TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [2]

ID: G0127
Associated Groups: GOLD CABIN, Shathak
Contributors: Shuhei Sasada, Cyber Defense Institute, Inc; Ryo Tamura, SecureBrain Corporation; Shotaro Hamamoto, NEC Solution Innovators, Ltd; Yusuke Niwa, ITOCHU Corporation; Takuma Matsumoto, LAC Co., Ltd
Version: 1.2
Created: 19 March 2021
Last Modified: 22 March 2023

Associated Group Descriptions

Name Description
GOLD CABIN [1]
Shathak [3][2]

Techniques Used

Domain ID Name Use
Enterprise T1036 Masquerading

TA551 has masked malware DLLs as .dat and .jpg files.[2]

Enterprise T1568.002 Dynamic Resolution: Domain Generation Algorithms

TA551 has used a DGA to generate URLs from executed macros.[2][1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

TA551 has used cmd.exe to execute commands.[2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

TA551 has used HTTP for C2 communications.[3]

Enterprise T1589.002 Gather Victim Identity Information: Email Addresses

TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.[2]

Enterprise T1132.001 Data Encoding: Standard Encoding

TA551 has used encoded ASCII text for initial C2 communications.[3]

Enterprise T1027.003 Obfuscated Files or Information: Steganography

TA551 has hidden encoded data for malware DLLs in a PNG.[2]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

TA551 has used obfuscated variable names in a JavaScript configuration file.[3]

Enterprise T1204.002 User Execution: Malicious File

TA551 has prompted users to enable macros within spearphishing attachments to install malware.[2]

Enterprise T1218.005 System Binary Proxy Execution: Mshta

TA551 has used mshta.exe to execute malicious payloads.[2]

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32

TA551 has used regsvr32.exe to load malicious DLLs.[3]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

TA551 has used rundll32.exe to load malicious DLLs.[2]

Enterprise T1105 Ingress Tool Transfer

TA551 has retrieved DLLs and installer binaries for malware execution from C2.[2]

Enterprise T1566.001 Phishing: Spearphishing Attachment

TA551 has sent spearphishing attachments with password-protected ZIP files.[3][2][1]
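The masquerading and proxy-execution behaviours in the table above (T1036 DLLs renamed to .dat/.jpg, T1218.005/.010/.011 mshta/regsvr32/rundll32, and macro-launched cmd.exe under T1204.002/T1059.003) combine into a simple process-creation detection. The Python below is an added example, not part of the ATT&CK page or of any vendor's tooling; the `parent|image|command_line` log format, the sample events and the rule names are constructed for the demo and do not follow a real EDR schema.

```python
"""Detection sketch for two TA551 patterns:
 1. a proxy binary (regsvr32, rundll32, mshta) handed a payload whose extension
    is disguised as a data/image file (T1036 + T1218.005/.010/.011);
 2. a shell, script host or proxy binary spawned directly by an Office
    application, the macro-to-cmd.exe chain (T1204.002 + T1059.003).

Added example; the log format and every event below are constructed."""
import re
from dataclasses import dataclass

PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Extensions that should never be the payload path of a DLL/HTA loader.
MASQUERADE_EXTENSIONS = {".dat", ".jpg", ".jpeg", ".png", ".txt", ".tmp"}

# A quoted path ("...") or a bare whitespace-free token.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def payload_paths(cmdline: str):
    """Yield candidate payload paths from a proxy-binary command line.

    Skips the binary itself (first token) and switches (/s, -s, ...). For
    rundll32 the export name follows a comma, so only the part before the
    comma is treated as the path.
    """
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN_RE.finditer(cmdline)]
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        yield tok.split(",", 1)[0]


def analyze(line: str) -> list[Finding]:
    """Evaluate one constructed 'parent|image|command_line' event."""
    parent, image, cmdline = (f.strip() for f in line.split("|", 2))
    parent_b, image_b = basename(parent), basename(image)
    findings = []

    if image_b in PROXY_BINARIES:
        for path in payload_paths(cmdline):
            if extension(path) in MASQUERADE_EXTENSIONS:
                findings.append(Finding("proxy-exec-masqueraded-payload", image_b, path))

    if parent_b in OFFICE_PARENTS and image_b in (INTERPRETERS | PROXY_BINARIES):
        findings.append(Finding("office-spawned-interpreter", image_b, f"parent={parent_b}"))

    return findings


def scan(lines) -> list[Finding]:
    return [f for line in lines for f in analyze(line)]


# Constructed sample telemetry (not real events).
SAMPLE_LOG = [
    r"winword.exe|cmd.exe|cmd.exe /c regsvr32.exe /s C:\Users\Public\invoice.jpg",
    r"cmd.exe|regsvr32.exe|regsvr32.exe /s C:\Users\Public\invoice.jpg",
    r'explorer.exe|rundll32.exe|rundll32.exe "C:\ProgramData\update.dat",DllRegisterServer',
    r"services.exe|rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"outlook.exe|winword.exe|WINWORD.EXE /n C:\Users\Public\report.docx",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:32} {f.image:14} {f.detail}")
```

The first event only fires the Office-parent rule because cmd.exe is the image; the regsvr32 it launches shows up as its own event (the second line) and is caught there by the extension check. The shell32.dll event is the benign control: a legitimate DLL path passes untouched.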

Software

ID Name References Techniques

S0483 IcedID [4][3][2][1]
Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Attack, Browser Session Hijacking, Command and Scripting Interpreter: Visual Basic, Domain Trust Discovery, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Native API, Network Share Discovery, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Steganography, Permission Groups Discovery, Phishing: Spearphishing Attachment, Process Injection: Asynchronous Procedure Call, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion, Windows Management Instrumentation

S0650 QakBot [5]
Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade File Type, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: HTML Smuggling, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: External Proxy, Remote System Discovery, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Software Discovery, Software Discovery: Security Software Discovery, Steal Web Session Cookie, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Mark-of-the-Web Bypass, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious File, User Execution: Malicious Link, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation

S0386 Ursnif [4][3][2][1]
Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process: Windows Service, Data Encoding, Data Staged: Local Data Staging, Data from Local System, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Window, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection: Process Hollowing, Process Injection: Thread Local Storage, Proxy, Proxy: Multi-hop Proxy, Query Registry, Replication Through Removable Media, Screen Capture, System Information Discovery, System Service Discovery, Taint Shared Content, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation

S0476 Valak [4][3][2][1]
Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Automated Collection, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Windows Credential Manager, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Email Collection: Remote Email Collection, Exfiltration Over C2 Channel, Fallback Channels, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Inter-Process Communication: Dynamic Data Exchange, Modify Registry, Multi-Stage Channels, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Windows Management Instrumentation

References