: 19 Mar 2021
Last Modified: 16 Apr 2025

Associated Group Descriptions

Name Description
GOLD CABIN (Citation: Secureworks GOLD CABIN)
Shathak (Citation: Unit 42 Valak July 2020)(Citation: Unit 42 TA551 Jan 2021)

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols
TA551 has used HTTP for C2 communications. (Citation: Unit 42 Valak July 2020)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell
TA551 has used cmd.exe to execute commands. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1132.001 Data Encoding: Standard Encoding
TA551 has used encoded ASCII text for initial C2 communications. (Citation: Unit 42 Valak July 2020)

Enterprise T1568.002 Dynamic Resolution: Domain Generation Algorithms
TA551 has used a DGA to generate URLs from executed macros. (Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)

Enterprise T1589.002 Gather Victim Identity Information: Email Addresses
TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1027.003 Obfuscated Files or Information: Steganography
TA551 has hidden encoded data for malware DLLs in a PNG. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation
TA551 has used obfuscated variable names in a JavaScript configuration file. (Citation: Unit 42 Valak July 2020)

Enterprise T1566.001 Phishing: Spearphishing Attachment
TA551 has sent spearphishing attachments with password protected ZIP files. (Citation: Unit 42 Valak July 2020)(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)

Enterprise T1218.005 System Binary Proxy Execution: Mshta
TA551 has used mshta.exe to execute malicious payloads. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32
TA551 has used regsvr32.exe to load malicious DLLs. (Citation: Unit 42 Valak July 2020)

Enterprise T1218.011 System Binary Proxy Execution: Rundll32
TA551 has used rundll32.exe to load malicious DLLs. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1204.002 User Execution: Malicious File
TA551 has prompted users to enable macros within spearphishing attachments to install malware. (Citation: Unit 42 TA551 Jan 2021)
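As an added defender-side example (not part of the ATT&CK entry or of any cited report), the following Python flags the execution chain the entries above describe: a macro-bearing Office document spawning cmd.exe, mshta.exe, regsvr32.exe or rundll32.exe, and those proxy binaries loading a payload from a user-writable path. The process-creation events, field names and path patterns are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in a Sysmon Event ID 1 style (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\main.theme"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\main.theme"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\index.hta"},
]

# Office hosts that run macros (T1204.002) and the proxy binaries listed for this group.
OFFICE_PARENT = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.I)
PROXY_BINS = {"cmd.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
DLL_LOADERS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}
# User-writable locations where a macro-dropped payload would typically be written (assumed).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\programdata\\|\\temp\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, reasons) for events matching the TA551-style chain."""
    hits: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        child = basename(ev["image"])
        if child not in PROXY_BINS:
            continue
        reasons: List[str] = []
        if OFFICE_PARENT.search(ev["parent"]):
            reasons.append("Office parent spawning %s (T1204.002 -> T1059.003/T1218)" % child)
        if child in DLL_LOADERS and USER_WRITABLE.search(ev["cmdline"]):
            reasons.append("%s loading payload from user-writable path (T1218)" % child)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in triage(EVENTS):
        print(idx, EVENTS[idx]["cmdline"], "|", "; ".join(why))
```

The benign rundll32.exe event (shell32.dll under System32 with an explorer.exe parent) is not flagged, which is the false-positive case a rule on these binaries most needs to handle.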

Software

ID Name References Techniques

S0633 Sliver
References: (Citation: Bishop Fox Sliver Framework August 2019) (Citation: Cybereason Sliver Undated)
Techniques: Screen Capture, Standard Encoding, Encrypted/Encoded File, Bypass User Account Control, DNS, Symmetric Cryptography, Application Layer Protocol, Process Injection, LSASS Memory, System Network Configuration Discovery, Golden Ticket, File and Directory Discovery, System Network Connections Discovery, Exfiltration Over C2 Channel, PowerShell, Obfuscated Files or Information, Asymmetric Cryptography, Compile After Delivery, Access Token Manipulation, Web Protocols, Ingress Tool Transfer, Steganography, Internal Proxy

S0386 Ursnif
References: (Citation: Cybereason Valak May 2020) (Citation: Dreambot) (Citation: FireEye Ursnif Nov 2017) (Citation: Gozi-ISFB) (Citation: NJCCIC Ursnif Sept 2016) (Citation: PE_URSNIF) (Citation: ProofPoint Ursnif Aug 2016) (Citation: Secureworks GOLD CABIN) (Citation: TrendMicro Ursnif Mar 2015) (Citation: Unit 42 TA551 Jan 2021) (Citation: Unit 42 Valak July 2020)
Techniques: Windows Management Instrumentation, Screen Capture, Encrypted/Encoded File, Domain Generation Algorithms, Local Data Staging, Match Legitimate Resource Name or Location, Taint Shared Content, Windows Service, Component Object Model, System Service Discovery, System Information Discovery, Native API, Replication Through Removable Media, Data from Local System, Deobfuscate/Decode Files or Information, Time Based Evasion, Browser Session Hijacking, Modify Registry, Proxy, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Multi-hop Proxy, Process Hollowing, Query Registry, Hidden Window, Data Encoding, Command Obfuscation, File Deletion, Web Protocols, Visual Basic, Thread Local Storage, Ingress Tool Transfer, Credential API Hooking, Custom Command and Control Protocol

S0483 IcedID
References: (Citation: Cybereason Valak May 2020) (Citation: IBM IcedID November 2017) (Citation: Juniper IcedID June 2020) (Citation: Secureworks GOLD CABIN) (Citation: Unit 42 TA551 Jan 2021) (Citation: Unit 42 Valak July 2020)
Techniques: Scheduled Task, Windows Management Instrumentation, Rundll32, Embedded Payloads, Encrypted/Encoded File, Permission Groups Discovery, Match Legitimate Resource Name or Location, Domain Account, Malicious File, Spearphishing Attachment, Network Share Discovery, System Information Discovery, Msiexec, Native API, Browser Session Hijacking, System Network Configuration Discovery, Domain Trust Discovery, Asynchronous Procedure Call, Virtualization/Sandbox Evasion, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Registry Run Keys / Startup Folder, Process Hollowing, Asymmetric Cryptography, System Language Discovery, Steganography, Security Software Discovery, Drive-by Compromise, Software Packing, Web Protocols, Visual Basic, Ingress Tool Transfer

S0476 Valak
References: (Citation: Cybereason Valak May 2020) (Citation: Secureworks GOLD CABIN) (Citation: Unit 42 TA551 Jan 2021) (Citation: Unit 42 Valak July 2020)
Techniques: Scheduled Task, Windows Management Instrumentation, Screen Capture, Fileless Storage, System Owner/User Discovery, Standard Encoding, JavaScript, Domain Account, Dynamic Data Exchange, Malicious File, Local Account, Spearphishing Link, Spearphishing Attachment, Automated Collection, Credentials in Registry, System Information Discovery, Deobfuscate/Decode Files or Information, Modify Registry, System Network Configuration Discovery, Multi-Stage Channels, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Obfuscated Files or Information, Remote Email Collection, Regsvr32, Query Registry, Security Software Discovery, Windows Credential Manager, Software Packing, Web Protocols, Ingress Tool Transfer, Fallback Channels, NTFS File Attributes

S0650 QakBot
References: (Citation: ATT QakBot April 2021) (Citation: Kaspersky QakBot September 2021) (Citation: Pinkslipbot) (Citation: QBot) (Citation: QuackBot) (Citation: Red Canary Qbot) (Citation: Trend Micro Qakbot December 2020)
Techniques: Scheduled Task, Windows Management Instrumentation, Fileless Storage, System Owner/User Discovery, Rundll32, Standard Encoding, Keylogging, JavaScript, Steal Web Session Cookie, Domain Generation Algorithms, Internet Connection Discovery, Local Data Staging, Local Email Collection, Masquerade File Type, Malicious File, Symmetric Cryptography, Windows Service, System Checks, Spearphishing Link, Spearphishing Attachment, DLL, Code Signing, Network Share Discovery, Peripheral Device Discovery, System Information Discovery, Msiexec, Native API, Replication Through Removable Media, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Application Window Discovery, Time Based Evasion, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Credentials from Web Browsers, Binary Padding, External Proxy, System Network Configuration Discovery, Domain Trust Discovery, File and Directory Discovery, System Network Connections Discovery, Mark-of-the-Web Bypass, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Local Groups, Brute Force, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Obfuscated Files or Information, Regsvr32, Non-Application Layer Protocol, Security Software Discovery, Windows Command Shell, HTML Smuggling, Command Obfuscation, File Deletion, Software Packing, Web Protocols, Visual Basic, Remote System Discovery, Software Discovery, Ingress Tool Transfer, Hidden Files and Directories, Malicious Link, System Time Discovery
