General description
The activity of the TA505 group was first discovered and described in 2014, but the group itself is believed to have been active since 2006. Its victims include companies from various sectors around the world. The group employs a wide range of tools, designed to handle any task, and phishing is its main means of penetrating an infrastructure. It finds its victims all over the world, avoiding the CIS. According to researchers, the group is presumed to be Russian-speaking. TA505 follows the latest trends, using the COVID-19 theme and the ZeroLogon vulnerability in its attacks.
Group's objectives
Cash theft
Tools
- Banking Trojans
  - Dridex
  - Shifu
  - Trickbot
  - Zeus
- RAT
  - FlawedAmmyy
  - FlawedGrace
  - SDBbot
  - BackNet
  - RMS
- Botnets
  - Neutrino
  - Amadey
  - GameOver Zeus
- Backdoor
  - ServHelper
  - FlowerPippi
- Ransomware
  - Locky
  - Jaff
  - GlobeImposter
  - Rapid
  - Clop/CryptoMix
  - MINERBRIDE
  - Bart
  - DoppelPaymer
  - Philadelphia
  - Snatch
- Web-shells
  - DEWMODE
- Stealers
  - GraceWire
  - Kegotip
  - EmailStealer
  - Pony
- Frameworks
  - Metasploit
  - Cobalt Strike
- Loaders
  - AndroMut
  - Rockloader
  - Gelup
  - Get2
  - Quant
  - Marap
- Stagers
  - TinyMet
Target sectors
- The finance sector
- The energy sector
- Pharmaceuticals
- Aerospace industry
- State sector
- Research companies
Target countries
- USA
- United Kingdom
- Canada
- South Korea
- China
- France
- Germany
- Hungary
- India
- Italy
- Mexico
- Pakistan
- Malawi
- Taiwan
- Ukraine
Alternative group names
- EvilCorp
- ATK 103
- SectorJ04
- Hive0065
- GRACEFUL SPIDER
- GOLD TAHOE
- Dudear
- CHIMBORAZO
Reports by Positive Technologies and other researchers
- https://www.ptsecurity.com/ru-ru/about/news/ta505-stanovitsya-samoy-opasnoy-kiberprestupnoy-gruppirovkoy-v-mire/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part1/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part2/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part3/
- https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part4/
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
- https://www.proofpoint.com/us/blog/threat-insight/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack
- https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
- https://www.cyberscoop.com/ta505-south-korea-bank-phishing/
- https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/
- https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/
- https://www.avira.com/en/blog/ta505-apt-group-targets-americas
- https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md
- https://www.trendmicro.com/en_us/research/19/h/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy.html
- https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf
- https://yoroi.company/research/ta505-is-expanding-its-operations/
- https://yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
- https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
- https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
- https://apt.thaicert.or.th/cgi-bin/showcard.cgi?u=0ac7cc26-cb85-42f7-a2c1-41762b2e2541
MITRE ATT&CK techniques used by the group