
TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)
ID: G0127
Associated Groups: GOLD CABIN, Shathak
Version: 1.1
Created: 19 Mar 2021
Last Modified: 30 Sep 2021

Associated Group Descriptions

Name: GOLD CABIN. Description: (Citation: Secureworks GOLD CABIN)
Name: Shathak. Description: (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA551 has used HTTP for C2 communications. (Citation: Unit 42 Valak July 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TA551 has used cmd.exe to execute commands. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1132 .001 Data Encoding: Standard Encoding

TA551 has used encoded ASCII text for initial C2 communications. (Citation: Unit 42 Valak July 2020)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

TA551 has used a DGA to generate URLs from executed macros. (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

TA551 has hidden encoded data for malware DLLs in a PNG. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA551 has sent spearphishing attachments with password-protected ZIP files. (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

TA551 has used mshta.exe to execute malicious payloads. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

TA551 has used regsvr32.exe to load malicious DLLs. (Citation: Unit 42 Valak July 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

TA551 has used rundll32.exe to load malicious DLLs. (Citation: Unit 42 TA551 Jan 2021)

Enterprise T1204 .002 User Execution: Malicious File

TA551 has prompted users to enable macros within spearphishing attachments to install malware. (Citation: Unit 42 TA551 Jan 2021)

Software

ID Name References Techniques
S0386 Ursnif (Citation: Cybereason Valak May 2020) (Citation: Dreambot) (Citation: FireEye Ursnif Nov 2017) (Citation: Gozi-ISFB) (Citation: NJCCIC Ursnif Sept 2016) (Citation: PE_URSNIF) (Citation: ProofPoint Ursnif Aug 2016) (Citation: Secureworks GOLD CABIN) (Citation: TrendMicro Ursnif Mar 2015) (Citation: Unit 42 TA551 Jan 2021) (Citation: Unit 42 Valak July 2020) System Service Discovery, Registry Run Keys / Startup Folder, Ingress Tool Transfer, Obfuscated Files or Information, Multi-hop Proxy, Local Data Staging, Native API, Time Based Evasion, Custom Command and Control Protocol, Component Object Model, Credential API Hooking, Process Discovery, Exfiltration Over C2 Channel, Data Encoding, Thread Local Storage, Deobfuscate/Decode Files or Information, Match Legitimate Name or Location, Data from Local System, Screen Capture, Windows Service, PowerShell, Web Protocols, File Deletion, Query Registry, Modify Registry, Domain Generation Algorithms, Visual Basic, System Information Discovery, Proxy, Windows Management Instrumentation, Process Hollowing, Browser Session Hijacking, Taint Shared Content, Replication Through Removable Media, Hidden Window
S0483 IcedID (Citation: Cybereason Valak May 2020) (Citation: IBM IcedID November 2017) (Citation: Juniper IcedID June 2020) (Citation: Secureworks GOLD CABIN) (Citation: Unit 42 TA551 Jan 2021) (Citation: Unit 42 Valak July 2020) Msiexec, Permission Groups Discovery, Scheduled Task, Malicious File, Obfuscated Files or Information, Native API, Steganography, Domain Account, Windows Management Instrumentation, Visual Basic, Asynchronous Procedure Call, Ingress Tool Transfer, Spearphishing Attachment, Web Protocols, Browser Session Hijacking, Registry Run Keys / Startup Folder, Software Packing, System Information Discovery, Asymmetric Cryptography
S0476 Valak (Citation: Cybereason Valak May 2020) (Citation: Secureworks GOLD CABIN) (Citation: Unit 42 TA551 Jan 2021) (Citation: Unit 42 Valak July 2020) Modify Registry, Windows Credential Manager, Process Discovery, NTFS File Attributes, Obfuscated Files or Information, Regsvr32, Web Protocols, Multi-Stage Channels, Fallback Channels, Security Software Discovery, Malicious File, Screen Capture, System Owner/User Discovery, Dynamic Data Exchange, JavaScript, System Information Discovery, Spearphishing Attachment, Automated Collection, Ingress Tool Transfer, Exfiltration Over C2 Channel, Credentials in Registry, System Network Configuration Discovery, Remote Email Collection, Software Packing, Query Registry, Scheduled Task, Deobfuscate/Decode Files or Information, Standard Encoding, Domain Account, Local Account, PowerShell, Windows Management Instrumentation, Spearphishing Link
S0650 QakBot (Citation: ATT QakBot April 2021) (Citation: Kaspersky QakBot September 2021) (Citation: Pinkslipbot) (Citation: QBot) (Citation: QuackBot) (Citation: Red Canary Qbot) (Citation: Trend Micro Qakbot December 2020) Regsvr32, System Checks, Remote System Discovery, Data from Local System, External Proxy, PowerShell, Windows Command Shell, Security Software Discovery, Native API, Binary Padding, Domain Generation Algorithms, File and Directory Discovery, Registry Run Keys / Startup Folder, Masquerading, Network Share Discovery, Process Hollowing, JavaScript, Msiexec, Deobfuscate/Decode Files or Information, Local Email Collection, Malicious Link, System Time Discovery, Malicious File, Exfiltration Over C2 Channel, System Owner/User Discovery, Internet Connection Discovery, Symmetric Cryptography, Web Protocols, Code Signing, Obfuscated Files or Information, Exploitation of Remote Services, Process Discovery, Local Groups, System Network Configuration Discovery, Steal Web Session Cookie, Process Injection, Domain Trust Discovery, Local Data Staging, Brute Force, Browser Session Hijacking, Time Based Evasion, Ingress Tool Transfer, Peripheral Device Discovery, Non-Application Layer Protocol, Spearphishing Link, Indicator Removal from Tools, Modify Registry, Spearphishing Attachment, Keylogging, Replication Through Removable Media, Standard Encoding, Visual Basic, System Information Discovery, Windows Management Instrumentation, Application Window Discovery, Software Discovery, System Network Connections Discovery, Scheduled Task, Rundll32, Protocol Tunneling, Credentials from Web Browsers, Software Packing, Disable or Modify Tools, File Deletion
