TA505  (Back to overview)


TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.


Associated Families
win.dridex win.flawedgrace win.locky win.rms win.servhelper

References
1 http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
1 http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html
1 https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/
1 https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
1 https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/
1 https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/
1 https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
1 https://blog.yoroi.company/research/ta505-is-expanding-its-operations/
https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
1 https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/
2 https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
1 https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
1 https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
https://threatpost.com/ta505-servhelper-malware/140792/
1 https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
1 https://viql.github.io/dridex/
1 https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/
1 https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/
https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/
1 https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
1 https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
1 https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
1 https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html
1 https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/
1 https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
1 https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
1 https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem
https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png
2 https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
1 https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/

Credits: MISP Project