TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.
|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1116|Code Signing|TA505 has signed payloads with code signing certificates from Thawte and Sectigo.|
|Enterprise|T1503|Credentials from Web Browsers|TA505 has used malware to gather credentials from Internet Explorer.|
|Enterprise|T1081|Credentials in Files|TA505 has used malware to gather credentials from FTP clients and Outlook.|
|Enterprise|T1486|Data Encrypted for Impact|TA505 has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.|
|Enterprise|T1173|Dynamic Data Exchange|TA505 has leveraged malicious Word documents that abused DDE.|
|Enterprise|T1027|Obfuscated Files or Information|TA505 has password-protected malicious Word documents and used base64-encoded PowerShell commands.|
|Enterprise|T1086|PowerShell|TA505 has used PowerShell to download and execute malware and reconnaissance scripts.|
|Enterprise|T1105|Remote File Copy|TA505 has downloaded additional malware to execute on victim systems.|
| | | |TA505 has leveraged|
|Enterprise|T1218|Signed Binary Proxy Execution|TA505 has used|
|Enterprise|T1193|Spearphishing Attachment|TA505 has used spearphishing emails with malicious attachments to initially compromise victims.|
|Enterprise|T1192|Spearphishing Link|TA505 has sent spearphishing emails containing malicious links.|
|Enterprise|T1204|User Execution|TA505 has used lures to get users to click links in emails and attachments, enable content in malicious attachments, and execute malicious files contained in archives. For example, TA505 makes its malware look like legitimate Microsoft Word documents, .pdf files, or .lnk files.|
- Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
- Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.