TA505: attacking industries around the world

Minhee Lee (Financial Security Institute) & Daegyu Kang (Financial Security Institute)
Last December, Maastricht University of the Netherlands was infected with the Clop ransomware distributed by TA505 and paid the attackers around €250,000. In November, the attacks of TA505 caused great damage in many companies and institutions in Europe, the United States and Asia, including the University Hospital Center of Rouen in France.

TA505 is an organized crime group that has been active since 2014. It is a threat group that has attacked foreign financial and energy sectors using various malware such as Dridex, Locky ransomware, and TrickBot.

TA505 characteristically executes its attacks along a full cyber attack life cycle. It sends large numbers of spear-phishing emails, skilfully disguised as bills, résumés, airline tickets, etc., to employees of the target organization in order to induce infection. An infection on a single corporate PC can spread to multiple PCs on the corporate network, leading to the leakage of important corporate information and to large-scale damage from the encryption of important business-related files.

Based on the timeline and the information collected over about one year from February 2019, when TA505's attacks began to occur on a large scale, we intensively analysed TA505's cyber attacks and classified its attack methods. We also found evidence from which a relationship can be inferred between TA505, which carried out these cyber attacks, and the FIN7 threat group, which has carried out attacks to steal US financial information since 2015.

Among the threat groups that target South Korea, the Kimsuky group primarily aims to cause social chaos and to surveil North Korean defectors and politicians, while the Scarcruft group aims to steal and destroy data from prominent institutions and political organizations in South Korea. Unlike these two groups, TA505 attacks companies in order to seize corporate information and gain financial benefit. In addition, unlike ordinary ransomware, which is distributed to a large number of unspecified individuals, TA505 distributes its ransomware to companies, which are more likely to pay for recovery when their files are encrypted.

First, we will examine the attack TTPs of the TA505 group and analyse how its malware has changed over time, along with the main code of the malware that has been distributed.

Second, statistics from approximately 610,000 spear-phishing emails will be analysed.

Third, while tracking the IPs used by TA505 as malware distribution and C&C servers, we discovered that these same IPs also hosted phishing pages disguised as legitimate sites such as NAVER (a well-known portal site in South Korea), Google, Microsoft and Apple.

Fourth, analysis revealed that the TA505 and FIN7 threat groups are very similar in their C&C server IPs and in the life cycle of their cyber attacks, including the malware used at each stage. The results of analysing the relationship between these two groups are described. The attack techniques used by FIN7 and TA505 were classified, and the techniques common to each type of attack were categorized.

Finally, an analysis of recent trends will be described.

This session will help defenders respond quickly to attacks from TA505 using the TTPs, IoCs and hunting rules derived from the analysis in this presentation. Also, given TA505's association with FIN7, future TA505 attacks may resemble those of FIN7, which may help in proactively responding to them.
Minhee Lee (Financial Security Institute)

Minhee Lee works in threat analysis in the Computer Emergency Analysis Team of the FSI (Financial Security Institute in South Korea). She mainly analyses ransomware and info-stealer malware distributed to the financial sector. She is also in charge of verifying vulnerabilities received through a bug bounty operated by the FSI. Before joining the FSI, she worked in the AhnLab malware analysis team. She is interested in malware analysis, especially deep analysis of the algorithms used by malware, and in tracking down threat groups. She is the main author of the threat intelligence report "Follow the trail of TA505", published by the FSI in 2020.

Dae-Gyu Kang (Financial Security Institute)

Dae-Gyu Kang works in the Security Operation Center of the FSI (Financial Security Institute in South Korea). He mainly carries out malicious code analysis and research, and completed the K-Shield training programme hosted by the Korea Internet & Security Agency (KISA). In addition to research on adversarial machine learning, he recently assisted in analysing and tracking the TA505 group. Currently, he conducts security threat research on the dark web while performing network security work in the financial sector.