Skip to content

G0127 TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. 1 The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. 2

Item Value
ID G0127
Associated Names GOLD CABIN, Shathak
Version 1.1
Created 19 March 2021
Last Modified 30 September 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
GOLD CABIN 1
Shathak 32

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols TA551 has used HTTP for C2 communications.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell TA551 has used cmd.exe to execute commands.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding TA551 has used encoded ASCII text for initial C2 communications.3
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms TA551 has used a DGA to generate URLs from executed macros.21
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.2
enterprise T1105 Ingress Tool Transfer TA551 has retrieved DLLs and installer binaries for malware execution from C2.2
enterprise T1036 Masquerading TA551 has masked malware DLLs as dat and jpg files.2
enterprise T1027 Obfuscated Files or Information TA551 has used obfuscated variable names in a JavaScript configuration file.3
enterprise T1027.003 Steganography TA551 has hidden encoded data for malware DLLs in a PNG.2
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment TA551 has sent spearphishing attachments with password protected ZIP files.321
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta TA551 has used mshta.exe to execute malicious payloads.2
enterprise T1218.010 Regsvr32 TA551 has used regsvr32.exe to load malicious DLLs.3
enterprise T1218.011 Rundll32 TA551 has used rundll32.exe to load malicious DLLs.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File TA551 has prompted users to enable macros within spearphishing attachments to install malware.2

Software

ID Name References Techniques
S0483 IcedID - Domain Account:Account Discovery Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Asymmetric Cryptography:Encrypted Channel Ingress Tool Transfer Native API Obfuscated Files or Information Software Packing:Obfuscated Files or Information Steganography:Obfuscated Files or Information Permission Groups Discovery Spearphishing Attachment:Phishing Asynchronous Procedure Call:Process Injection Scheduled Task:Scheduled Task/Job Msiexec:System Binary Proxy Execution System Information Discovery Malicious File:User Execution Windows Management Instrumentation
S0650 QakBot - Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Brute Force Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Domain Trust Discovery Domain Generation Algorithms:Dynamic Resolution Local Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Exploitation of Remote Services File and Directory Discovery Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Binary Padding:Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Software Packing:Obfuscated Files or Information Peripheral Device Discovery Local Groups:Permission Groups Discovery Spearphishing Link:Phishing Spearphishing Attachment:Phishing Process Discovery Process Injection Process Hollowing:Process Injection Protocol Tunneling External Proxy:Proxy Remote System Discovery Replication Through Removable Media Scheduled Task:Scheduled Task/Job Software Discovery Security Software Discovery:Software Discovery Steal Web Session Cookie Code Signing:Subvert Trust Controls Msiexec:System Binary Proxy Execution Regsvr32:System Binary Proxy Execution Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery Internet Connection Discovery:System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Time Discovery Malicious Link:User Execution Malicious File:User Execution System Checks:Virtualization/Sandbox Evasion Time Based Evasion:Virtualization/Sandbox Evasion Windows Management Instrumentation
S0386 Ursnif - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data Encoding Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Exfiltration Over C2 Channel Hidden Window:Hide Artifacts File Deletion:Indicator Removal on Host Ingress Tool Transfer Credential API Hooking:Input Capture Component Object Model:Inter-Process Communication Match Legitimate Name or Location:Masquerading Modify Registry Native API Obfuscated Files or Information Process Discovery Process Hollowing:Process Injection Thread Local Storage:Process Injection Multi-hop Proxy:Proxy Proxy Query Registry Replication Through Removable Media Screen Capture System Information Discovery System Service Discovery Taint Shared Content Time Based Evasion:Virtualization/Sandbox Evasion Windows Management Instrumentation
S0476 Valak - Domain Account:Account Discovery Local Account:Account Discovery Web Protocols:Application Layer Protocol Automated Collection JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Credential Manager:Credentials from Password Stores Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Remote Email Collection:Email Collection Exfiltration Over C2 Channel Fallback Channels NTFS File Attributes:Hide Artifacts Ingress Tool Transfer Dynamic Data Exchange:Inter-Process Communication Modify Registry Multi-Stage Channels Obfuscated Files or Information Software Packing:Obfuscated Files or Information Spearphishing Attachment:Phishing Spearphishing Link:Phishing Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Regsvr32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery Credentials in Registry:Unsecured Credentials Malicious File:User Execution Windows Management Instrumentation

References

Back to top