Credit goes to attack.mitre.org

TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]

ID: G1037
Version: 1.0
Created: 17 September 2024
Last Modified: 17 September 2024

Techniques Used

Domain ID Name Use

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell
TA577 has used BAT files in malware execution chains.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript
TA577 has used JavaScript to execute additional malicious payloads.[1]

Enterprise T1586.002 Compromise Accounts: Email Accounts
TA577 has sent thread-hijacked messages from compromised email accounts.[1]

Enterprise T1027.009 Obfuscated Files or Information: Embedded Payloads
TA577 has used LNK files to execute embedded DLLs.[1]

Enterprise T1566.002 Phishing: Spearphishing Link
TA577 has sent emails containing links to malicious JavaScript files.[1]

Enterprise T1204.001 User Execution: Malicious Link
TA577 has lured users into executing malicious JavaScript files by sending malicious links via email.[1]
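The T1586.002, T1566.002 and T1204.001 rows describe the same lure: a reply injected into an existing email thread from a compromised account, carrying a link to a JavaScript file. Because the sender really is the legitimate mailbox, sender-domain and SPF/DKIM checks pass; the usable signals are the threading headers plus the link target. The script below is an added example, not code from the ATT&CK page or from any TA577 sample; the message, addresses and domains are constructed for the demo and the scoring rule is a triage heuristic, not a published TA577 signature.

```python
"""Triage heuristic for thread-hijacked replies that link to script files.

Added example (not from the ATT&CK page). The sample .eml, addresses and
domains below are constructed; example.com/.org/.net are reserved names.
"""
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# File types a user could double-click to run script code via wscript/mshta.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample: a "reply" in an existing thread pointing at a .js file.
SAMPLE_EML = b"""\
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.org>
Subject: RE: Q3 invoice
Date: Mon, 1 Jul 2024 09:15:00 +0000
Message-ID: <reply-456@example.com>
In-Reply-To: <orig-123@example.org>
References: <orig-123@example.org>
Content-Type: text/plain; charset=utf-8

Hi Bob, the updated invoice is here:
https://cdn.example.net/share/invoice_q3.js

Regards,
Alice

> On Fri, Bob wrote:
> Alice, can you resend the Q3 invoice?
"""


def body_text(msg):
    """Return the decoded text of the preferred body part ('' if none)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;") for u in URL_RE.findall(text)]


def is_reply(msg, text):
    """True if the message sits inside an existing thread."""
    subject = (msg["Subject"] or "").strip().lower()
    threaded = bool(msg["In-Reply-To"] or msg["References"])
    quoted = any(line.startswith(">") for line in text.splitlines())
    return threaded or subject.startswith(("re:", "fw:", "fwd:")) or quoted


def script_links(urls):
    """Keep only URLs whose path ends in a directly executable script type."""
    return [u for u in urls if urlparse(u).path.lower().endswith(SCRIPT_EXTENSIONS)]


def triage(raw):
    """Parse a raw RFC 5322 message and score it for the reply-plus-script-link lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    links = script_links(extract_urls(text))
    reply = is_reply(msg, text)
    return {
        "from": str(msg["From"]),
        "reply": reply,
        "script_links": links,
        # Both signals together: a thread reply whose only payload is a script file.
        "suspicious": reply and bool(links),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

In production this runs at the mail gateway or over journaled mail; the "reply" signal alone is useless (most mail is a reply), so it is only an amplifier for the script-link signal, and the extension list should be extended with whatever archive types the gateway does not already detonate.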
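The T1059.007, T1059.003 and T1204.001 rows together describe an execution chain: a user opens a JavaScript file, which runs a BAT file, which stages the next payload. On the endpoint that chain is visible as a parent/child sequence in process-creation telemetry. The detector below is an added example, not code from the ATT&CK page or from any TA577 sample; it runs over constructed events in a simplified Sysmon-style shape, and the specific stage ordering (wscript.exe running a .js, then cmd.exe running a .bat, then rundll32.exe or regsvr32.exe loading a DLL) is an assumption for the demo that should be tuned to what is actually observed.

```python
"""Flag JavaScript -> BAT -> DLL-loader execution chains in process-creation events.

Added example, not from the ATT&CK page or any TA577 sample. The event
dicts are a constructed, simplified stand-in for Sysmon Event ID 1 / EDR
process-creation telemetry; pids, paths and file names are invented.
"""
import re

# Constructed sample telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": "browser.exe https://example.invalid/docs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Invoice_2024.js"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\s.dll,Entry"},
    # Benign: an admin running a BAT file from an interactive shell.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\tools\backup.bat"},
]

# Each stage: (regex on the image basename, regex on the command line).
# Ordering is the assumed chain for this demo; adjust to observed tradecraft.
STAGES = [
    (re.compile(r"^(wscript|cscript)\.exe$", re.I), re.compile(r"\.jse?\b", re.I)),
    (re.compile(r"^cmd\.exe$", re.I), re.compile(r"\.(bat|cmd)\b", re.I)),
    (re.compile(r"^(rundll32|regsvr32)\.exe$", re.I), re.compile(r"\.dll\b", re.I)),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _matches(event, stage):
    image_re, cmdline_re = stage
    return bool(image_re.search(_basename(event["image"])) and cmdline_re.search(event["cmdline"]))


def ancestry(events, pid):
    """Return the process chain from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_chains(events, stages=STAGES):
    """Return pids whose ancestry contains every stage in order (gaps allowed).

    Gaps are allowed because droppers often insert an extra conhost/cmd hop
    between stages; the flagged process itself must be the final stage.
    """
    hits = []
    for event in events:
        stage_idx = 0
        for ancestor in ancestry(events, event["pid"]):
            if stage_idx < len(stages) and _matches(ancestor, stages[stage_idx]):
                stage_idx += 1
        if stage_idx == len(stages) and _matches(event, stages[-1]):
            hits.append(event["pid"])
    return hits


def describe(events, pid):
    """Render the ancestry of pid as image basenames, root first."""
    return " > ".join(_basename(e["image"]) for e in ancestry(events, pid))


if __name__ == "__main__":
    for pid in find_chains(EVENTS):
        print(f"pid {pid}: {describe(EVENTS, pid)}")
```

The benign cmd.exe (pid 600) is not flagged because nothing in its ancestry matches the script-host stage; a rule that keyed on "cmd.exe /c *.bat" alone would page on every login script.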
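The T1027.009 row says TA577 used LNK files that execute embedded DLLs. The page does not say how the DLL is embedded; one common construction is to append the payload as an overlay after the last Shell Link structure, with the LNK's own command line carving it back out. The parser below is an added example, not code from the ATT&CK page or from any TA577 sample: it walks the [MS-SHLLINK] structures to find where the legitimate file ends and reports any trailing data. The sample LNK is built by the script itself, and its rundll32 target and arguments are hypothetical.

```python
"""Detect payload data appended after the end of a Windows Shell Link (.lnk).

Added example, not from the ATT&CK page. Assumes the embedded DLL is an
overlay after the LNK structures; the sample LNK below is constructed and
its target/arguments are hypothetical. Offsets follow [MS-SHLLINK].
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-0046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data):
    """Walk the LNK structures; return (string fields, offset where they end)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        (size,) = struct.unpack_from("<H", data, pos)  # IDListSize excludes itself
        pos += 2 + size
    if flags & HAS_LINK_INFO:
        (size,) = struct.unpack_from("<I", data, pos)  # LinkInfoSize includes itself
        pos += size
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
            pos += 2
            if flags & IS_UNICODE:
                strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                strings[name] = data[pos:pos + count].decode("latin-1")
                pos += count
    # ExtraData: blocks prefixed by a uint32 BlockSize; a size < 4 is the TerminalBlock.
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos)
        if size < 4:
            pos += 4
            break
        pos += size
    return strings, pos


def find_overlay(data):
    """Return (bytes after the LNK structures, whether they start with an MZ header)."""
    _, end = parse_lnk(data)
    overlay = data[end:]
    return overlay, overlay[:2] == b"MZ"


def _utf16_string(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(overlay=b""):
    """Constructed LNK with only a relative path and arguments, plus an optional overlay."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, size, icon, showcmd, hotkey
    body = _utf16_string(r"..\..\..\Windows\System32\rundll32.exe")
    body += _utf16_string(r"C:\Users\Public\payload.dll,Entry")  # hypothetical arguments
    terminal = struct.pack("<I", 0)
    return header + body + terminal + overlay


if __name__ == "__main__":
    sample = build_sample_lnk(b"MZ" + b"\x00" * 30)
    fields, end = parse_lnk(sample)
    overlay, looks_pe = find_overlay(sample)
    print(fields, "structures end at", end, "overlay bytes:", len(overlay), "MZ:", looks_pe)
```

A trailing overlay is not proof on its own (some tools leave padding), but an MZ header after the TerminalBlock, or any overlay on a link whose arguments invoke findstr, certutil, powershell or rundll32, is worth pulling for analysis; real samples also hide the payload in a LinkInfo or ExtraData block, so compare the parsed end offset with the file size rather than trusting the TerminalBlock alone.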

Software

ID Name References Techniques
S1160 Latrodectus [1] Account Discovery: Domain Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Data Encoding: Standard Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: NTFS File Attributes, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Resource Name or Location, Multi-Stage Channels, Native API, Network Share Discovery, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Remote Services: VNC, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Shutdown/Reboot, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service, Windows Management Instrumentation
S1145 Pikabot [1] Account Discovery: Local Account, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Debugger Evasion, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, Exfiltration Over C2 Channel, Native API, Non-Standard Port, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Embedded Payloads, Process Injection: Thread Execution Hijacking, Process Injection: Portable Executable Injection, Reflective Code Loading, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks
S0650 QakBot [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade File Type, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: HTML Smuggling, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Software Packing, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: External Proxy, Remote System Discovery, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, Software Discovery, Steal Web Session Cookie, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Mark-of-the-Web Bypass, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation

References