TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.^[1]^[2]^[3]^[4]^[5]

ID: G0092

ⓘ

Associated Groups: Hive0065, Spandex Tempest, CHIMBORAZO

Version: 3.0

Created: 28 May 2019

Last Modified: 10 April 2024

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
Hive0065	^[6]
Spandex Tempest	^[7]
CHIMBORAZO	^[7]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.003	Account Discovery: Email Account	TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.^[8]
Enterprise	T1583	.001	Acquire Infrastructure: Domains	TA505 has registered domains to impersonate services such as Dropbox to distribute malware.^[5]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	TA505 has used HTTP to communicate with C2 nodes.^[6]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	TA505 has used PowerShell to download and execute malware and reconnaissance scripts.^[1]^[9]^[10]^[11]
		.003	Command and Scripting Interpreter: Windows Command Shell	TA505 has executed commands using `cmd.exe`.^[8]
		.005	Command and Scripting Interpreter: Visual Basic	TA505 has used VBS for code execution.^[1]^[2]^[8]^[6]
		.007	Command and Scripting Interpreter: JavaScript	TA505 has used JavaScript for code execution.^[1]^[2]
Enterprise	T1555	.003	Credentials from Password Stores: Credentials from Web Browsers	TA505 has used malware to gather credentials from Internet Explorer.^[1]
Enterprise	T1486		Data Encrypted for Impact	TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	TA505 has decrypted packed DLLs with an XOR key.^[4]
Enterprise	T1568	.001	Dynamic Resolution: Fast Flux DNS	TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.^[8]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	TA505 has used malware to disable Windows Defender.^[5]
Enterprise	T1105		Ingress Tool Transfer	TA505 has downloaded additional malware to execute on victim systems.^[10]^[11]^[9]
Enterprise	T1559	.002	Inter-Process Communication: Dynamic Data Exchange	TA505 has leveraged malicious Word documents that abused DDE.^[2]
Enterprise	T1112		Modify Registry	TA505 has used malware to disable Windows Defender through modification of the Registry.^[5]
Enterprise	T1106		Native API	TA505 has deployed payloads that use Windows API calls on a compromised host.^[5]
Enterprise	T1027	.002	Obfuscated Files or Information: Software Packing	TA505 has used UPX to obscure malicious code.^[6]
		.010	Obfuscated Files or Information: Command Obfuscation	TA505 has used base64 encoded PowerShell commands.^[10]^[11]
		.013	Obfuscated Files or Information: Encrypted/Encoded File	TA505 has password-protected malicious Word documents.^[1]
Enterprise	T1588	.001	Obtain Capabilities: Malware	TA505 has used malware such as Azorult and Cobalt Strike in their operations.^[4]
		.002	Obtain Capabilities: Tool	TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.^[4]
Enterprise	T1069		Permission Groups Discovery	TA505 has used TinyMet to enumerate members of privileged groups.^[6] TA505 has also run `net group /domain`.^[8]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	TA505 has used spearphishing emails with malicious attachments to initially compromise victims.^[1]^[2]^[3]^[10]^[9]^[12]^[8]^[13]^[6]
		.002	Phishing: Spearphishing Link	TA505 has sent spearphishing emails containing malicious links.^[1]^[3]^[8]^[13]
Enterprise	T1055	.001	Process Injection: Dynamic-link Library Injection	TA505 has been seen injecting a DLL into winword.exe.^[6]
Enterprise	T1608	.001	Stage Capabilities: Upload Malware	TA505 has staged malware on actor-controlled domains.^[5]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	TA505 has signed payloads with code signing certificates from Thawte and Sectigo.^[10]^[11]^[8]
		.005	Subvert Trust Controls: Mark-of-the-Web Bypass	TA505 has used .iso files to deploy malicious .lnk files.^[14]
Enterprise	T1218	.007	System Binary Proxy Execution: Msiexec	TA505 has used `msiexec` to download and execute malicious Windows Installer files.^[10]^[11]^[8]
		.011	System Binary Proxy Execution: Rundll32	TA505 has leveraged `rundll32.exe` to execute malicious DLLs.^[10]^[11]
Enterprise	T1552	.001	Unsecured Credentials: Credentials In Files	TA505 has used malware to gather credentials from FTP clients and Outlook.^[1]
Enterprise	T1204	.001	User Execution: Malicious Link	TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. ^[1]^[2]^[3]^[10]^[9]^[12]^[8]^[13]
		.002	User Execution: Malicious File	TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. ^[1]^[2]^[3]^[10]^[9]^[12]^[8]^[13]^[6]
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	TA505 has used stolen domain admin accounts to compromise additional hosts.^[6]

Software

ID	Name	References	Techniques
S0552	AdFind	^[4]	Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S1025	Amadey	^[5]^[15]	Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Local System, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information, Software Discovery: Security Software Discovery, Subvert Trust Controls: Mark-of-the-Web Bypass, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0344	Azorult	^[4]	Access Token Manipulation: Create Process with Token, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Discovery, Process Injection: Process Hollowing, Query Registry, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Unsecured Credentials: Credentials In Files
S0521	BloodHound	^[4]	Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Group Policy Discovery, Native API, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery
S0611	Clop	^[16]^[17]	Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Software Packing, Process Discovery, Service Stop, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Msiexec, System Location Discovery: System Language Discovery, Virtualization/Sandbox Evasion: Time Based Evasion
S0154	Cobalt Strike	^[4]	Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0384	Dridex	^[1]^[2]^[6]	Application Layer Protocol: Web Protocols, Browser Session Hijacking, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Native API, Obfuscated Files or Information, Proxy, Proxy: Multi-hop Proxy, Remote Access Software, Scheduled Task/Job: Scheduled Task, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, User Execution: Malicious File
S0381	FlawedAmmyy	^[12]^[8]^[13]	Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data from Local System, Data Obfuscation, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Screen Capture, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0383	FlawedGrace	^[3]^[8]^[13]	Obfuscated Files or Information: Encrypted/Encoded File
S0460	Get2	^[13]	Application Layer Protocol: Web Protocols, Command and Scripting Interpreter, Process Discovery, Process Injection: Dynamic-link Library Injection, System Information Discovery, System Owner/User Discovery
S0002	Mimikatz	^[4]	Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039	Net	^[8]	Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0194	PowerSploit	^[4]	Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0461	SDBbot	^[13]^[6]	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Application Shimming, Event Triggered Execution: Image File Execution Options Injection, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal, Indicator Removal: File Deletion, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Remote Services: Remote Desktop Protocol, System Binary Proxy Execution: Rundll32, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture
S0382	ServHelper	^[3]^[10]^[11]^[8]	Account Manipulation: Additional Local or Domain Groups, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Create Account: Local Account, Encrypted Channel: Asymmetric Cryptography, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Account Name, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery
S0266	TrickBot	^[1]^[6]	Account Discovery: Local Account, Account Discovery: Email Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force: Credential Stuffing, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Password Managers, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Fallback Channels, File and Directory Discovery, Firmware Corruption, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Pre-OS Boot: Bootkit, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy: External Proxy, Remote Access Software, Remote Services: VNC, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion

References

Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.

TA505

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References