TA505 Recent Trends Report 10-06-2021

Threat Actor Profile

Threat Actor: TA505

Alias: ATK 103, Chimborazo, Evil Corp, Gold Evergreen, Gold Tahoe, Graceful Spider, Hive0065, SectorJ04, TA 505, TA-505, TA505

Origin: Russia

Description: The threat actor is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2008. They are notable not for their sophistication but for the extraordinary volume of messages they send. The group has leveraged a number of malware families in its campaigns, which also shows its deep connections to underground malware resources. The threat actor is also believed to operate infrastructure that overlaps with that of other threat actors.

Targeted Countries:  Australia, Canada, Czech Republic, Germany, Hungary, India, Japan, Romania, Serbia, Singapore, South Korea, Spain, Thailand, Turkey, UK, and the US

Targeted Industries: Education, Financial, Healthcare, Hospitality, Restaurants, Retail, Supply Chain

Tools/Malware: The group has been known to utilize the following tools and malware in its attack chains:
FlowerPippi, Locky Ransomware, AndroMut, GameOver Zeus, Gelup, Dudear, Get2, Bart, Amadey, CryptoLocker, EmailStealer, FlawedGrace, GlobeImposter Ransomware, Shifu Trojan, TinyMet, SDBbot, Jaff Ransomware, RMS, Dridex, FlawedAmmyy RAT, Philadelphia, Zeus, Clop Ransomware, CryptoMix, RockLoader, Snatch, Pony, ServHelper, MINEBRIDGE, Kegotip, Neutrino

Motive: Financial Crime, Financial Gains, Espionage

Recent Activity:
The threat actor has launched a new ransomware dubbed Macaw Locker to evade US sanctions that prevent victims from making ransom payments. In two of the attacks, the threat actors were observed demanding a 450 bitcoin ransom (about USD 28 million) from one victim and USD 40 million from the other. Macaw Locker appears to have evolved from the WastedLocker ransomware; when launched, it encrypts the victim's files and appends the .macaw extension to each encrypted file name.
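A defender-side detection for the behaviour described above, added here as an example and not part of the CYFIRMA report: it scans file-rename events and flags any host where files gain the .macaw extension in a burst, which is what an encryption run looks like in endpoint telemetry. The log line format, the sample events, the threshold of 5 renames and the 60-second window are all constructed assumptions; only the .macaw extension comes from the report.

```python
# Added example (not CYFIRMA's code): flag hosts where files are renamed to the
# ".macaw" extension in a burst, the behaviour the report attributes to Macaw Locker.
# Log format, threshold and window are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXT = ".macaw"          # extension from the report
THRESHOLD = 5                   # assumed: renames per host within WINDOW to alert
WINDOW = timedelta(seconds=60)  # assumed: sliding window length

# Constructed sample events: "<ISO timestamp> <host> <action> <src> -> <dst>"
SAMPLE_EVENTS = """\
2021-10-06T09:00:01 ws-finance-01 RENAME C:\\Users\\a\\Docs\\q3.xlsx -> C:\\Users\\a\\Docs\\q3.xlsx.macaw
2021-10-06T09:00:02 ws-finance-01 RENAME C:\\Users\\a\\Docs\\plan.docx -> C:\\Users\\a\\Docs\\plan.docx.macaw
2021-10-06T09:00:02 ws-hr-07 RENAME C:\\Users\\b\\old.txt -> C:\\Users\\b\\old.bak
2021-10-06T09:00:03 ws-finance-01 RENAME C:\\Users\\a\\Docs\\notes.txt -> C:\\Users\\a\\Docs\\notes.txt.macaw
2021-10-06T09:00:04 ws-finance-01 RENAME C:\\Users\\a\\Docs\\db.sql -> C:\\Users\\a\\Docs\\db.sql.macaw
2021-10-06T09:00:05 ws-finance-01 RENAME C:\\Users\\a\\Docs\\memo.pdf -> C:\\Users\\a\\Docs\\memo.pdf.macaw
2021-10-06T09:30:00 ws-hr-07 RENAME C:\\Users\\b\\test.txt -> C:\\Users\\b\\test.txt.macaw
"""

def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, host, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), host, action, src, dst

def find_encryption_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {host: time_of_alert} for hosts whose .macaw renames reach
    `threshold` inside any sliding window of length `window`."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, _src, dst = parse_event(line)
        if action == "RENAME" and dst.lower().endswith(SUSPECT_EXT):
            per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = ts  # alert at the event that crossed the threshold
                break
    return alerts
```

On the sample data only ws-finance-01 is flagged; the single .macaw rename on ws-hr-07 stays below the threshold, which is the point of counting in a window rather than alerting on every extension match.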

Details of Recent Campaigns

These recent campaigns are tracked by CYFIRMA and are believed to have been active during the following time frames:

  1. UNC054: Jun 6, 2022 – Jun 7, 2022
  2. UNC053: May 26, 2022 – May 27, 2022
  3. UNC051: Mar 15, 2022 – May 9, 2022
  4. night blood: May 22, 2021 – Mar 16, 2022
  5. UNC031: Jan 15, 2022 – Feb 6, 2022

Trends

Of the 5 campaigns attributed to TA505 that CTI observed this year, most targeted multiple countries across the globe; almost all of them targeted multiple nation-states.

TA505 attacked a total of 35 different nations in only the 5 campaigns observed by CTI, which is unusual compared with other threat actor groups, which often restrict their efforts to geographies of interest and attack them repeatedly. Further, the campaign UNC054 alone targeted 29 countries.

The figure below illustrates all the countries that were targeted in these campaigns.

Most Targeted Countries

The following figure illustrates the targeted countries which were subject to the TA505 campaigns.

The United States, Japan, and the United Kingdom have been the top targets for TA505 and were targeted in all five campaigns.

Most Targeted Technology

TA505 leveraged vulnerabilities in web applications, virtual private network solutions, application server software, and operating systems to infiltrate the networks and systems of potential victims.

The figure illustrates the technologies that were targeted by the threat actor group during these campaigns. From the trends, it can be observed that exploiting weaknesses in web application-related software and products is the method most favoured by TA505.

Targeted Industries

From the campaigns observed by CTI in 2022, TA505 attacked organizations from 25+ industry verticals. The targeted industries include:

  1. Apparel & Luxury Goods
  2. Banks
  3. Chemicals
  4. Construction & Engineering
  5. Construction Materials
  6. Diversified Financial Services
  7. Electronic Equipment
  8. Energy Equipment & Services
  9. Food & Staples Retailing
  10. Government
  11. Health Care Equipment & Supplies
  12. Health Care Technology
  13. Industrial Conglomerates
  14. Instruments & Components
  15. Internet & Direct Marketing Retail
  16. IT Services
  17. Metals & Mining
  18. Personal Products
  19. Real Estate Management & Development
  20. Semiconductors & Semiconductor Equipment
  21. Storage & Peripherals
  22. Technology Hardware
  23. Textiles
  24. Trading Companies & Distributors
  25. Wireless Telecommunication Services

Malware Observed

Below is the list of all the malware used by TA505 in their campaigns.

  1. LockBit Ransomware
  2. Dridex
  3. Clop Ransomware
  4. MirrorBlast
  5. Emotet
  6. Fareit
  7. REvil Ransomware
  8. MineBridge
  9. FlawedAmmyy RAT
  10. Zloader

Dridex appears to be the go-to choice for TA505: of the campaigns observed by CTI, it was used in 4 out of 5.

Attack Type

All of the observed TA505 campaigns relied heavily on exploiting vulnerabilities in internet-exposed systems or applications; deploying ransomware implants alongside other malware was also a common tactic.

MITRE ATT&CK TTPs

Insights

CTI has observed Russian cybercriminal groups, such as TA505 and its affiliates, collaborating with and leveraging ransomware groups such as Conti, LockBit, and REvil as part of the Ransomware-as-a-Service (RaaS) model. Recently, researchers and law enforcement agencies have correlated TA505 (aka Evil Corp) leveraging LockBit ransomware under the RaaS model to target organizations.

CYFIRMA has observed TA505 targeting organizations in the Critical Infrastructure, Energy, Mining, and Manufacturing industries, leveraging ransomware such as LockBit for reconnaissance or potential attacks, under the CYFIRMA-tracked campaigns UNC053 and UNC054. These campaigns are suspected to be retribution from Russia against nations that have imposed sanctions on it over the ongoing Russia–Ukraine conflict.

Recommended Actions

  1. Deploy a unified threat management strategy, including malware detection, deep learning neural networks, and anti-exploit technology, combined with vulnerability and risk mitigation processes.
  2. Deploy a Zero Trust policy that leverages tools like security information management, advanced security analytics platforms, security user behaviour analytics, and other analytics systems to help the organization's security personnel observe in real time what is happening within their networks so they can orient defences more intelligently.
  3. Facilitate security teams with attack surface management capability for continuous discovery, inventory, classification, prioritization, and security monitoring to gain comprehensive visibility of the enterprise environment.
  4. Emphasize the responsible use of social media platforms, and train the workforce on the amount and nature of information being shared.
  5. Plan periodic Red Team exercises to measure the effectiveness of the people, processes, and security technologies used to defend the environment. Red Team exercises help organizations improve security control detection, enhance defensive capabilities, and measure the overall effectiveness of existing security operations.
  6. Perform regular Cyber Benchmarking exercises to benchmark the security performance against industry peers, measure the impact of risk mitigation efforts, and report security progress and results to the Board of Directors more clearly and effectively.
  7. Enable emerging security solutions such as deception technology powered by machine learning, which help with real-time breach detection and prevention.
  8. Classify and segregate the organization's business-critical systems (a.k.a. crown jewels) and apply special security monitoring to those assets.
  9. Ensure applications requiring authentication over the internet are protected with multi-factor authentication.
  10. Ensure a combination of security controls such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate limiting, and account lockout is implemented and adequately strengthened to thwart automated brute-force attacks.
  11. Improve the detection signatures of intrusion detection and prevention systems with custom rules to monitor and alert on network intrusions.
  12. Exert caution when opening email attachments or clicking on embedded links received via email communications.
  13. Update all applications and software regularly with the latest versions and security patches.
  14. Deploy an email filter solution that screens based on headers and malicious content (e.g., malicious macros, infected attachments, etc.), categorizes email, inspects Uniform Resource Locators (URLs) against reputation feeds, and has customizable rule-based filters.
  15. Strip and/or block emails containing active content (e.g., ActiveX, Java, Visual Basic for Applications [VBA]) or macros by default. Administrators should allowlist such content only for legitimate reasons.
  16. Ensure detection signatures and blocklists are up to date.
  17. Implement warning banners to alert users about emails with links and attachments that originate from outside the organization.