
TA505

Posted: April 30, 2019

TA505 is a group of threat actors who specialize in for-profit threats, which they may distribute briefly or over a long period. Examples of TA505 attacks include the file-locking Trojan Bart Ransomware, various banking Trojans, and multiple RATs (Remote Access Trojans). Users can remove TA505 malware with appropriate anti-malware tools and should be careful with e-mail interactions that may lead to an attack.

A Gang of Computer-Age Larcenists That Just Will Not Stop

Of the different threat actors using Black Hat methods to turn crime into a profitable business, TA505 is among the least likely to have its success disputed. This group of criminals, while not engaged in state-sponsored data exfiltration or sabotage, exhibits a degree of persistence and organization that malware experts would ordinarily associate with such operations. After several years of surveillance, TA505 has shown itself responsible both for statistical anomalies on the Dark Web and for notable shifts in distribution and attack methodology.

Although most of TA505's infection vectors are e-mail-based, they don't spam random users but instead target particular industries, such as the banking and retail sectors. These messages use custom templates per attack to convince workers to open them, and a large share of them carry malicious macros that trigger drive-by downloads. TA505 uses different Trojan downloaders for many campaigns, although some, such as ServHelper, recur.

Some of the more noteworthy non-loader threats that malware researchers have previously connected to TA505 include:

  • The FlawedGrace RAT of 2017 with modular support and features ranging from collecting passwords to supposed OS destruction.
  • The Bart Ransomware, which holds files for ransom inside of a password-locked ZIP archive.
  • The AMMYY RAT, which includes anti-NAT functionality and emphasizes compatibility with 32-bit and 64-bit corporate environments.
  • Dridex, a banking Trojan that can hijack your browser and intercept input that's related to banking activities.
  • The Globe Imposter Ransomware, a Ransomware-as-a-Service family that imitates its Globe Ransomware competitor.

However, this list is only a partial summary, and more campaigns can be expected from TA505 in the future.

Attacking the Profits of the Cyber-Crime Sector

The regularity with which TA505 updates old threats and adjusts its campaigns with the introduction of new ones is noteworthy for a for-profit enterprise that, presumably, has no overt government backing. The changes in delivery methods they have incorporated demonstrate the viability of attacks such as RDP-enabling reverse tunneling, phishing lures like fake PDF plugins on specially crafted Web pages, and living-off-the-land binaries (LOLBins). Updates are prolific, although the last-stage payload always focuses on gaining backdoor control or generating profit in some way.

In spite of the variety of tools in its kit, TA505 in many cases still depends on e-mail for making initial contact. Workers who are well-informed about fake invoices, workplace faxes, industry-interest articles, and other phishing tactics should spot many infection attempts. No user should ever open an e-mail attachment or link from an unrecognized sender, and macros should only be enabled when their safety has been fully verified. Anti-malware services can remove many TA505 threats but cannot necessarily undo the damage, such as password theft, that results from an infection.

TA505 delivers millions upon millions of attacks to users around the world with the same regularity with which any business performs its usual transactions and activities. However, their victims always have the choice of not doing 'business' with them – by not opening something that is probably unsafe.
