
G0092 TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[3][4][5][6][1]

ID: G0092
Associated Names: Hive0065
Version: 2.1
Created: 28 May 2019
Last Modified: 22 March 2023

Associated Group Descriptions

Name: Hive0065 [2]

Techniques Used

Domain | ID | Name | Use

enterprise | T1087 | Account Discovery | -
enterprise | T1087.003 | Email Account | TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[7]
enterprise | T1583 | Acquire Infrastructure | -
enterprise | T1583.001 | Domains | TA505 has registered domains to impersonate services such as Dropbox to distribute malware.[1]
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | TA505 has used HTTP to communicate with C2 nodes.[2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[3][8][9][10]
enterprise | T1059.003 | Windows Command Shell | TA505 has executed commands using cmd.exe.[7]
enterprise | T1059.005 | Visual Basic | TA505 has used VBS for code execution.[3][4][7][2]
enterprise | T1059.007 | JavaScript | TA505 has used JavaScript for code execution.[3][4]
enterprise | T1555 | Credentials from Password Stores | -
enterprise | T1555.003 | Credentials from Web Browsers | TA505 has used malware to gather credentials from Internet Explorer.[3]
enterprise | T1486 | Data Encrypted for Impact | TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[3]
enterprise | T1140 | Deobfuscate/Decode Files or Information | TA505 has decrypted packed DLLs with an XOR key.[6]
enterprise | T1568 | Dynamic Resolution | -
enterprise | T1568.001 | Fast Flux DNS | TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[7]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.001 | Disable or Modify Tools | TA505 has used malware to disable Windows Defender.[1]
enterprise | T1105 | Ingress Tool Transfer | TA505 has downloaded additional malware to execute on victim systems.[9][10][8]
enterprise | T1559 | Inter-Process Communication | -
enterprise | T1559.002 | Dynamic Data Exchange | TA505 has leveraged malicious Word documents that abused DDE.[4]
enterprise | T1112 | Modify Registry | TA505 has used malware to disable Windows Defender through modification of the Registry.[1]
enterprise | T1106 | Native API | TA505 has deployed payloads that use Windows API calls on a compromised host.[1]
enterprise | T1027 | Obfuscated Files or Information | TA505 has password-protected malicious Word documents.[3]
enterprise | T1027.002 | Software Packing | TA505 has used UPX to obscure malicious code.[2]
enterprise | T1027.010 | Command Obfuscation | TA505 has used base64 encoded PowerShell commands.[9][10]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.001 | Malware | TA505 has used malware such as Azorult and Cobalt Strike in their operations.[6]
enterprise | T1588.002 | Tool | TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.[6]
enterprise | T1069 | Permission Groups Discovery | TA505 has used TinyMet to enumerate members of privileged groups.[2] TA505 has also run net group /domain.[7]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[3][4][5][9][8][12][7][11][2]
enterprise | T1566.002 | Spearphishing Link | TA505 has sent spearphishing emails containing malicious links.[3][5][7][11]
enterprise | T1055 | Process Injection | -
enterprise | T1055.001 | Dynamic-link Library Injection | TA505 has been seen injecting a DLL into winword.exe.[2]
enterprise | T1608 | Stage Capabilities | -
enterprise | T1608.001 | Upload Malware | TA505 has staged malware on actor-controlled domains.[1]
enterprise | T1553 | Subvert Trust Controls | -
enterprise | T1553.002 | Code Signing | TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[9][10][7]
enterprise | T1553.005 | Mark-of-the-Web Bypass | TA505 has used .iso files to deploy malicious .lnk files.[13]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.007 | Msiexec | TA505 has used msiexec to download and execute malicious Windows Installer files.[9][10][7]
enterprise | T1218.011 | Rundll32 | TA505 has leveraged rundll32.exe to execute malicious DLLs.[9][10]
enterprise | T1552 | Unsecured Credentials | -
enterprise | T1552.001 | Credentials In Files | TA505 has used malware to gather credentials from FTP clients and Outlook.[3]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[3][4][5][9][8][12][7][11]
enterprise | T1204.002 | Malicious File | TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[3][4][5][9][8][12][7][11][2]
enterprise | T1078 | Valid Accounts | -
enterprise | T1078.002 | Domain Accounts | TA505 has used stolen domain admin accounts to compromise additional hosts.[2]

Software

ID | Name | References | Techniques (listed as Sub-technique:Technique where applicable; entries separated by semicolons)

