TA505

aka: SectorJ04 Group

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via the Necurs botnet. Other malware associated with TA505 includes the Philadelphia and GlobeImposter ransomware families.


Associated Families
win.andromut win.dridex win.flawedammyy win.flawedgrace win.locky win.rms win.servhelper

References
http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html
https://adalogics.com/blog/the-state-of-advanced-code-injections
https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/
https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/
https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/
https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://blog.yoroi.company/research/ta505-is-expanding-its-operations/
https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/
https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf
https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
https://github.com/Coldzer0/Ammyy-v3
https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
https://threatpost.com/ta505-servhelper-malware/140792/
https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/
https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
https://viql.github.io/dridex/
https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/
https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/
https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/
https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html
https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/
https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem
https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat
https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
https://www.youtube.com/watch?v=N4f2e8Mygag

Credits: MISP Project