Activities of the TA505 cybergang combed with a fine comb


From Dridex and Locky to Clop, the TA505 cybercriminal group has spread a great deal of malware that is as dangerous as it is devastating. France's Government Center for Monitoring, Warning and Response to Computer Attacks (CERT-FR) has published a report tracing the evolution of its activities since 2014.

What do the Dridex and TrickBot trojans and the Locky and Clop ransomware have in common? TA505. Behind this name is a gang of cybercriminals, most likely of Russian origin, that has for years made a name for itself in the flourishing business of cybercrime operations built on this malware. After zooming in on the origins and uses of Dridex last May, France's Government Center for Monitoring, Warning and Response to Computer Attacks (CERT-FR) has now examined how the activity of the cybercriminal group TA505 has evolved.

“Often confused with the cybercriminal group Evil Corp (operating the Dridex botnet and the BitPaymer ransomware), and sometimes considered to be the operator of the Necurs botnet, TA505 uses an evolving attack arsenal which it deploys in varied and sometimes simultaneous campaigns, which can lead to confusion about its motivations,” says CERT-FR. “As such, the links it presents with Lazarus and Silence suggest that TA505 may run campaigns on its own account as well as campaigns on behalf of its customers.”

A variety of targets and sectors

Although TA505 only began to be talked about in 2017, the creation of this cybercriminal group dates back at least to 2014, according to the government monitoring and alert center. As for targets, no one has been left out: the largest sectors have all been hit by bursts of cyberattacks from this group, among them the automotive industry (January 2018), the financial sector (October, November and December 2018), the hotel industry (December 2018 to March 2019), banks (June-July 2019), government agencies (July-August 2019), education (December 2019) and health and pharmaceuticals (January-March 2020).

At the start of its activities in 2017, TA505 was mainly occupied with distributing malware through large phishing campaigns, mostly via the Necurs botnet. Then, in 2018, the group turned to distributing backdoors, going as far as compromising an entire information system. Besides Necurs, TA505 is also believed to have used its own Amadey botnet to push its malicious payloads. “This operating mode also spoofs the sending addresses of its emails, which makes it difficult to analyze its email distribution infrastructure,” notes CERT-FR. To better deceive its targets and fully exploit social engineering techniques, TA505 has, since the second half of 2019 and into the start of this year, been sending attachments consisting of HTML pages booby-trapped with malicious JavaScript code that redirects the target to a compromised website.

The perfect hacker toolbox

As for the tools used by TA505, several first-stage malicious codes were tested, according to the monitoring center, including Quant Loader, Marap, Amadey and Andromut (aka Gelup). “The TA505 operating mode therefore does not seem to hesitate to set aside some of its attack codes in order to test others. Despite this, a trend emerges: it seems to use the first-stage malicious code Get2 on a more regular basis, the backdoor component of which is also called Friendspeak,” specifies CERT-FR. Among the second-stage malware used are FlawedAmmyy, tRat, RMS (RmanSyst), ServHelper, FlawedGrace, FlowerPippi and SDBbot. To explore the information system, the group moved laterally within it, helped by the Cobalt Strike and TinyMet penetration testing tools, using several methods: PowerSploit on the one hand, and AdFind to map the information system on the other. Mimikatz, for its part, was used to collect authentication credentials on compromised machines, and Locky and Clop for malicious encryption.

“In October 2019, the latter sent direct links to its phishing pages in its malicious emails. It then used URL shorteners to hide these malicious links. In late February 2020, it abandoned the URL shortener strategy and started using HTML attachments containing JavaScript that redirects from a compromised site, further complicating email detection. In addition, some of its redirect pages include a link to, a service allowing the operating mode to inspect the IP addresses visiting these pages. Finally, it has already been observed that the operating mode's phishing pages distributed empty Office documents when someone other than the victim visited them,” explains CERT-FR, which warns of a particularly worrying threat embodied by TA505 for 2020.
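The HTML-attachment-with-JavaScript-redirect delivery described above is exactly the kind of thing a mail gateway can flag before a document is ever opened. As an added illustration (not code from CERT-FR or from the article), the following Python scans a message for HTML attachments carrying script or meta-refresh redirects and reports the URLs they point to; the message and the `compromised-site.invalid` URL are constructed samples, not real TA505 artefacts.

```python
"""Flag HTML email attachments that redirect the reader via JavaScript
or a meta refresh. Constructed sample message; not a real TA505 artefact."""
import email
import re
from email import policy

# Constructed sample: a plain-text body plus an HTML attachment whose
# script sends the reader to an external (supposedly compromised) site.
SAMPLE_EML = b"""From: accounting@example.invalid
To: victim@example.invalid
Subject: Invoice 2020-03
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please find the invoice attached.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>Loading...<script>
window.location.href = "http://compromised-site.invalid/doc";
</script></body></html>
--b1--
"""

# Redirect primitives seen in such lures: location assignment/replace, meta refresh.
REDIRECT_PATTERNS = [
    re.compile(r"(window\.|document\.)?location(\.href|\.replace\(|\s*=)", re.I),
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def html_attachments(raw: bytes):
    """Yield (filename, text) for every text/html part sent as an attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if (part.get_content_type() == "text/html"
                and part.get_content_disposition() == "attachment"):
            yield part.get_filename(), part.get_content()

def scan(raw: bytes):
    """Return [(filename, [urls])] for HTML attachments with script or redirects."""
    findings = []
    for name, text in html_attachments(raw):
        suspicious = "<script" in text.lower() or any(p.search(text) for p in REDIRECT_PATTERNS)
        if suspicious:
            findings.append((name, URL_RE.findall(text)))
    return findings
```

In practice the reported URL is what you would hand to URL reputation or sandbox detonation; an HTML attachment that contains any script at all is rare enough in business mail that the script check alone is a useful trigger.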