S0552 | AdFind | [6] | Domain Account:Account Discovery; Domain Trust Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; System Network Configuration Discovery
S1025 | Amadey | [1][16] | Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Data from Local System; Deobfuscate/Decode Files or Information; Fast Flux DNS:Dynamic Resolution; Exfiltration Over C2 Channel; File and Directory Discovery; Ingress Tool Transfer; Modify Registry; Native API; Obfuscated Files or Information; Security Software Discovery:Software Discovery; Mark-of-the-Web Bypass:Subvert Trust Controls; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0344 | Azorult | [6] | Create Process with Token:Access Token Manipulation; Credentials from Web Browsers:Credentials from Password Stores; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; File and Directory Discovery; File Deletion:Indicator Removal; Ingress Tool Transfer; Process Discovery; Process Hollowing:Process Injection; Query Registry; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery; Credentials In Files:Unsecured Credentials
S0521 | BloodHound | [6] | Local Account:Account Discovery; Domain Account:Account Discovery; Archive Collected Data; PowerShell:Command and Scripting Interpreter; Domain Trust Discovery; Group Policy Discovery; Native API; Password Policy Discovery; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; System Owner/User Discovery
S0611 | Clop | [14][15] | Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; Deobfuscate/Decode Files or Information; File and Directory Discovery; Disable or Modify Tools:Impair Defenses; Inhibit System Recovery; Modify Registry; Native API; Network Share Discovery; Software Packing:Obfuscated Files or Information; Process Discovery; Service Stop; Security Software Discovery:Software Discovery; Code Signing:Subvert Trust Controls; Msiexec:System Binary Proxy Execution; System Language Discovery:System Location Discovery; Time Based Evasion:Virtualization/Sandbox Evasion
S0154 | Cobalt Strike | [6] | Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Bypass User Account Control:Abuse Elevation Control Mechanism; Token Impersonation/Theft:Access Token Manipulation; Make and Impersonate Token:Access Token Manipulation; Parent PID Spoofing:Access Token Manipulation; Domain Account:Account Discovery; Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Visual Basic:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Process Discovery; Process Hollowing:Process Injection; Process Injection; Dynamic-link Library Injection:Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Windows Remote Management:Remote Services; SMB/Windows Admin Shares:Remote Services; SSH:Remote Services; Remote Desktop Protocol:Remote Services; Distributed Component Object Model:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0384 | Dridex | [3][4][2] | Web Protocols:Application Layer Protocol; Browser Session Hijacking; Symmetric Cryptography:Encrypted Channel; Asymmetric Cryptography:Encrypted Channel; Native API; Obfuscated Files or Information; Multi-hop Proxy:Proxy; Proxy; Remote Access Software; Software Discovery; System Information Discovery; Malicious File:User Execution
S0381 | FlawedAmmyy | [1][2][7][11] | Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Data from Local System; Data Obfuscation; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Input Capture; Peripheral Device Discovery; Local Groups:Permission Groups Discovery; Screen Capture; Security Software Discovery:Software Discovery; Rundll32:System Binary Proxy Execution; Msiexec:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery; Windows Management Instrumentation
S0383 | FlawedGrace | [5][7][11] | Obfuscated Files or Information
S0460 | Get2 | [11] | Web Protocols:Application Layer Protocol; Command and Scripting Interpreter; Process Discovery; Dynamic-link Library Injection:Process Injection; System Information Discovery; System Owner/User Discovery
S0002 | Mimikatz | [6] | SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material
S0039 | Net | [7] | Domain Account:Account Discovery; Local Account:Account Discovery; Local Account:Create Account; Domain Account:Create Account; Network Share Connection Removal:Indicator Removal; Network Share Discovery; Password Policy Discovery; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery
S0194 | PowerSploit | [6] | Access Token Manipulation; Local Account:Account Discovery; Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Windows Credential Manager:Credentials from Password Stores; Data from Local System; Domain Trust Discovery; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; Path Interception by Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Keylogging:Input Capture; Indicator Removal from Tools:Obfuscated Files or Information; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Dynamic-link Library Injection:Process Injection; Query Registry; Reflective Code Loading; Scheduled Task:Scheduled Task/Job; Screen Capture; Kerberoasting:Steal or Forge Kerberos Tickets; Credentials in Registry:Unsecured Credentials; Group Policy Preferences:Unsecured Credentials; Windows Management Instrumentation
S0461 | SDBbot | [11][2] | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Data from Local System; Deobfuscate/Decode Files or Information; Application Shimming:Event Triggered Execution; Image File Execution Options Injection:Event Triggered Execution; Exfiltration Over C2 Channel; File and Directory Discovery; File Deletion:Indicator Removal; Indicator Removal; Ingress Tool Transfer; Non-Application Layer Protocol; Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection:Process Injection; Proxy; Remote Desktop Protocol:Remote Services; Rundll32:System Binary Proxy Execution; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Video Capture
S0382 | ServHelper | [5][9][10][7] | Account Manipulation; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Local Account:Create Account; Asymmetric Cryptography:Encrypted Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Remote Desktop Protocol:Remote Services; Scheduled Task:Scheduled Task/Job; Rundll32:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery
S0266 | TrickBot | [3][2] | Local Account:Account Discovery; Email Account:Account Discovery; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Browser Session Hijacking; Credential Stuffing:Brute Force; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Password Managers:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Standard Encoding:Data Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Domain Trust Discovery; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; Exploitation of Remote Services; Fallback Channels; File and Directory Discovery; Firmware Corruption; Disable or Modify Tools:Impair Defenses; Ingress Tool Transfer; Credential API Hooking:Input Capture; Component Object Model:Inter-Process Communication; Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Standard Port; Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Permission Groups Discovery; Spearphishing Attachment:Phishing; Spearphishing Link:Phishing; Bootkit:Pre-OS Boot; Process Discovery; Process Hollowing:Process Injection; Process Injection; External Proxy:Proxy; Remote Access Software; VNC:Remote Services; Remote System Discovery; Scheduled Task:Scheduled Task/Job; Code Signing:Subvert Trust Controls; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery; Credentials In Files:Unsecured Credentials; Credentials in Registry:Unsecured Credentials; Malicious File:User Execution; Time Based Evasion:Virtualization/Sandbox Evasion

References

  1. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  2. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  3. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  4. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019. 

  5. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  6. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  7. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  8. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019. 

  9. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  10. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  11. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  12. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  13. Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021. 

  14. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021. 

  15. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. 

  16. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.