
G0092 TA505

TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.[1][2][3]

| Item | Value |
|---|---|
| ID | G0092 |
| Associated Names | Hive0065 |
| Version | 1.3 |
| Created | 28 May 2019 |
| Last Modified | 01 December 2021 |

Associated Group Descriptions

| Name | Description |
|---|---|
| Hive0065 | [4] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.003 | Email Account | TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[7] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | TA505 has used HTTP to communicate with C2 nodes.[4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[1][8][5][6] |
| enterprise | T1059.003 | Windows Command Shell | TA505 has executed commands using cmd.exe.[7] |
| enterprise | T1059.005 | Visual Basic | TA505 has used VBS for code execution.[1][2][7][4] |
| enterprise | T1059.007 | JavaScript | TA505 has used JavaScript for code execution.[1][2] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | TA505 has used malware to gather credentials from Internet Explorer.[1] |
| enterprise | T1486 | Data Encrypted for Impact | TA505 has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[1] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.001 | Fast Flux DNS | TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[7] |
| enterprise | T1105 | Ingress Tool Transfer | TA505 has downloaded additional malware to execute on victim systems.[5][6][8] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.002 | Dynamic Data Exchange | TA505 has leveraged malicious Word documents that abused DDE.[2] |
| enterprise | T1027 | Obfuscated Files or Information | TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.[1][5][6] |
| enterprise | T1027.002 | Software Packing | TA505 has used UPX to obscure malicious code.[4] |
| enterprise | T1069 | Permission Groups Discovery | TA505 has used TinyMet to enumerate members of privileged groups.[4] TA505 has also run net group /domain.[7] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[1][2][3][5][8][9][7][10][4] |
| enterprise | T1566.002 | Spearphishing Link | TA505 has sent spearphishing emails containing malicious links.[1][3][7][10] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | TA505 has been seen injecting a DLL into winword.exe.[4] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[5][6][7] |
| enterprise | T1553.005 | Mark-of-the-Web Bypass | TA505 has used .iso files to deploy malicious .lnk files.[11] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | TA505 has used msiexec to download and execute malicious Windows Installer files.[5][6][7] |
| enterprise | T1218.011 | Rundll32 | TA505 has leveraged rundll32.exe to execute malicious DLLs.[5][6] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | TA505 has used malware to gather credentials from FTP clients and Outlook.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[1][2][3][5][8][9][7][10] |
| enterprise | T1204.002 | Malicious File | TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[1][2][3][5][8][9][7][10][4] |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | TA505 has used stolen domain admin accounts to compromise additional hosts.[4] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0611 | Clop | - | Windows Command Shell:Command and Scripting Interpreter, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, Disable or Modify Tools:Impair Defenses, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Software Packing:Obfuscated Files or Information, Process Discovery, Service Stop, Security Software Discovery:Software Discovery, Code Signing:Subvert Trust Controls, Msiexec:System Binary Proxy Execution, System Language Discovery:System Location Discovery, Time Based Evasion:Virtualization/Sandbox Evasion |
| S0384 | Dridex | - | Web Protocols:Application Layer Protocol, Browser Session Hijacking, Symmetric Cryptography:Encrypted Channel, Asymmetric Cryptography:Encrypted Channel, Native API, Obfuscated Files or Information, Multi-hop Proxy:Proxy, Proxy, Remote Access Software, Software Discovery, System Information Discovery, Malicious File:User Execution |
| S0381 | FlawedAmmyy | - | Web Protocols:Application Layer Protocol, Commonly Used Port, Data Obfuscation, Symmetric Cryptography:Encrypted Channel, Peripheral Device Discovery, Local Groups:Permission Groups Discovery, Security Software Discovery:Software Discovery, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation |
| S0383 | FlawedGrace | - | Commonly Used Port, Obfuscated Files or Information |
| S0460 | Get2 | - | Web Protocols:Application Layer Protocol, Command and Scripting Interpreter, Process Discovery, Dynamic-link Library Injection:Process Injection, System Information Discovery, System Owner/User Discovery |
| S0039 | Net | - | Domain Account:Account Discovery, Local Account:Account Discovery, Domain Account:Create Account, Local Account:Create Account, Network Share Connection Removal:Indicator Removal on Host, Network Share Discovery, Password Policy Discovery, Domain Groups:Permission Groups Discovery, Local Groups:Permission Groups Discovery, SMB/Windows Admin Shares:Remote Services, Remote System Discovery, System Network Connections Discovery, System Service Discovery, Service Execution:System Services, System Time Discovery |
| S0461 | SDBbot | - | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Windows Command Shell:Command and Scripting Interpreter, Data from Local System, Deobfuscate/Decode Files or Information, Application Shimming:Event Triggered Execution, Image File Execution Options Injection:Event Triggered Execution, File and Directory Discovery, Indicator Removal on Host, File Deletion:Indicator Removal on Host, Ingress Tool Transfer, Non-Application Layer Protocol, Software Packing:Obfuscated Files or Information, Obfuscated Files or Information, Dynamic-link Library Injection:Process Injection, Proxy, Remote Desktop Protocol:Remote Services, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture |
| S0382 | ServHelper | - | Web Protocols:Application Layer Protocol, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Windows Command Shell:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Commonly Used Port, Local Account:Create Account, Asymmetric Cryptography:Encrypted Channel, File Deletion:Indicator Removal on Host, Ingress Tool Transfer, Remote Desktop Protocol:Remote Services, Scheduled Task:Scheduled Task/Job, Rundll32:System Binary Proxy Execution, System Information Discovery, System Owner/User Discovery |
| S0266 | TrickBot | - | Local Account:Account Discovery, Email Account:Account Discovery, Web Protocols:Application Layer Protocol, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Browser Session Hijacking, Credential Stuffing:Brute Force, Windows Command Shell:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Commonly Used Port, Windows Service:Create or Modify System Process, Credentials from Web Browsers:Credentials from Password Stores, Password Managers:Credentials from Password Stores, Standard Encoding:Data Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Symmetric Cryptography:Encrypted Channel, Exfiltration Over C2 Channel, Exploitation of Remote Services, Fallback Channels, File and Directory Discovery, Firmware Corruption, Disable or Modify Tools:Impair Defenses, Ingress Tool Transfer, Credential API Hooking:Input Capture, Component Object Model:Inter-Process Communication, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Standard Port, Obfuscated Files or Information, Software Packing:Obfuscated Files or Information, Permission Groups Discovery, Spearphishing Attachment:Phishing, Spearphishing Link:Phishing, Bootkit:Pre-OS Boot, Process Discovery, Process Injection, Process Hollowing:Process Injection, External Proxy:Proxy, Remote Access Software, VNC:Remote Services, Remote System Discovery, Scheduled Task:Scheduled Task/Job, Code Signing:Subvert Trust Controls, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Credentials In Files:Unsecured Credentials, Credentials in Registry:Unsecured Credentials, Malicious File:User Execution, Time Based Evasion:Virtualization/Sandbox Evasion |

References

  1. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  2. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  3. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  4. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  5. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  6. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  7. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  8. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  9. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  10. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  11. Trend Micro. (2019, August 27). TA505: Variety in Use of ServHelper and FlawedAmmyy. Retrieved February 22, 2021.
  12. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
  13. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
