TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[1][2][3][4][5]

ID: G0092
Associated Groups: Hive0065, Spandex Tempest, CHIMBORAZO
Version: 3.0
Created: 28 May 2019
Last Modified: 10 April 2024

Associated Group Descriptions

Name             Description
Hive0065         [6]
Spandex Tempest  [7]
CHIMBORAZO       [7]

Techniques Used

Domain ID Name Use
Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

TA505 has used malware to gather credentials from Internet Explorer.[1]

Enterprise T1112 Modify Registry

TA505 has used malware to disable Windows Defender through modification of the Registry.[5]

Enterprise T1568.001 Dynamic Resolution: Fast Flux DNS

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[8]

Enterprise T1140 Deobfuscate/Decode Files or Information

TA505 has decrypted packed DLLs with an XOR key.[4]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[1][9][10][11]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

TA505 has executed commands using cmd.exe.[8]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

TA505 has used VBS for code execution.[1][2][8][6]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

TA505 has used JavaScript for code execution.[1][2]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

TA505 has used malware to disable Windows Defender.[5]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

TA505 has used HTTP to communicate with C2 nodes.[6]

Enterprise T1486 Data Encrypted for Impact

TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[1]

Enterprise T1608.001 Stage Capabilities: Upload Malware

TA505 has staged malware on actor-controlled domains.[5]

Enterprise T1078.002 Valid Accounts: Domain Accounts

TA505 has used stolen domain admin accounts to compromise additional hosts.[6]

Enterprise T1552.001 Unsecured Credentials: Credentials In Files

TA505 has used malware to gather credentials from FTP clients and Outlook.[1]

Enterprise T1106 Native API

TA505 has deployed payloads that use Windows API calls on a compromised host.[5]

Enterprise T1069 Permission Groups Discovery

TA505 has used TinyMet to enumerate members of privileged groups.[6] TA505 has also run net group /domain.[8]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

TA505 has used UPX to obscure malicious code.[6]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

TA505 has used base64 encoded PowerShell commands.[10][11]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

TA505 has password-protected malicious Word documents.[1]

Enterprise T1204.001 User Execution: Malicious Link

TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[1][2][3][10][9][12][8][13]

Enterprise T1204.002 User Execution: Malicious File

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[1][2][3][10][9][12][8][13][6]

Enterprise T1218.007 System Binary Proxy Execution: Msiexec

TA505 has used msiexec to download and execute malicious Windows Installer files.[10][11][8]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

TA505 has leveraged rundll32.exe to execute malicious DLLs.[10][11]

Enterprise T1583.001 Acquire Infrastructure: Domains

TA505 has registered domains to impersonate services such as Dropbox to distribute malware.[5]

Enterprise T1588.001 Obtain Capabilities: Malware

TA505 has used malware such as Azorult and Cobalt Strike in their operations.[4]

Enterprise T1588.002 Obtain Capabilities: Tool

TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.[4]

Enterprise T1087.003 Account Discovery: Email Account

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[8]

Enterprise T1105 Ingress Tool Transfer

TA505 has downloaded additional malware to execute on victim systems.[10][11][9]

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

TA505 has been seen injecting a DLL into winword.exe.[6]

Enterprise T1559.002 Inter-Process Communication: Dynamic Data Exchange

TA505 has leveraged malicious Word documents that abused DDE.[2]

Enterprise T1566.001 Phishing: Spearphishing Attachment

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[1][2][3][10][9][12][8][13][6]

Enterprise T1566.002 Phishing: Spearphishing Link

TA505 has sent spearphishing emails containing malicious links.[1][3][8][13]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[10][11][8]

Enterprise T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass

TA505 has used .iso files to deploy malicious .lnk files.[14]

Software

ID Name References Techniques
S0552 AdFind [4] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Network Configuration Discovery, Account Discovery: Domain Account, Remote System Discovery
S1025 Amadey [5][15] Data from Local System, Modify Registry, Dynamic Resolution: Fast Flux DNS, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Obfuscated Files or Information, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel, Subvert Trust Controls: Mark-of-the-Web Bypass
S0344 Azorult [4] Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Screen Capture, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Query Registry, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Access Token Manipulation: Create Process with Token, Ingress Tool Transfer, Process Discovery, Process Injection: Process Hollowing
S0521 BloodHound [4] Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Password Policy Discovery, Archive Collected Data, Native API, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, System Owner/User Discovery, Group Policy Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Remote System Discovery
S0611 Clop [16][17] Modify Registry, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Data Encrypted for Impact, File and Directory Discovery, Service Stop, Native API, Obfuscated Files or Information: Software Packing, System Binary Proxy Execution: Msiexec, System Location Discovery: System Language Discovery, Inhibit System Recovery, Network Share Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Software Discovery: Security Software Discovery, Process Discovery, Subvert Trust Controls: Code Signing
S0154 Cobalt Strike [4] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0384 Dridex [1][2][6] Proxy, Proxy: Multi-hop Proxy, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Application Layer Protocol: Web Protocols, Native API, Browser Session Hijacking, Obfuscated Files or Information, User Execution: Malicious File, System Binary Proxy Execution: Regsvr32, System Information Discovery, Software Discovery, Remote Access Software, Scheduled Task/Job: Scheduled Task
S0381 FlawedAmmyy [12][8][13] Windows Management Instrumentation, Data from Local System, Clipboard Data, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, Data Obfuscation, Permission Groups Discovery: Local Groups, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture, Exfiltration Over C2 Channel
S0383 FlawedGrace [3][8][13] Obfuscated Files or Information: Encrypted/Encoded File
S0460 Get2 [13] Command and Scripting Interpreter, Application Layer Protocol: Web Protocols, System Information Discovery, System Owner/User Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection
S0002 Mimikatz [4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [8] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0194 PowerSploit [4] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0461 SDBbot [13][6] Event Triggered Execution: Application Shimming, Event Triggered Execution: Image File Execution Options Injection, Data from Local System, Proxy, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Indicator Removal, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Exfiltration Over C2 Channel, Non-Application Layer Protocol
S0382 ServHelper [3][10][11][8] Masquerading: Masquerade Account Name, Create Account: Local Account, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, Account Manipulation: Additional Local or Domain Groups, Ingress Tool Transfer, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task
S0266 TrickBot [1][6] Credentials from Password Stores: Password Managers, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Proxy: External Proxy, Masquerading, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Firmware Corruption, Domain Trust Discovery, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Brute Force: Credential Stuffing, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, Native API, Permission Groups Discovery, Browser Session Hijacking, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Network Configuration Discovery, Network Share Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Account Discovery: Local Account, Account Discovery: Email Account, Ingress Tool Transfer, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Process Injection: Process Hollowing, Inter-Process Communication: Component Object Model, Remote Services: VNC, Exploitation of Remote Services, Remote System Discovery, Remote Access Software, Exfiltration Over C2 Channel, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Window, Non-Standard Port, Scheduled Task/Job: Scheduled Task, Pre-OS Boot: Bootkit, Subvert Trust Controls: Code Signing

References