TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]

ID: G1037
Version: 1.0
Created: 17 September 2024
Last Modified: 17 September 2024

Techniques Used

Domain ID Name Use

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

TA577 has used BAT files in malware execution chains.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

TA577 has used JavaScript to execute additional malicious payloads.[1]

Enterprise T1586.002 Compromise Accounts: Email Accounts

TA577 has sent thread-hijacked messages from compromised email accounts.[1]

Enterprise T1027.009 Obfuscated Files or Information: Embedded Payloads

TA577 has used LNK files to execute embedded DLLs.[1]

Enterprise T1566.002 Phishing: Spearphishing Link

TA577 has sent emails containing links to malicious JavaScript files.[1]

Enterprise T1204.001 User Execution: Malicious Link

TA577 has lured users into executing malicious JavaScript files by sending malicious links via email.[1]

Software

ID Name References Techniques
S1160 Latrodectus [1] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Data Encoding: Standard Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: NTFS File Attributes, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Name or Location, Multi-Stage Channels, Native API, Network Share Discovery, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Remote Services: VNC, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Shutdown/Reboot, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service, Windows Management Instrumentation
S1145 Pikabot [1] Account Discovery: Local Account, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Debugger Evasion, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, Exfiltration Over C2 Channel, Native API, Non-Standard Port, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Embedded Payloads, Process Injection: Thread Execution Hijacking, Process Injection: Portable Executable Injection, Reflective Code Loading, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks
S0650 QakBot [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade File Type, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: HTML Smuggling, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: External Proxy, Remote System Discovery, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, Software Discovery, Steal Web Session Cookie, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Mark-of-the-Web Bypass, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation

References