TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]

ID: G1037
Version: 1.0
Created: 17 September 2024
Last Modified: 17 September 2024

Techniques Used

Domain ID Name Use

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

TA577 has used BAT files in malware execution chains.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

TA577 has used JavaScript to execute additional malicious payloads.[1]

Enterprise T1027.009 Obfuscated Files or Information: Embedded Payloads

TA577 has used LNK files to execute embedded DLLs.[1]

Enterprise T1204.001 User Execution: Malicious Link

TA577 has lured users into executing malicious JavaScript files by sending malicious links via email.[1]

Enterprise T1586.002 Compromise Accounts: Email Accounts

TA577 has sent thread-hijacked messages from compromised email accounts.[1]

Enterprise T1566.002 Phishing: Spearphishing Link

TA577 has sent emails containing links to malicious JavaScript files.[1]

Software

ID Name References Techniques

S1160 Latrodectus [1] Windows Management Instrumentation, Data from Local System, Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Domain Trust Discovery, Multi-Stage Channels, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Permission Groups Discovery: Domain Groups, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious Link, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Shutdown/Reboot, System Owner/User Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Virtualization/Sandbox Evasion: System Checks, Debugger Evasion, Account Discovery: Domain Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Inter-Process Communication: Component Object Model, Remote Services: VNC, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Hide Artifacts: NTFS File Attributes, Scheduled Task/Job: Scheduled Task

S1145 Pikabot [1] Encrypted Channel: Symmetric Cryptography, Reflective Code Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Domain Trust Discovery, Execution Guardrails: Environmental Keying, Data Encoding: Standard Encoding, Native API, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Embedded Payloads, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks, Debugger Evasion, Account Discovery: Local Account, Process Injection: Thread Execution Hijacking, Process Injection: Portable Executable Injection, Exfiltration Over C2 Channel, Non-Standard Port

S0650 QakBot [1] Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Proxy: External Proxy, Masquerading: Masquerade File Type, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Dynamic Resolution: Domain Generation Algorithms, Hijack Execution Flow: DLL Side-Loading, Protocol Tunneling, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Domain Trust Discovery, Peripheral Device Discovery, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, File and Directory Discovery, Brute Force, Native API, Permission Groups Discovery: Local Groups, Browser Session Hijacking, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: HTML Smuggling, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Software Packing, User Execution: Malicious Link, User Execution: Malicious File, Email Collection: Local Email Collection, Indicator Removal: File Deletion, Steal Web Session Cookie, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Connections Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, Network Share Discovery, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Software Discovery: Security Software Discovery, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Process Hollowing, Process Injection, Exploitation of Remote Services, Remote System Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Mark-of-the-Web Bypass

References