TA505

TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.[1][2][3]

ID: G0092
Associated Groups: Hive0065
Version: 1.1
Created: 28 May 2019
Last Modified: 23 June 2020

Associated Group Descriptions

Name Description
Hive0065 [9]

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[7]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA505 has used HTTP to communiate with C2 nodes.[9]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[1][5][4][10]

.005 Command and Scripting Interpreter: Visual Basic

TA505 has used VBS for code execution.[1][2][7][9]

.007 Command and Scripting Interpreter: JavaScript/JScript

TA505 has used JavaScript for code execution.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

TA505 has executed commands using cmd.exe.[7]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TA505 has used malware to gather credentials from Internet Explorer.[1]

Enterprise T1486 Data Encrypted for Impact

TA505 has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[1]

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[7]

Enterprise T1105 Ingress Tool Transfer

TA505 has downloaded additional malware to execute on victim systems.[4][10][5]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

TA505 has leveraged malicious Word documents that abused DDE.[2]

Enterprise T1027 Obfuscated Files or Information

TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.[1][4][10]

.002 Software Packing

TA505 has used UPX to obscure malicious code.[9]

Enterprise T1069 Permission Groups Discovery

TA505 has used TinyMet to enumerate members of privileged groups.[9] TA505 has also run net group /domain.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[1][2][3][4][5][6][7][8][9]

.002 Phishing: Spearphishing Link

TA505 has sent spearphishing emails containing malicious links.[1][3][7][8]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

TA505 has been seen injecting a DLL into winword.exe.[9]

Enterprise T1218 .007 Signed Binary Proxy Execution: Msiexec

TA505 has used msiexec to download and execute malicious Windows Installer files.[4][10][7]

.011 Signed Binary Proxy Execution: Rundll32

TA505 has leveraged rundll32.exe to execute malicious DLLs.[4][10]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[4][10][7]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TA505 has used malware to gather credentials from FTP clients and Outlook.[1]

Enterprise T1204 .002 User Execution: Malicious File

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][4][5][6][7][8][9]

.001 User Execution: Malicious Link

TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][4][5][6][7][8]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

TA505 has used stolen domain admin accounts to compromise additional hosts.[9]

Software

ID Name References Techniques
S0384 Dridex

[1][2][9]

Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Man in the Browser, Proxy, Remote Access Software
S0381 FlawedAmmyy

[6][7][8]

Application Layer Protocol: Web Protocols, Commonly Used Port, Data Obfuscation, Encrypted Channel: Symmetric Cryptography, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0383 FlawedGrace

[3][7][8]

Commonly Used Port, Obfuscated Files or Information
S0460 Get2

[8]

Application Layer Protocol: Web Protocols, Command and Scripting Interpreter, Process Discovery, Process Injection: Dynamic-link Library Injection, System Information Discovery, System Owner/User Discovery
S0039 Net

[7]

Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0461 SDBot

[8][9]

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Image File Execution Options Injection, Event Triggered Execution: Application Shimming, File and Directory Discovery, Indicator Removal on Host, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Process Injection: Dynamic-link Library Injection, Proxy, Remote Services: Remote Desktop Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture
S0382 ServHelper

[3][4][10][7]

Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Encrypted Channel: Asymmetric Cryptography, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery
S0266 TrickBot

[1][9]

Account Discovery: Email Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Man in the Browser, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File

References