TA505  (Back to overview)


TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.


Associated Families
win.andromut win.flawedammyy win.flawedgrace win.locky win.rms win.servhelper win.dridex

References
1 http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
1 http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html
1 https://adalogics.com/blog/the-state-of-advanced-code-injections
1 https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/
1 https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
1 https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/
1 https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/
1 https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
1 https://blog.yoroi.company/research/ta505-is-expanding-its-operations/
https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
1 https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/
1 https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf
2 https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
1 https://github.com/Coldzer0/Ammyy-v3
1 https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/
1 https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
1 https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
https://threatpost.com/ta505-servhelper-malware/140792/
1 https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
1 https://viql.github.io/dridex/
1 https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/
1 https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/
https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/
1 https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
1 https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
1 https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
1 https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
1 https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html
1 https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/
1 https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
1 https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
1 https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem
https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png
1 https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat
2 https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
1 https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat
2 https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
1 https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930
1 https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
1 https://www.youtube.com/watch?v=N4f2e8Mygag

Credits: MISP Project