
G1038 TA578

TA578 is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including Latrodectus, IcedID, and Bumblebee.[2][1]

ID: G1038
Associated Names: none listed
Version: 1.0
Created: 17 September 2024
Last Modified: 17 September 2024

Techniques Used

Domain: Enterprise. ID: T1583.006. Name: Acquire Infrastructure: Web Services. Use: TA578 has used Google Firebase to host malicious scripts.[2]
Domain: Enterprise. ID: T1059.007. Name: Command and Scripting Interpreter: JavaScript. Use: TA578 has used JavaScript files in malware execution chains.[2]
Domain: Enterprise. ID: T1594. Name: Search Victim-Owned Websites. Use: TA578 has filled out contact forms on victims' websites to direct them to adversary-controlled URLs.[2]
Domain: Enterprise. ID: T1204.001. Name: User Execution: Malicious Link. Use: TA578 has placed malicious links in contact forms on victim sites, often spoofing a copyright complaint, to redirect users to malicious file downloads.[2]
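The three behaviours above (contact-form abuse under T1594, a copyright-complaint lure carrying a link under T1204.001, and payload hosting on Google Firebase under T1583.006) can be triaged together on the receiving side. The following Python is an added example written for this page, not code from MITRE or from any TA578 report: it scores inbound contact-form submissions with a few simple heuristics. The sample submissions are constructed, and the lure vocabulary, the web-service hostnames and the payload extensions are assumptions chosen for the example rather than indicators published on this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample submissions (not real TA578 data): one message modelled on
# the copyright-complaint pretext described in the technique table, and two
# benign enquiries, one of which also carries a link.
SAMPLE_SUBMISSIONS = [
    {
        "id": 1,
        "sender": "legal-notice@example.net",
        "message": (
            "Your website uses images that belong to our client. This is a "
            "copyright infringement notice. The evidence is available at "
            "https://firebasestorage.googleapis.com/v0/b/example-bucket/o/"
            "Evidence_Documents.zip?alt=media and must be reviewed within 24 hours."
        ),
    },
    {
        "id": 2,
        "sender": "jane@example.org",
        "message": "Hi, do you ship to Canada? Thanks!",
    },
    {
        "id": 3,
        "sender": "procurement@example.com",
        "message": "Please see our tender page at https://www.example.com/tenders/2024 for details.",
    },
]

# Assumed indicators for this example: lure wording, public web-service
# hosting domains (Firebase Storage and Firebase Hosting), and file
# extensions typical of script or archive payloads.
LURE_TERMS = ("copyright", "infringement", "dmca", "trademark", "legal action")
WEB_SERVICE_HOSTS = ("firebasestorage.googleapis.com", ".web.app", ".firebaseapp.com")
PAYLOAD_EXTENSIONS = (".js", ".zip", ".iso", ".img", ".msi", ".vbs", ".lnk")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in free text."""
    return URL_RE.findall(text)


def host_is_web_service(url):
    """True when the URL's host is one of the assumed public hosting services."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith(h) for h in WEB_SERVICE_HOSTS)


def path_has_payload_extension(url):
    """True when the URL path (query string excluded) ends in a payload extension."""
    return urlparse(url).path.lower().endswith(PAYLOAD_EXTENSIONS)


def score_submission(sub):
    """Score one submission; each matched heuristic adds one point and a reason."""
    text = sub["message"]
    lower = text.lower()
    urls = extract_urls(text)
    reasons = []
    # A legal/copyright pretext only matters when it also pushes the reader to a link.
    if urls and any(term in lower for term in LURE_TERMS):
        reasons.append("copyright/legal lure text combined with an external link")
    for url in urls:
        parsed = urlparse(url)
        if host_is_web_service(url):
            reasons.append(f"link hosted on a public web service: {parsed.hostname}")
        if path_has_payload_extension(url):
            reasons.append(f"link points at a script/archive file: {parsed.path.rsplit('/', 1)[-1]}")
    return {"id": sub["id"], "score": len(reasons), "reasons": reasons}


def triage(submissions, threshold=2):
    """Return the submissions whose score reaches the threshold, for analyst review."""
    return [r for r in (score_submission(s) for s in submissions) if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in triage(SAMPLE_SUBMISSIONS):
        print(f"submission {hit['id']} score={hit['score']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

The threshold is deliberately above one: a lone link to a Firebase bucket or a single mention of copyright is common in legitimate traffic, and it is the combination of pretext, third-party hosting and a downloadable file that matches the pattern in the table. Extend the host and extension lists from your own telemetry rather than treating the values here as a signature.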

Software

S1039 Bumblebee [2]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Archive Collected Data; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: Visual Basic; Command and Scripting Interpreter: PowerShell; Data Encoding: Standard Encoding; Data from Local System; Debugger Evasion; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; Fallback Channels; Indicator Removal: File Deletion; Ingress Tool Transfer; Inter-Process Communication: Component Object Model; Masquerading: Match Legitimate Resource Name or Location; Native API; Obfuscated Files or Information; Phishing: Spearphishing Link; Phishing: Spearphishing Attachment; Process Discovery; Process Injection: Dynamic-link Library Injection; Process Injection: Asynchronous Procedure Call; Process Injection; Query Registry; Scheduled Task/Job: Scheduled Task; Shared Modules; Software Discovery: Security Software Discovery; System Binary Proxy Execution: Odbcconf; System Binary Proxy Execution: Rundll32; System Information Discovery; System Owner/User Discovery; User Execution: Malicious Link; User Execution: Malicious File; Virtualization/Sandbox Evasion: System Checks; Virtualization/Sandbox Evasion: Time Based Checks; Virtualization/Sandbox Evasion; Web Service; Windows Management Instrumentation

S0483 IcedID [2]
Techniques: Account Discovery: Domain Account; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Browser Session Hijacking; Command and Scripting Interpreter: Visual Basic; Domain Trust Discovery; Drive-by Compromise; Encrypted Channel: Asymmetric Cryptography; Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Ingress Tool Transfer; Masquerading: Match Legitimate Resource Name or Location; Native API; Network Share Discovery; Obfuscated Files or Information: Embedded Payloads; Obfuscated Files or Information: Encrypted/Encoded File; Obfuscated Files or Information: Steganography; Obfuscated Files or Information: Software Packing; Permission Groups Discovery; Phishing: Spearphishing Attachment; Process Injection: Process Hollowing; Process Injection: Asynchronous Procedure Call; Scheduled Task/Job: Scheduled Task; Software Discovery: Security Software Discovery; System Binary Proxy Execution: Msiexec; System Binary Proxy Execution: Rundll32; System Information Discovery; System Location Discovery: System Language Discovery; System Network Configuration Discovery; User Execution: Malicious File; Virtualization/Sandbox Evasion; Windows Management Instrumentation

S1160 Latrodectus [2][1]
Techniques: Account Discovery: Domain Account; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: JavaScript; Data Encoding: Standard Encoding; Data from Local System; Debugger Evasion; Deobfuscate/Decode Files or Information; Domain Trust Discovery; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: NTFS File Attributes; Indicator Removal: File Deletion; Ingress Tool Transfer; Inter-Process Communication: Component Object Model; Masquerading: Match Legitimate Resource Name or Location; Multi-Stage Channels; Native API; Network Share Discovery; Obfuscated Files or Information: Dynamic API Resolution; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information: Binary Padding; Obfuscated Files or Information: Encrypted/Encoded File; Permission Groups Discovery: Domain Groups; Phishing: Spearphishing Attachment; Phishing: Spearphishing Link; Process Discovery; Remote Services: VNC; Scheduled Task/Job: Scheduled Task; Software Discovery: Security Software Discovery; System Binary Proxy Execution: Rundll32; System Binary Proxy Execution: Msiexec; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Shutdown/Reboot; User Execution: Malicious Link; User Execution: Malicious File; Virtualization/Sandbox Evasion: System Checks; Web Service; Windows Management Instrumentation

References