1. Home
  2. Groups
  3. TA505

TA505

TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.[1][2][3]

ID: G0092
Associated Groups: Hive0065
Version: 1.3
Created: 28 May 2019
Last Modified: 01 December 2021

Associated Group Descriptions

Name Description
Hive0065

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[5]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA505 has used HTTP to communicate with C2 nodes.[4]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[1][6][7][8]
.003 Command and Scripting Interpreter: Windows Command Shell

TA505 has executed commands using cmd.exe.[5]
.005 Command and Scripting Interpreter: Visual Basic

TA505 has used VBS for code execution.[1][2][5][4]
.007 Command and Scripting Interpreter: JavaScript

TA505 has used JavaScript for code execution.[1][2]
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TA505 has used malware to gather credentials from Internet Explorer.[1]
Enterprise T1486 Data Encrypted for Impact

TA505 has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[1]
Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[5]
Enterprise T1105 Ingress Tool Transfer

TA505 has downloaded additional malware to execute on victim systems.[7][8][6]
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

TA505 has leveraged malicious Word documents that abused DDE.[2]
Enterprise T1027 Obfuscated Files or Information

TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.[1][7][8]
.002 Software Packing

TA505 has used UPX to obscure malicious code.[4]
Enterprise T1069 Permission Groups Discovery

TA505 has used TinyMet to enumerate members of privileged groups.[4] TA505 has also run net group /domain.[5]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[1][2][3][7][6][9][5][10][4]
.002 Phishing: Spearphishing Link

TA505 has sent spearphishing emails containing malicious links.[1][3][5][10]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

TA505 has been seen injecting a DLL into winword.exe.[4]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[7][8][5]
.005 Subvert Trust Controls: Mark-of-the-Web Bypass

TA505 has used .iso files to deploy malicious .lnk files.[11]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

TA505 has used msiexec to download and execute malicious Windows Installer files.[7][8][5]
.011 System Binary Proxy Execution: Rundll32

TA505 has leveraged rundll32.exe to execute malicious DLLs.[7][8]
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TA505 has used malware to gather credentials from FTP clients and Outlook.[1]
Enterprise T1204 .001 User Execution: Malicious Link

TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][7][6][9][5][10]
.002 User Execution: Malicious File

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][7][6][9][5][10][4]
Enterprise T1078 .002 Valid Accounts: Domain Accounts

TA505 has used stolen domain admin accounts to compromise additional hosts.[4]

Software

ID Name References Techniques
S0611 Clop [12][13] Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Software Packing, Process Discovery, Service Stop, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Msiexec, System Location Discovery: System Language Discovery, Virtualization/Sandbox Evasion: Time Based Evasion
S0384 Dridex [1][2][4] Application Layer Protocol: Web Protocols, Browser Session Hijacking, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Native API, Obfuscated Files or Information, Proxy: Multi-hop Proxy, Proxy, Remote Access Software, Software Discovery, System Information Discovery, User Execution: Malicious File
S0381 FlawedAmmyy [9][5][10] Application Layer Protocol: Web Protocols, Commonly Used Port, Data Obfuscation, Encrypted Channel: Symmetric Cryptography, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0383 FlawedGrace [3][5][10] Commonly Used Port, Obfuscated Files or Information
S0460 Get2 [10] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter, Process Discovery, Process Injection: Dynamic-link Library Injection, System Information Discovery, System Owner/User Discovery
S0039 Net [5] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0461 SDBbot [10][4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Application Shimming, Event Triggered Execution: Image File Execution Options Injection, File and Directory Discovery, Indicator Removal on Host, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Proxy, Remote Services: Remote Desktop Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture
S0382 ServHelper [3][7][8][5] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Encrypted Channel: Asymmetric Cryptography, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery
S0266 TrickBot [1][4] Account Discovery: Local Account, Account Discovery: Email Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force: Credential Stuffing, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Password Managers, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Fallback Channels, File and Directory Discovery, Firmware Corruption, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Permission Groups Discovery, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Pre-OS Boot: Bootkit, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy: External Proxy, Remote Access Software, Remote Services: VNC, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion

References

  1. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  2. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  3. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  4. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  5. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  6. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  7. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  1. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  2. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  3. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  4. Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021.
  5. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
  6. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.