TA505

Also known as: Hive0065 · Spandex Tempest · CHIMBORAZO

Overview

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.

Targets

Education · Finance · Healthcare · Hospitality · Retail

Regions

Australia · Canada · Czech Republic · Germany · Hungary · India · Japan · Romania · Serbia · Singapore · South Korea · Spain · Thailand · Turkey · United Kingdom · United States

Capabilities

Custom malware/implant development — ATT&CK: 11 attributed custom malware families

TTPs — 34 techniques across 9 tactics

Resource Development

T1583.001 Domains
T1588.001 Malware
T1588.002 Tool
T1608.001 Upload Malware

Defense Impairment

Credential Access

T1552.001 Credentials In Files
T1555.003 Credentials from Web Browsers

Discovery

T1069 Permission Groups Discovery
T1087.003 Email Account

Command and Control

T1071.001 Web Protocols
T1105 Ingress Tool Transfer
T1568.001 Fast Flux DNS

Impact

T1486 Data Encrypted for Impact

Tools & malware (16)

AdFind · Clop · Azorult · FlawedAmmyy · Mimikatz · Dridex · TrickBot · Get2 · FlawedGrace · Cobalt Strike · ServHelper · BloodHound · Amadey · SDBbot · Net · PowerSploit

Reporting (3)

How Microsoft names threat actors — Microsoft
TA505: A Brief History of Their Time — Terefos, A
TA505 Continues to Infect Networks With SDBbot RAT — Frydrych, M