
G1037 TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023. [1]

ID: G1037
Associated Names: -
Version: 1.0
Created: 17 September 2024
Last Modified: 17 September 2024

Techniques Used

Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | TA577 has used BAT files in malware execution chains. [1]
enterprise | T1059.007 | JavaScript | TA577 has used JavaScript to execute additional malicious payloads. [1]
enterprise | T1586 | Compromise Accounts | -
enterprise | T1586.002 | Email Accounts | TA577 has sent thread-hijacked messages from compromised email accounts. [1]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.009 | Embedded Payloads | TA577 has used LNK files to execute embedded DLLs. [1]
enterprise | T1566 | Phishing | -
enterprise | T1566.002 | Spearphishing Link | TA577 has sent emails containing links to malicious JavaScript files. [1]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | TA577 has lured users into executing malicious JavaScript files by sending malicious links via email. [1]

Software

ID | Name | References | Techniques (listed as Sub-technique:Technique where applicable)
S1160 | Latrodectus | [1] | Domain Account:Account Discovery, Web Protocols:Application Layer Protocol, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Windows Command Shell:Command and Scripting Interpreter, JavaScript:Command and Scripting Interpreter, Standard Encoding:Data Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Symmetric Cryptography:Encrypted Channel, Exfiltration Over C2 Channel, File and Directory Discovery, NTFS File Attributes:Hide Artifacts, File Deletion:Indicator Removal, Ingress Tool Transfer, Component Object Model:Inter-Process Communication, Match Legitimate Resource Name or Location:Masquerading, Multi-Stage Channels, Native API, Network Share Discovery, Dynamic API Resolution:Obfuscated Files or Information, Software Packing:Obfuscated Files or Information, Binary Padding:Obfuscated Files or Information, Encrypted/Encoded File:Obfuscated Files or Information, Domain Groups:Permission Groups Discovery, Spearphishing Attachment:Phishing, Spearphishing Link:Phishing, Process Discovery, VNC:Remote Services, Scheduled Task:Scheduled Task/Job, Security Software Discovery:Software Discovery, Rundll32:System Binary Proxy Execution, Msiexec:System Binary Proxy Execution, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Shutdown/Reboot, Malicious Link:User Execution, Malicious File:User Execution, System Checks:Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation
S1145 | Pikabot | [1] | Local Account:Account Discovery, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Windows Command Shell:Command and Scripting Interpreter, Standard Encoding:Data Encoding, Debugger Evasion, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Symmetric Cryptography:Encrypted Channel, Environmental Keying:Execution Guardrails, Exfiltration Over C2 Channel, Native API, Non-Standard Port, Fileless Storage:Obfuscated Files or Information, Steganography:Obfuscated Files or Information, Embedded Payloads:Obfuscated Files or Information, Thread Execution Hijacking:Process Injection, Portable Executable Injection:Process Injection, Reflective Code Loading, System Information Discovery, System Network Configuration Discovery, System Checks:Virtualization/Sandbox Evasion
S0650 | QakBot | [1] | Web Protocols:Application Layer Protocol, Application Window Discovery, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Browser Session Hijacking, Brute Force, PowerShell:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, JavaScript:Command and Scripting Interpreter, Visual Basic:Command and Scripting Interpreter, Windows Service:Create or Modify System Process, Credentials from Web Browsers:Credentials from Password Stores, Standard Encoding:Data Encoding, Data from Local System, Local Data Staging:Data Staged, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Domain Generation Algorithms:Dynamic Resolution, Local Email Collection:Email Collection, Symmetric Cryptography:Encrypted Channel, Exfiltration Over C2 Channel, Exploitation of Remote Services, File and Directory Discovery, Hidden Files and Directories:Hide Artifacts, DLL:Hijack Execution Flow, Disable or Modify Tools:Impair Defenses, File Deletion:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Masquerade File Type:Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Binary Padding:Obfuscated Files or Information, Fileless Storage:Obfuscated Files or Information, HTML Smuggling:Obfuscated Files or Information, Command Obfuscation:Obfuscated Files or Information, Obfuscated Files or Information, Indicator Removal from Tools:Obfuscated Files or Information, Software Packing:Obfuscated Files or Information, Peripheral Device Discovery, Local Groups:Permission Groups Discovery, Spearphishing Link:Phishing, Spearphishing Attachment:Phishing, Process Discovery, Process Hollowing:Process Injection, Process Injection, Protocol Tunneling, External Proxy:Proxy, Remote System Discovery, Replication Through Removable Media, Scheduled Task:Scheduled Task/Job, Security Software Discovery:Software Discovery, Software Discovery, Steal Web Session Cookie, Code Signing:Subvert Trust Controls, Mark-of-the-Web Bypass:Subvert Trust Controls, Regsvr32:System Binary Proxy Execution, Msiexec:System Binary Proxy Execution, Rundll32:System Binary Proxy Execution, System Information Discovery, Internet Connection Discovery:System Network Configuration Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Malicious Link:User Execution, Malicious File:User Execution, System Checks:Virtualization/Sandbox Evasion, Time Based Checks:Virtualization/Sandbox Evasion, Windows Management Instrumentation

References