TA578

TA578 is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including Latrodectus, IcedID, and Bumblebee.[1][2]

ID: G1038
Version: 1.0
Created: 17 September 2024
Last Modified: 17 September 2024

Techniques Used

Domain ID Name Use

Enterprise T1583.006 Acquire Infrastructure: Web Services

TA578 has used Google Firebase to host malicious scripts.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

TA578 has used JavaScript files in malware execution chains.[1]

Enterprise T1594 Search Victim-Owned Websites

TA578 has filled out contact forms on victims' websites to direct them to adversary-controlled URLs.[1]

Enterprise T1204.001 User Execution: Malicious Link

TA578 has placed malicious links in contact forms on victim sites, often spoofing a copyright complaint, to redirect users to malicious file downloads.[1]
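The two contact-form techniques above (T1594 and T1204.001) are visible to the victim organization before any malware runs: the lure arrives through the site's own form handler. The script below is an added example of triaging those submissions, written for this page and not taken from ATT&CK or from the cited reports. Everything beyond what the page states is an assumption: the lure vocabulary, the choice to treat Firebase-hosted content (firebaseapp.com, web.app, firebasestorage.googleapis.com) and direct archive/script downloads as high risk, the scoring weights and threshold, and the sample submissions, which are constructed.

```python
"""Triage website contact-form submissions for TA578-style lures.

Added example. The form submissions in SAMPLES are constructed for this demo;
the keyword list, host suffixes, weights and threshold are assumptions made
here, not values taken from the TA578 reporting.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Vocabulary of the spoofed copyright complaint used as the lure (assumed list).
LURE_TERMS = ("copyright", "dmca", "infringement", "legal action",
              "takedown", "lawsuit", "stolen images")

# Hosts on which Firebase serves user-controlled content. The page only says
# Firebase was used to host malicious scripts; scoring these is an assumption.
HIGH_RISK_SUFFIXES = ("firebaseapp.com", "web.app",
                      "firebasestorage.googleapis.com")

# A link that ends in one of these is a direct payload download, not a page.
PAYLOAD_EXTS = (".zip", ".js", ".iso", ".img", ".lnk", ".msi", ".dll", ".exe")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def _host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(submission, own_domains):
    """Score one submission; own_domains are the site's legitimate hostnames."""
    text = submission["message"]
    low = text.lower()
    v = Verdict()
    hits = [t for t in LURE_TERMS if t in low]
    if hits:
        v.score += 2
        v.reasons.append("lure terms: " + ", ".join(hits))
    for url in URL_RE.findall(text):
        url = url.rstrip(".,);")           # trailing punctuation is not part of the URL
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        v.urls.append(url)
        if _host_matches(host, own_domains):
            continue                       # links back to our own site are expected
        v.score += 1
        v.reasons.append(f"external link: {host}")
        if _host_matches(host, HIGH_RISK_SUFFIXES):
            v.score += 3
            v.reasons.append(f"user-hosted cloud content: {host}")
        if parsed.path.lower().endswith(PAYLOAD_EXTS):
            v.score += 2
            v.reasons.append("direct download: " + parsed.path.rsplit("/", 1)[-1])
    return v


def is_suspicious(verdict, threshold=5):
    """Threshold chosen so that a legal-sounding message alone does not trip it."""
    return verdict.score >= threshold


# Constructed sample submissions (hostnames are made up for the demo).
OWN_DOMAINS = ("example.com",)
SAMPLES = [
    {"from": "buyer@example.net",
     "message": "Hello, could you send me a quote for 50 units? Thanks."},
    {"from": "legal@example.org",
     "message": ("Your website uses images that are my copyrighted work. I have "
                 "documented the infringement here: "
                 "https://case-files-example.web.app/evidence/Copyright_Evidence.zip . "
                 "Remove them or I will take legal action.")},
    {"from": "editor@example.net",
     "message": ("Copyright question: can I reuse the photo at "
                 "https://www.example.com/press/photo.jpg in my newsletter?")},
]


def run_demo():
    """Return (sender, score, suspicious) for each sample, for inspection."""
    out = []
    for s in SAMPLES:
        v = triage(s, OWN_DOMAINS)
        out.append((s["from"], v.score, is_suspicious(v)))
    return out


if __name__ == "__main__":
    for sender, score, flagged in run_demo():
        print(f"{sender:<22} score={score:<2} {'SUSPICIOUS' if flagged else 'ok'}")
```

Of the three constructed samples only the second is flagged: a copyright threat with no link, or a link back to the site itself, scores below the threshold, so the signal is the combination of the lure theme with an external download rather than either on its own. In practice the verdict would be fed into the form handler's review queue rather than used to block silently, since genuine takedown notices do arrive through the same channel.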

Software

ID Name References Techniques
S1039 Bumblebee [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Archive Collected Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Process Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Shared Modules, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Odbcconf, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation
S0483 IcedID [1] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Command and Scripting Interpreter: Visual Basic, Domain Trust Discovery, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Native API, Network Share Discovery, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Software Packing, Permission Groups Discovery, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Process Injection: Asynchronous Procedure Call, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion, Windows Management Instrumentation
S1160 Latrodectus [1][2] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Data Encoding: Standard Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: NTFS File Attributes, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Name or Location, Multi-Stage Channels, Native API, Network Share Discovery, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Remote Services: VNC, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Shutdown/Reboot, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service, Windows Management Instrumentation

References