>samit_hota
Back to adversary profiles
G0092CriticalActive

TA505 Threat Profile: An Evolving and Persistent Cybercrime Syndicate

Samit Hota·
Suspected Origin
Russia or former Soviet states
Motivation
Financial Gain, Ransomware-as-a-Service (RaaS), Initial Access Brokering
Aliases
Hive0065, Spandex Tempest, CHIMBORAZO
Target Sectors
Financial, Healthcare, Government, Education, Retail, Supply Chain, Energy, Manufacturing, Hospitality, Aerospace, Pharmaceuticals
Associated Malware
Dridex, Clop, Locky, FlawedAmmyy, FlawedGrace, SDBbot, Get2, Amadey, Trickbot, GlobeImposter, Philadelphia, Jaff, Bart, Shifu, TinyMet, Cobalt Strike, Azorult, EmailStealer, Quant Loader, DreamSmasher, GandCrab, ServHelper, TrueBot, Macaw Locker, MirrorBlast, KiXtart Loader, AndroMut, Pony, Neutrino, Rockloader, Gelup, MINEBRIDGE, Kegotip, CryptoLocker, CryptoMix, Snatch, REvil, Hive, LockBit
#threat-actor#g0092

Overview

TA505, tracked by MITRE ATT&CK as G0092, is a highly prolific and adaptive cybercrime group that has been actively operating since at least 2014, with some intelligence suggesting its origins date back to 2006. Operating primarily out of Russia or former Soviet states, including Commonwealth of Independent States (CIS) countries, TA505 is unequivocally driven by financial gain. This group distinguishes itself through its consistent innovation, rapidly shifting its tactics, techniques, and procedures (TTPs), and frequently cycling through a vast arsenal of malware. Over the years, TA505 has emerged as a significant trendsetter in global criminal malware distribution, often leading with new attack vectors or payloads that other groups subsequently adopt.

Initially gaining notoriety for widespread banking Trojan campaigns, TA505 has evolved to become a prominent player in the ransomware-as-a-service (RaaS) ecosystem, operating its own Clop ransomware and functioning as an initial access broker (IAB) for other threat actors. Their operational model often involves compromising corporate networks, conducting reconnaissance, and then selling that access to other malicious groups, while also engaging in “Big Game Hunting” ransomware operations directly. The group’s extensive reach means they target organizations globally across a wide array of sectors, generally avoiding targets within CIS nations.

Tactics & Techniques

TA505’s operational success stems from its methodical approach to compromise and monetization, characterized by a constantly evolving set of tactics and techniques. Initial access frequently begins with high-volume, well-crafted spear-phishing or malspam campaigns. These emails often employ deceptive lures, such as fake invoices, HR notices, banking alerts, or shipping notifications, and contain malicious attachments or links. Attachments vary widely, including malicious Microsoft Office documents (Excel or Word with macros), HTML files, password-protected documents, ISO files containing LNK files, and JavaScript or VBScript files.

Beyond social engineering, TA505 has demonstrated a sophisticated capability for exploiting zero-day vulnerabilities in widely used enterprise software. Notably, they have targeted vulnerabilities in Accellion File Transfer Appliance (FTA) devices (2019-2020), Fortra/Linoma GoAnywhere MFT servers (early 2023), and Progress Software’s MOVEit Transfer solution (May 2023 onwards). These exploits allow them to gain initial access, often deploying web shells like LEMURLOOT for persistent access and data exfiltration.

Once initial access is established, TA505 deploys various downloaders, such as Get2 or AndroMut, to fetch subsequent payloads. They frequently utilize remote access Trojans (RATs) like FlawedAmmyy, FlawedGrace, SDBbot, or ServHelper for persistence, reconnaissance, and command and control (C2). For execution, they leverage legitimate Windows processes and “living off the land” binaries (LOLbins) like msiexec.exe, rundll32.exe, powershell.exe, and cmd.exe to download and execute malicious code, often obscured with base64 encoding.

The group is adept at defense evasion, using custom packers, UPX compression, and even disabling Windows Defender through Registry modifications. For internal reconnaissance and lateral movement, they employ tools like AdFind, BloodHound, Mimikatz, PowerSploit, and TinyMet to enumerate privileged groups or gather credentials. They have also been observed using internal Remote Desktop Protocol (RDP) for lateral movement and stealing credentials from applications like FTP clients and Outlook. Data exfiltration is a critical phase, conducted rapidly, sometimes utilizing tools like PuTTY SFTP client or web shells. Their ultimate impact is often the deployment of ransomware or data extortion via dedicated leak sites.

