TA578

TA578 is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including Latrodectus, IcedID, and Bumblebee.[1][2]

ID: G1038
Version: 1.0
Created: 17 September 2024
Last Modified: 17 September 2024

Techniques Used

Domain ID Name Use

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

TA578 has used JavaScript files in malware execution chains.[1]

Enterprise T1594 Search Victim-Owned Websites

TA578 has filled out contact forms on victims' websites to direct them to adversary-controlled URLs.[1]

Enterprise T1204.001 User Execution: Malicious Link

TA578 has placed malicious links in contact forms on victim sites, often spoofing a copyright complaint, to redirect users to malicious file downloads.[1]

Enterprise T1583.006 Acquire Infrastructure: Web Services

TA578 has used Google Firebase to host malicious scripts.[1]

Software

ID Name References Techniques

S1039 Bumblebee [1] Windows Management Instrumentation, Data from Local System, Masquerading: Match Legitimate Name or Location, Shared Modules, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Fallback Channels, Archive Collected Data, Data Encoding: Standard Encoding, Native API, Query Registry, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious Link, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Odbcconf, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, Network Service Discovery, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion, Debugger Evasion, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Process Injection, Inter-Process Communication: Component Object Model, Exfiltration Over C2 Channel, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task

S0483 IcedID [1] Windows Management Instrumentation, Masquerading: Match Legitimate Name or Location, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Domain Trust Discovery, Application Layer Protocol: Web Protocols, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Native API, Permission Groups Discovery, Browser Session Hijacking, Browser Attack, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Software Packing, User Execution: Malicious File, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Location Discovery: System Language Discovery, System Information Discovery, System Network Configuration Discovery, Network Share Discovery, Virtualization/Sandbox Evasion, Account Discovery: Domain Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Injection: Process Hollowing, Process Injection: Asynchronous Procedure Call, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task

S1160 Latrodectus [1][2] Windows Management Instrumentation, Data from Local System, Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Domain Trust Discovery, Multi-Stage Channels, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Permission Groups Discovery: Domain Groups, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious Link, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Shutdown/Reboot, System Owner/User Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Virtualization/Sandbox Evasion: System Checks, Debugger Evasion, Account Discovery: Domain Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Inter-Process Communication: Component Object Model, Remote Services: VNC, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Hide Artifacts: NTFS File Attributes, Scheduled Task/Job: Scheduled Task

References