TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [2]

ID: G0127
Associated Groups: GOLD CABIN, Shathak
Contributors: Shuhei Sasada, Cyber Defense Institute, Inc; Ryo Tamura, SecureBrain Corporation; Shotaro Hamamoto, NEC Solution Innovators, Ltd; Yusuke Niwa, ITOCHU Corporation; Takuma Matsumoto, LAC Co., Ltd
Version: 1.1
Created: 19 March 2021
Last Modified: 30 September 2021

Associated Group Descriptions

Name Description
GOLD CABIN

[1]

Shathak

[3][2]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA551 has used HTTP for C2 communications.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TA551 has used cmd.exe to execute commands.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

TA551 has used encoded ASCII text for initial C2 communications.[3]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

TA551 has used a DGA to generate URLs from executed macros.[2][1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.[2]

Enterprise T1105 Ingress Tool Transfer

TA551 has retrieved DLLs and installer binaries for malware execution from C2.[2]

Enterprise T1036 Masquerading

TA551 has masked malware DLLs as dat and jpg files.[2]

Enterprise T1027 Obfuscated Files or Information

TA551 has used obfuscated variable names in a JavaScript configuration file.[3]

.003 Steganography

TA551 has hidden encoded data for malware DLLs in a PNG.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA551 has sent spearphishing attachments with password protected ZIP files.[3][2][1]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

TA551 has used mshta.exe to execute malicious payloads.[2]

.010 Signed Binary Proxy Execution: Regsvr32

TA551 has used regsvr32.exe to load malicious DLLs.[3]

.011 Signed Binary Proxy Execution: Rundll32

TA551 has used rundll32.exe to load malicious DLLs.[2]

Enterprise T1204 .002 User Execution: Malicious File

TA551 has prompted users to enable macros within spearphishing attachments to install malware.[2]

Software

ID Name References Techniques
S0483 IcedID [4][3][2][1] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Command and Scripting Interpreter: Visual Basic, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Steganography, Permission Groups Discovery, Phishing: Spearphishing Attachment, Process Injection: Asynchronous Procedure Call, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Msiexec, System Information Discovery, User Execution: Malicious File, Windows Management Instrumentation
S0650 QakBot [5] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: External Proxy, Remote System Discovery, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, Signed Binary Proxy Execution: Msiexec, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, Software Discovery, Steal Web Session Cookie, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation
S0386 Ursnif [4][3][2][1] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process: Windows Service, Data Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information, Process Discovery, Process Injection: Thread Local Storage, Process Injection: Process Hollowing, Proxy, Proxy: Multi-hop Proxy, Query Registry, Replication Through Removable Media, Screen Capture, System Information Discovery, System Service Discovery, Taint Shared Content, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation
S0476 Valak [4][3][2][1] Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Automated Collection, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Credentials from Password Stores: Windows Credential Manager, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Email Collection: Remote Email Collection, Exfiltration Over C2 Channel, Fallback Channels, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Inter-Process Communication: Dynamic Data Exchange, Modify Registry, Multi-Stage Channels, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Windows Management Instrumentation

References