TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.
| Domain | ID | Name |
|---|---|---|
| Enterprise | T1503 | Credentials from Web Browsers |
| Enterprise | T1081 | Credentials in Files |
| Enterprise | T1486 | Data Encrypted for Impact |
| Enterprise | T1173 | Dynamic Data Exchange |
| Enterprise | T1027 | Obfuscated Files or Information |
| Enterprise | T1105 | Remote File Copy |
| Enterprise | T1218 | Signed Binary Proxy Execution |

TA505 has used lures to get users to click links in emails and attachments, enable content in malicious attachments, and execute malicious files contained in archives. For example, TA505 makes its malware look like legitimate Microsoft Word documents, .pdf files, and/or .lnk files.