TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.
1
http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
|
1
http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html
|
1
https://adalogics.com/blog/the-state-of-advanced-code-injections
|
1
https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/
|
1
https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
|
1
https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/
|
1
https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/
|
2
https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/
|
1
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
|
1
https://blog.yoroi.company/research/ta505-is-expanding-its-operations/
|
https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
|
1
https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/
|
1
https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf
|
2
https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
|
1
https://github.com/Coldzer0/Ammyy-v3
|
1
https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/
|
1
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
|
2
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
|
1
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
|
https://threatpost.com/ta505-servhelper-malware/140792/
|
2
https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/
|
1
https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
|
1
https://viql.github.io/dridex/
|
1
https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/
|
1
https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/
|
https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/
|
1
https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
|
1
https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
|
1
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
|
1
https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
|
1
https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html
|
1
https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/
|
1
https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
|
1
https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
|
1
https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem
|
https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png
|
1
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat
|
2
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
|
1
https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat
|
2
https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south
|
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
|
1
https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930
|
1
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
|
1
https://www.youtube.com/watch?v=N4f2e8Mygag
|