From Dridex to CLOP, the evolution of the TA505 group scrutinized by Anssi

De Dridex à CLOP, l’évolution du groupe TA505 passé au crible par l’Anssi Cybersecurity

The TA505 group (Threat actor 505, editor’s note) owes its name to the Proofpoint teams, who were the first to identify and analyze the activity of this very active group since 2014 in a report published in 2017. Since then, we can follow the TA505 activity, which has evolved and gained competence over the years to continue its criminal activities online.

The first part of the report focuses on the activity of the TA505 group in the period from 2014 to 2018. Anssi believes that “until 2017, its activity seems to focus on the distribution of banking Trojans and ransomware. ” And in this area, TA505 plays with well known malware: the group is thus one of the first to have distributed the banking malware Dridex, as of July 2014. This premature use of Dridex has led some analysts to believe that TA505 was at the origin of the Dridex malware (and we had also relayed this error), but Anssi considers the group as “affiliates” of the Dridex botnet, probably close to the Evil Corp group, which operates the botnet.

Besides Dridex, TA505 also stood out in 2016 by massively distributing the Locky ransomware. But here too, TA505 is a simple affiliate, recalls Anssi, which here takes over the conclusions of Proofpoint. The group also uses other strains of ransomware in several other campaigns.

The turning point of 2018

In 2018, the modus operandi of the group changed: “TA505 then gradually decreases its distribution of malicious banking and ransomware codes to move to the distribution of backdoors,” said the agency report. The group passes to more sophisticated attacks going beyond the simple execution of malicious software on the computers of its targets: TA505 now aims to compromise the entire information system of its targets, sometimes reselling the access obtained to other groups.

From Dridex to CLOP, the evolution of the TA505 group scrutinized by Anssi

During this period, the tools and malware used by the group evolve in order to adapt to their new modes of activity. The initial vector of infection remains the same: phishing e-mail containing a malicious attachment or a link to a malicious site. As a payload, “TA505 has a diverse arsenal of attack to deploy among victims who have executed its malicious attachments. It is made up of codes which are both publicly available and commercially available on the black market, or which appear to be exclusive to it ”.

The group thus used a variety of malware, experimenting with different tools. ANSSI nonetheless indicates that the group seems to be focusing on the use of the Get2 malware, in conjunction with the FlawedGrace backdoor and the SDBot malware. He is also a primary user of the FlawedAmmyy backdoor, RAT (Remote Administration Tool) malware.

TA505 makes extensive use of commercially available or open source tools: Anssi thus notes the use of Mimikatz for privilege escalation, of the PingCastle utility in order to locate weaknesses in the target’s Active Directory or still using the Cobalt Strike penetration testing tool.

TA505 still encrypts the devices of its targets, but now uses the CLOP ransomware. Anssi had published a document last year revisiting the specifics of ransomware, suspected of having been the malware used in the attack that paralyzed the Rouen teaching hospital.

At the heart of the ecosystem

The constant evolution of TA505’s methods and tools makes its identification sometimes difficult, and its links with other known cybercriminal groups do not simplify the matter. ANSSI notes that the group has links and similarities with the Lazarus, Silence, FIN7 groups, the operators of the Necurs botnet or the Evil Corp group, operator of the Dridex botnet.

As the report contemplates: “It is possible that TA505 is a hacker-for-hire, that is to say a service provider in compromise and quali fi cation of access within SI”. Anssi considers that the group could carry out attacks both on its own account and on behalf of its “customers”. CERT-FR also publishes indicators of compromise linked to the group’s previous attacks, in order to help companies better detect the group’s actions.


Rate article