TA505 Group

Who Is TA505?

TA505 is a prolific, financially motivated cybercrime group active since 2014 and a significant player in the global cybercrime scene. TA505 has taken many different roles: ransomware-as-a-service (RaaS) operator, affiliate of other apex RaaS operators, initial access broker (IAB), customer of other IABs selling access to compromised corporate networks, and operator of large botnets used for financial fraud and phishing attacks.

TA505 is considered one of the largest, if not the largest, phishing and malspam distributors worldwide and is estimated to have compromised more than 3,000 US-based and 8,000 global organizations.

TA505 uses a sophisticated and ever-shifting set of tactics, techniques, and procedures (TTP) as they attempt to outpace the evolving cybersecurity landscape with novel and undetectable exploits. From 2014 until 2018, TA505's primary attack strategy was using Dridex botnets to operate infostealing campaigns and targeting the financial sector using stolen credentials. However, since 2018 TA505 has shifted its focus to target universities, hospitals, and manufacturing companies with ransomware as its primary modus operandi and selectively infecting victims with cryptocurrency mining malware.

TA505's Tactics, Techniques, and Procedures (TTP)

TA505's attack TTP and use of malware toolkits have evolved significantly during their lifespan. The group is known to orchestrate attacks using a wide array of popular malware payloads such as Dridex, Trickbot, and Locky, as well as built-in Windows tools and customized malware exclusive to TA505. TA505 is also known for a long-term cyberattack lifecycle; they will dwell in a target's network conducting reconnaissance for weeks—even months—while avoiding detection to identify the highest value target possible.

Malware Strains Used by TA505

Dridex (AKA Bugat, Cridex): an infostealer and trojan with sophisticated botnet capabilities. Dridex was one of the first malware strains in heavy use by TA505

Trickbot: a sophisticated multi-purpose attack tool first used by TA505 in 2017

FlawedGrace (AKA Gracewire): a remote access trojan (RAT) almost exclusively used by TA505 since 2018

FlawedAmmyy: a second-stage malware that establishes a connection to TA505's remote command and control (C2) servers that can import additional attack tools

Snatch: an infostealer that exfiltrates sensitive data such as login credentials and personal data

SDBbot: an application shimming malware that injects malicious code into a standard process each time an infected system is booted

ServHelper: a prevalent RAT malware with first- and second-stage capabilities used by TA505 from November 2018 to mid-2019

TinyMet: a RAT malware with additional functionality to delete system logs and eliminate traces of a malware infection

TeslaGun: a GUI tool for managing ServHelper malware that fetches the infected host's CPU, GPU, RAM, and internet connection speed and launches crypto-mining malware on suitable victims

Get2 (AKA Friendspeak): a social networking app used by TA505 for phishing and spreading malware infections to grow zombie botnet operations

Quant Loader: a simple second-stage downloader commonly distributed on dark web sites and used by TA505 since 2018

Marap: a somewhat sophisticated second-stage downloader that avoids detection and maintains persistence

Andromut (AKA Gelup): an Android-specific downloader with anti-analysis obfuscation exclusively used by TA505 in 2019

Remote Manipulator System (RMS or RmanSyS): a legitimate system administration tool developed by the Russian company TEKTONIT, in use by TA505 from November 2018 until June 2019

FlowerPippi: a first-stage system reconnaissance, downloader, and simple RAT

MineDoor: a malware that targets servers running the popular Minecraft game and uses the infected servers to mine cryptocurrency

Additional TA505 attack TTP include:

  • Compromising Remote Desktop Protocol (RDP) connections to corporate networks
  • Utilizing a "Living Off The Land" (LOTL) attack strategy that utilizes existing preinstalled Windows system tools and commands
  • Leveraging legitimate pen-testing and remote access tools such as Cobalt Strike
  • Using Dridex, Necurs, and Amadey botnets to automate fraudulent financial transactions and for phishing and malspam distribution
  • Migrating C2 proxy servers within and between data centers for increased detection avoidance
  • Using a wide number of distinct ransomware strains, including Locky, Bart, Jaff, Scarab, Philadelphia, GlobeImposter, GandCrab, and Clop (which is exclusively developed and used by TA505)
  • Operating as an intermediary broker in both the sale and purchase of initial access to corporate networks as both a RaaS operator and affiliate
  • Digitally signing their malware using stolen private keys from legitimate software vendors and decoding software binaries in memory to avoid detection from endpoint security products
  • Using known Active Directory and SMB vulnerabilities to move laterally through a victim's network
  • Installing PHP web shells on compromised websites to maintain remote control and using the infected site to spread malicious documents and links
  • Detecting and disabling IT security tools, including Malwarebytes, Webroot, Panda Security, ESET, Kaspersky, AppCheck, Windows Defender, and Microsoft Security Essentials
  • Impersonating standard online file-sharing tools such as DropBox, OneDrive, and Google Drive
  • Displaying fake malware scan graphics to instill a false sense of security in victims

Signs of a TA505 Attack

Malware researchers have released many known malware signatures, command and control (C2) domains and IP addresses, and attack tactics associated with TA505. However, TA505 has been able to quickly adjust its TTPs, offensive toolkit, and infrastructure, so published IOCs alone cannot be relied on to defend an IT environment. TA505 has also occasionally reused older TTP, so organizations should develop a defense-in-depth approach to managing their cybersecurity risk.
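The TTP list above and the point about stale IOCs both suggest the same defensive lesson: match on behavior (an Office process spawning a scripting host, a command that disables an endpoint product) in addition to published infrastructure indicators. The following script is an added example written for this page, not code from BlackBerry, Cylance, or any TA505 research; it triages a handful of constructed, simplified Sysmon-like process-creation records. The IOC addresses are placeholders from the documentation IP ranges, the security-product process names are assumed typical names (MsMpEng.exe for Windows Defender, mbamservice.exe, ekrn.exe, wrsa.exe), and the event records themselves are constructed for the demonstration.

```python
"""Behavior-based triage of constructed endpoint telemetry (added example, not page code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed placeholder "published" IOCs (TEST-NET ranges). Attackers who migrate
# C2 proxies between data centers leave this list stale, which the events below show.
STALE_C2_IOCS = {"203.0.113.10", "198.51.100.7"}

# Office parents spawning LOTL binaries is the classic malicious-document chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOTL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                 "regsvr32.exe", "rundll32.exe", "msiexec.exe", "certutil.exe"}

# Assumed typical process names of endpoint products the page says TA505 disables.
SECURITY_PROCESSES = {"msmpeng.exe", "mbamservice.exe", "ekrn.exe", "wrsa.exe"}
# Command-line fragments that turn Windows Defender off (lower-cased for matching).
TAMPER_MARKERS = ("set-mppreference -disablerealtimemonitoring", "sc stop windefend",
                  "sc config windefend start= disabled")


@dataclass
class Event:
    ts: str
    host: str
    parent: str   # parent image name
    image: str    # created process image name
    cmdline: str
    dst_ip: str = ""  # first outbound connection made by the process, if any


def rule_stale_c2_ioc(e: Event) -> bool:
    """Static indicator match: only fires while the published address is still in use."""
    return e.dst_ip in STALE_C2_IOCS


def rule_office_spawns_lotl_binary(e: Event) -> bool:
    """Behavioral: an Office application launching a script host or LOLBin."""
    return e.parent.lower() in OFFICE_PARENTS and e.image.lower() in LOTL_CHILDREN


def rule_security_tool_tamper(e: Event) -> bool:
    """Behavioral: Defender being disabled, or a security product process being killed."""
    cmd = e.cmdline.lower()
    if any(marker in cmd for marker in TAMPER_MARKERS):
        return True
    # taskkill is only suspicious here when aimed at a known security product.
    return e.image.lower() == "taskkill.exe" and any(p in cmd for p in SECURITY_PROCESSES)


RULES: Dict[str, Callable[[Event], bool]] = {
    "stale_c2_ioc": rule_stale_c2_ioc,
    "office_spawns_lotl_binary": rule_office_spawns_lotl_binary,
    "security_tool_tamper": rule_security_tool_tamper,
}


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, rule_name) for every rule that matches an event."""
    return [(e.ts, e.host, name) for e in events for name, rule in RULES.items() if rule(e)]


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(name for _, _, name in findings))


# Constructed sample telemetry: one benign chain, one malicious-document chain that
# beacons to an address NOT on the IOC list (migrated infrastructure), one hit on a
# still-valid IOC, two tamper commands, and one ordinary taskkill that must not fire.
EVENTS = [
    Event("09:00:01", "ws-017", "explorer.exe", "chrome.exe", "chrome.exe", "192.0.2.5"),
    Event("09:02:14", "ws-017", "WINWORD.EXE", "powershell.exe",
          "powershell.exe -w hidden -nop -enc PLACEHOLDER", "192.0.2.44"),
    Event("09:03:40", "ws-017", "svchost.exe", "rundll32.exe",
          r"rundll32.exe C:\Users\Public\update.dll,Start", "203.0.113.10"),
    Event("09:10:05", "srv-02", "cmd.exe", "powershell.exe",
          "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("09:10:09", "srv-02", "cmd.exe", "taskkill.exe", "taskkill /F /IM MsMpEng.exe"),
    Event("09:15:00", "srv-02", "cmd.exe", "taskkill.exe", "taskkill /F /IM notepad.exe"),
]

if __name__ == "__main__":
    for ts, host, rule in triage(EVENTS):
        print(f"{ts} {host:<7} {rule}")
    print(summarize(triage(EVENTS)))
```

The second event is the one that matters: the beacon address is not on the indicator list, so a purely IOC-driven defense stays silent, while the parent-child rule still fires. Real deployments would replace the constructed records with Sysmon Event ID 1 and 3 data and tune the LOLBin and product lists to the environment.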

How to Prevent a TA505 Attack

  • Implement modern Identity and Access Management (IAM) tools
  • Install and configure advanced endpoint security products on all endpoints to detect indicators of compromise (IOC) and take defensive action to block Trickbot payloads from executing
  • Implement Zero Trust solutions wherever possible, giving priority to critical systems
  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
  • Implement strong network security including least privilege, segmentation of critical services, role-based access controls, multi-factor authentication, and defense in depth to reduce the potential damage of stolen credentials
  • Segment networks and add NIPS and NIDS to monitor network activity for anomalous behavior
  • Harden all endpoints, including employee workstations and servers, by disabling command-line and scripting activities and permissions and unrequired services to reduce the potential for living off the land (LOTL) attacks
  • Implement a reliable backup strategy with well-protected offline backups and practice disaster recovery procedures to ensure mean-time-to-recovery (MTTR) targets can be met

CylanceOPTICS Prevents Ransomware Attacks

CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our Endpoint Detection and Response (EDR) approach effectively eliminates response latency. It can be the difference between a minor security incident and a widespread, uncontrolled event.