TA505 (MITRE ATT&CK G0092)
Also known as: SectorJ04 · SectorJ04 Group · GRACEFUL SPIDER · GOLD TAHOE · Dudear · G0092 · ATK103 · Hive0065 · CHIMBORAZO · Spandex Tempest · TA505
Origin: RU
Known aliases: 11
Target sectors: 5
Profile
TA505, the name given by Proofpoint, is a financially motivated cybercrime group that has been active since at least 2014. It is the group behind the Dridex banking trojan and Locky ransomware, which it distributed in large-scale malicious email campaigns sent through the Necurs botnet. Other malware associated with TA505 includes the Philadelphia and GlobeImposter ransomware families; later campaigns added backdoors and remote-access tools such as ServHelper and FlawedGrace, an email stealer, and the abuse of legitimate remote-access software and living-off-the-land binaries (LOLBins), as documented in the references below.
Aliases· 11
SectorJ04 · SectorJ04 Group · GRACEFUL SPIDER · GOLD TAHOE · Dudear · ATK103 · Hive0065 · CHIMBORAZO · Spandex Tempest · TA505
Target sectors· 5
Education · Finance · Health · Retail · Hospitality
Known victims· 16
- Australia
- Canada
- Czech Republic
- Germany
- Hungary
- India
- Japan
- Romania
- Serbia
- Singapore
- South Korea
- Spain
MITRE ATT&CK Group crosswalk: G0092
Compliance frameworks testing this (incoming)· 7
| Type | Target | Confidence | Tier |
|---|---|---|---|
| ComplianceControl | tiber_eu-closure | 100% | live |
| ComplianceControl | pci_dss_v4-r6 | 100% | live |
| ComplianceControl | tiber_eu-testing | 100% | live |
| ComplianceControl | ai_act-art73 | 100% | live |
| ComplianceControl | ai_act-art9 | 100% | live |
| ComplianceControl | cra-art14 | 100% | live |
| ComplianceControl | pci_dss_v4-r7 | 100% | live |
References
- https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/
- https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
- https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
- https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
- https://threatpost.com/ta505-servhelper-malware/140792/
- https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
- https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/