TA505 | APT Profile

Description

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)

Techniques Used (TTPs)

T1087.003 — Email Account (discovery)
T1583.001 — Domains (resource-development)
T1553.005 — Mark-of-the-Web Bypass (defense-evasion)
T1218.007 — Msiexec (defense-evasion)
T1112 — Modify Registry (defense-evasion, persistence)
T1588.002 — Tool (resource-development)
T1204.002 — Malicious File (execution)
T1568.001 — Fast Flux DNS (command-and-control)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1027.002 — Software Packing (defense-evasion)
T1552.001 — Credentials In Files (credential-access)
T1059.005 — Visual Basic (execution)
T1059.007 — JavaScript (execution)
T1204.001 — Malicious Link (execution)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1608.001 — Upload Malware (resource-development)
T1218.011 — Rundll32 (defense-evasion)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1555.003 — Credentials from Web Browsers (credential-access)
T1027.010 — Command Obfuscation (defense-evasion)
T1069 — Permission Groups Discovery (discovery)
T1105 — Ingress Tool Transfer (command-and-control)
T1588.001 — Malware (resource-development)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1553.002 — Code Signing (defense-evasion)
T1486 — Data Encrypted for Impact (impact)
T1059.001 — PowerShell (execution)
T1566.001 — Spearphishing Attachment (initial-access)
T1106 — Native API (execution)
T1566.002 — Spearphishing Link (initial-access)
T1559.002 — Dynamic Data Exchange (execution)
T1055.001 — Dynamic-link Library Injection (defense-evasion, privilege-escalation)
T1071.001 — Web Protocols (command-and-control)
T1059.003 — Windows Command Shell (execution)

Total TTPs: 34

Malware & Tools

Malware: Amadey, Azorult, Clop, Cobalt Strike, Dridex, FlawedAmmyy, FlawedGrace, Get2, SDBbot, ServHelper, TrickBot

Tools: AdFind, BloodHound, Mimikatz, Net, PowerSploit

← Return to Home ← Back to APT Search