1. Home
  2. Groups
  3. TA551

TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [2]

ID: G0127
Associated Groups: GOLD CABIN, Shathak
Contributors: Shuhei Sasada, Cyber Defense Institute, Inc; Ryo Tamura, SecureBrain Corporation; Shotaro Hamamoto, NEC Solution Innovators, Ltd; Yusuke Niwa, ITOCHU Corporation; Takuma Matsumoto, LAC Co., Ltd
Version: 1.1
Created: 19 March 2021
Last Modified: 30 September 2021

Associated Group Descriptions

Name Description
GOLD CABIN

[1]
Shathak

[3][2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TA551 has used HTTP for C2 communications.[3]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TA551 has used cmd.exe to execute commands.[2]
Enterprise T1132 .001 Data Encoding: Standard Encoding

TA551 has used encoded ASCII text for initial C2 communications.[3]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

TA551 has used a DGA to generate URLs from executed macros.[2][1]
Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.[2]
Enterprise T1105 Ingress Tool Transfer

TA551 has retrieved DLLs and installer binaries for malware execution from C2.[2]
Enterprise T1036 Masquerading

TA551 has masked malware DLLs as dat and jpg files.[2]
Enterprise T1027 Obfuscated Files or Information

TA551 has used obfuscated variable names in a JavaScript configuration file.[3]
.003 Steganography

TA551 has hidden encoded data for malware DLLs in a PNG.[2]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA551 has sent spearphishing attachments with password protected ZIP files.[3][2][1]
Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

TA551 has used mshta.exe to execute malicious payloads.[2]
.010 Signed Binary Proxy Execution: Regsvr32

TA551 has used regsvr32.exe to load malicious DLLs.[3]
.011 Signed Binary Proxy Execution: Rundll32

TA551 has used rundll32.exe to load malicious DLLs.[2]
Enterprise T1204 .002 User Execution: Malicious File

TA551 has prompted users to enable macros within spearphishing attachments to install malware.[2]

Software

ID Name References Techniques
S0483 IcedID [4][3][2][1] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Command and Scripting Interpreter: Visual Basic, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Steganography, Permission Groups Discovery, Phishing: Spearphishing Attachment, Process Injection: Asynchronous Procedure Call, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Msiexec, System Information Discovery, User Execution: Malicious File, Windows Management Instrumentation
S0650 QakBot [5] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: External Proxy, Remote System Discovery, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, Signed Binary Proxy Execution: Msiexec, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, Software Discovery, Steal Web Session Cookie, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation
S0386 Ursnif [4][3][2][1] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process: Windows Service, Data Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information, Process Discovery, Process Injection: Thread Local Storage, Process Injection: Process Hollowing, Proxy, Proxy: Multi-hop Proxy, Query Registry, Replication Through Removable Media, Screen Capture, System Information Discovery, System Service Discovery, Taint Shared Content, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation
S0476 Valak [4][3][2][1] Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Automated Collection, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Credentials from Password Stores: Windows Credential Manager, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Email Collection: Remote Email Collection, Exfiltration Over C2 Channel, Fallback Channels, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Inter-Process Communication: Dynamic Data Exchange, Modify Registry, Multi-Stage Channels, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Windows Management Instrumentation

References

  1. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
  2. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  3. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  1. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  2. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.