TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[1][2][3][4][5]

ID: G0092
Associated Groups: Hive0065
Version: 2.1
Created: 28 May 2019
Last Modified: 22 March 2023

Associated Group Descriptions

Name Description
Hive0065

[6]

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[7]

Enterprise T1583 .001 Acquire Infrastructure: Domains

TA505 has registered domains to impersonate services such as Dropbox to distribute malware.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA505 has used HTTP to communicate with C2 nodes.[6]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[1][8][9][10]

.003 Command and Scripting Interpreter: Windows Command Shell

TA505 has executed commands using cmd.exe.[7]

.005 Command and Scripting Interpreter: Visual Basic

TA505 has used VBS for code execution.[1][2][7][6]

.007 Command and Scripting Interpreter: JavaScript

TA505 has used JavaScript for code execution.[1][2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TA505 has used malware to gather credentials from Internet Explorer.[1]

Enterprise T1486 Data Encrypted for Impact

TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

TA505 has decrypted packed DLLs with an XOR key.[4]

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[7]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TA505 has used malware to disable Windows Defender.[5]

Enterprise T1105 Ingress Tool Transfer

TA505 has downloaded additional malware to execute on victim systems.[9][10][8]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

TA505 has leveraged malicious Word documents that abused DDE.[2]

Enterprise T1112 Modify Registry

TA505 has used malware to disable Windows Defender through modification of the Registry.[5]

Enterprise T1106 Native API

TA505 has deployed payloads that use Windows API calls on a compromised host.[5]

Enterprise T1027 Obfuscated Files or Information

TA505 has password-protected malicious Word documents.[1]

.002 Software Packing

TA505 has used UPX to obscure malicious code.[6]

.010 Command Obfuscation

TA505 has used base64 encoded PowerShell commands.[9][10]

Enterprise T1588 .001 Obtain Capabilities: Malware

TA505 has used malware such as Azorult and Cobalt Strike in their operations.[4]

.002 Obtain Capabilities: Tool

TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.[4]

Enterprise T1069 Permission Groups Discovery

TA505 has used TinyMet to enumerate members of privileged groups.[6] TA505 has also run net group /domain.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[1][2][3][9][8][11][7][12][6]

.002 Phishing: Spearphishing Link

TA505 has sent spearphishing emails containing malicious links.[1][3][7][12]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

TA505 has been seen injecting a DLL into winword.exe.[6]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TA505 has staged malware on actor-controlled domains.[5]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[9][10][7]

.005 Subvert Trust Controls: Mark-of-the-Web Bypass

TA505 has used .iso files to deploy malicious .lnk files.[13]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

TA505 has used msiexec to download and execute malicious Windows Installer files.[9][10][7]

.011 System Binary Proxy Execution: Rundll32

TA505 has leveraged rundll32.exe to execute malicious DLLs.[9][10]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TA505 has used malware to gather credentials from FTP clients and Outlook.[1]

Enterprise T1204 .001 User Execution: Malicious Link

TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][9][8][11][7][12]

.002 User Execution: Malicious File

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][9][8][11][7][12][6]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

TA505 has used stolen domain admin accounts to compromise additional hosts.[6]

Software

ID Name References Techniques
S0552 AdFind [4] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S1025 Amadey [5][14] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Local System, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information, Software Discovery: Security Software Discovery, Subvert Trust Controls: Mark-of-the-Web Bypass, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0344 Azorult [4] Access Token Manipulation: Create Process with Token, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Discovery, Process Injection: Process Hollowing, Query Registry, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Unsecured Credentials: Credentials In Files
S0521 BloodHound [4] Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Group Policy Discovery, Native API, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery
S0611 Clop [15][16] Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Modify Registry, Native API, Network Share Discovery, Obfuscated Files or Information: Software Packing, Process Discovery, Service Stop, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Msiexec, System Location Discovery: System Language Discovery, Virtualization/Sandbox Evasion: Time Based Evasion
S0154 Cobalt Strike [4] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0384 Dridex [1][2][6] Application Layer Protocol: Web Protocols, Browser Session Hijacking, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Native API, Obfuscated Files or Information, Proxy, Proxy: Multi-hop Proxy, Remote Access Software, Scheduled Task/Job: Scheduled Task, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, User Execution: Malicious File
S0381 FlawedAmmyy [11][7][12] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data from Local System, Data Obfuscation, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Screen Capture, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0383 FlawedGrace [3][7][12] Obfuscated Files or Information
S0460 Get2 [12] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter, Process Discovery, Process Injection: Dynamic-link Library Injection, System Information Discovery, System Owner/User Discovery
S0002 Mimikatz [4] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [7] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0194 PowerSploit [4] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0461 SDBbot [12][6] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Application Shimming, Event Triggered Execution: Image File Execution Options Injection, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal, Indicator Removal: File Deletion, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Remote Services: Remote Desktop Protocol, System Binary Proxy Execution: Rundll32, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture
S0382 ServHelper [3][9][10][7] Account Manipulation, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Create Account: Local Account, Encrypted Channel: Asymmetric Cryptography, Indicator Removal: File Deletion, Ingress Tool Transfer, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery
S0266 TrickBot [1][6] Account Discovery: Local Account, Account Discovery: Email Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force: Credential Stuffing, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Password Managers, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Fallback Channels, File and Directory Discovery, Firmware Corruption, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Permission Groups Discovery, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Pre-OS Boot: Bootkit, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy: External Proxy, Remote Access Software, Remote Services: VNC, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion

References