G0127 TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. ³ The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. ²

Item	Value
ID	G0127
Associated Names	GOLD CABIN, Shathak
Version	1.2
Created	19 March 2021
Last Modified	22 March 2023
Navigation Layer	View In ATT&CK® Navigator

Associated Group Descriptions

Name	Description
GOLD CABIN	³
Shathak	¹²

Techniques Used

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	TA551 has used HTTP for C2 communications.¹
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.003	Windows Command Shell	TA551 has used `cmd.exe` to execute commands.²
enterprise	T1132	Data Encoding	-
enterprise	T1132.001	Standard Encoding	TA551 has used encoded ASCII text for initial C2 communications.¹
enterprise	T1568	Dynamic Resolution	-
enterprise	T1568.002	Domain Generation Algorithms	TA551 has used a DGA to generate URLs from executed macros.²³
enterprise	T1589	Gather Victim Identity Information	-
enterprise	T1589.002	Email Addresses	TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.²
enterprise	T1105	Ingress Tool Transfer	TA551 has retrieved DLLs and installer binaries for malware execution from C2.²
enterprise	T1036	Masquerading	TA551 has masked malware DLLs as dat and jpg files.²
enterprise	T1027	Obfuscated Files or Information	-
enterprise	T1027.003	Steganography	TA551 has hidden encoded data for malware DLLs in a PNG.²
enterprise	T1027.010	Command Obfuscation	TA551 has used obfuscated variable names in a JavaScript configuration file.¹
enterprise	T1566	Phishing	-
enterprise	T1566.001	Spearphishing Attachment	TA551 has sent spearphishing attachments with password protected ZIP files.¹²³
enterprise	T1218	System Binary Proxy Execution	-
enterprise	T1218.005	Mshta	TA551 has used mshta.exe to execute malicious payloads.²
enterprise	T1218.010	Regsvr32	TA551 has used regsvr32.exe to load malicious DLLs.¹
enterprise	T1218.011	Rundll32	TA551 has used rundll32.exe to load malicious DLLs.²
enterprise	T1204	User Execution	-
enterprise	T1204.002	Malicious File	TA551 has prompted users to enable macros within spearphishing attachments to install malware.²

Software

ID	Name	References	Techniques
S0483	IcedID	⁵¹²³	Domain Account:Account Discovery Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Asymmetric Cryptography:Encrypted Channel Ingress Tool Transfer Native API Obfuscated Files or Information Steganography:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Permission Groups Discovery Spearphishing Attachment:Phishing Asynchronous Procedure Call:Process Injection Scheduled Task:Scheduled Task/Job Msiexec:System Binary Proxy Execution System Information Discovery Malicious File:User Execution Windows Management Instrumentation
S0650	QakBot	⁴	Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Brute Force JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Domain Trust Discovery Domain Generation Algorithms:Dynamic Resolution Local Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Exploitation of Remote Services File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Masquerade File Type:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Obfuscated Files or Information HTML Smuggling:Obfuscated Files or Information Peripheral Device Discovery Local Groups:Permission Groups Discovery Spearphishing Link:Phishing Spearphishing Attachment:Phishing Process Discovery Process Injection Process Hollowing:Process Injection Protocol Tunneling External Proxy:Proxy Remote System Discovery Replication Through Removable Media Scheduled Task:Scheduled Task/Job Software Discovery Security Software Discovery:Software Discovery Steal Web Session Cookie Code Signing:Subvert Trust Controls Mark-of-the-Web Bypass:Subvert Trust Controls Rundll32:System Binary Proxy Execution Msiexec:System Binary Proxy Execution Regsvr32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery Internet Connection Discovery:System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Time Discovery Malicious Link:User Execution Malicious File:User Execution Time Based Evasion:Virtualization/Sandbox Evasion System Checks:Virtualization/Sandbox Evasion Windows Management Instrumentation
S0386	Ursnif	⁵¹²³	Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data Encoding Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Exfiltration Over C2 Channel Hidden Window:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Credential API Hooking:Input Capture Component Object Model:Inter-Process Communication Match Legitimate Name or Location:Masquerading Modify Registry Native API Command Obfuscation:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Process Hollowing:Process Injection Thread Local Storage:Process Injection Proxy Multi-hop Proxy:Proxy Query Registry Replication Through Removable Media Screen Capture System Information Discovery System Service Discovery Taint Shared Content Time Based Evasion:Virtualization/Sandbox Evasion Windows Management Instrumentation
S0476	Valak	⁵¹²³	Local Account:Account Discovery Domain Account:Account Discovery Web Protocols:Application Layer Protocol Automated Collection PowerShell:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter Windows Credential Manager:Credentials from Password Stores Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Remote Email Collection:Email Collection Exfiltration Over C2 Channel Fallback Channels NTFS File Attributes:Hide Artifacts Ingress Tool Transfer Dynamic Data Exchange:Inter-Process Communication Modify Registry Multi-Stage Channels Fileless Storage:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Obfuscated Files or Information Spearphishing Attachment:Phishing Spearphishing Link:Phishing Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Regsvr32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery Credentials in Registry:Unsecured Credentials Malicious File:User Execution Windows Management Instrumentation

G0127 TA551

Associated Group Descriptions

Techniques Used

Software

References