Notable Campaigns

TA505’s operational history is marked by several high-profile and impactful campaigns that illustrate their adaptive nature. In 2016-2017, the group was responsible for mass-scale distribution of Locky ransomware through extensive phishing operations. They continued to drive trends, introducing new ransomware strains like Jaff, Bart, Philadelphia, and GlobeImposter into their malicious spam campaigns.

A significant shift occurred around 2019-2020 when TA505 began focusing heavily on targeted ransomware attacks, particularly with the Clop ransomware strain. This period saw them exploit vulnerabilities in Accellion FTA devices. Notable incidents during this time included the infection of Maastricht University in December 2019, which led to a €250,000 ransom payment, and attacks impacting the University Hospital Center of Rouen in France.

TA505 continued its zero-day exploitation strategy into 2023, with attacks leveraging vulnerabilities in Fortra/Linoma GoAnywhere MFT servers in early 2023. Most recently, beginning in May 2023, the group launched an extensive campaign exploiting multiple zero-day vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708, CVE-2023-36932, CVE-2023-36933, CVE-2023-36934) in Progress Software’s MOVEit Transfer managed file transfer solution. This campaign impacted numerous organizations globally, including several U.S. government agencies, resulting in widespread data theft and subsequent Clop ransomware deployment or extortion threats via their dedicated leak site.

Beyond these major ransomware campaigns, TA505 has consistently conducted broad malicious email campaigns, such as those observed in September-October 2021, which distributed updated versions of FlawedGrace and new loaders like KiXtart and MirrorBlast, targeting diverse industries across North America and German-speaking countries. The group has also been known to capitalize on current events, like the COVID-19 pandemic, and leverage critical vulnerabilities such as ZeroLogon in their attacks.

Associated Malware & Tools

TA505’s ability to consistently evolve is mirrored in its diverse and frequently updated malware and toolset. The group has been associated with numerous banking Trojans and information stealers, including the infamous Dridex, Shifu, Trickbot, Zeus, Pony, Azorult, and EmailStealer.

Their ransomware operations have utilized a broad spectrum of strains, such as Clop (their primary ransomware), Locky, Jaff, Bart, Philadelphia, GlobeImposter, GandCrab, Macaw Locker, CryptoLocker, CryptoMix, Snatch, Rapid, and DoppelPaymer. Furthermore, TA505 functions within a Ransomware-as-a-Service (RaaS) model, having been observed operating as an affiliate or developer for other prominent ransomware groups like LockBit, Hive, and REvil.

For remote access and post-exploitation activities, TA505 relies on a suite of RATs and backdoors. These include FlawedAmmyy, FlawedGrace, SDBbot, Get2 (often serving as a loader for SDBbot), ServHelper, TinyMet, and Remote Manipulator System (RMS). The group employs various loaders and downloaders in their initial infection chains, such as AndroMut, Get2, Quant Loader, Lerspeng, MirrorBlast, KiXtart Loader, Rockloader, Gelup, MINEBRIDGE, Kegotip, and Dudear.

Beyond custom malware, TA505 integrates commercially available penetration testing and administrative tools into its operations. These include Cobalt Strike for beaconing and command execution, and utilities like AdFind, BloodHound, Mimikatz, and PowerSploit for reconnaissance and privilege escalation. They also deploy web shells such as LEMURLOOT to maintain access to compromised web servers. The group is known to employ custom packers to evade detection.

Current Status

TA505 remains a highly active and enduring threat group. As of mid-2023, the Canadian Centre for Cyber Security assessed that TA505 would very likely continue to pose a significant threat to organizations internationally into 2024 and beyond. Their persistent exploitation of zero-day vulnerabilities, most notably the MOVEit Transfer campaign in May 2023, underscores their ongoing capability and intent to conduct large-scale, impactful operations.

While there’s a possibility of temporary pauses in ransomware operations to evade law enforcement pressure, TA505 is expected to continue utilizing its proprietary Clop ransomware and consistently develop new TTPs. The group’s operational structure resembles that of a sophisticated enterprise, with significant investments in research and development to secure the best tools and expertise. Their dual role as both a direct ransomware operator and a major initial access broker for other cybercriminal syndicates ensures their continued relevance and influence within the global threat landscape. Organizations across all sectors should anticipate sustained threats from TA505 and remain vigilant against their constantly evolving attack methodologies.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call