TA505

Threat Actor updated 6 months ago (2024-05-04T20:17:40.039Z)
Download STIX
Preview STIX
TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersecurity and Infrastructure Agency (CISA) estimated that TA505 had compromised more than 3,000 US-based organizations and approximately 8,000 victims globally. This group has leveraged CL0P ransomware in its attacks and has exploited zero-day vulnerabilities such as the MOVEit exploit, emphasizing the need for enhanced cybersecurity measures. The group's recent campaigns have involved the use of Get2, a new downloader malware written in C++, and SDBbot, a new remote access Trojan (RAT) also written in C++ and delivered by the Get2 downloader. These campaigns culminated with the deployment of Get2 and SDBbot in September and October of 2019. Furthermore, TA505 has been linked to other criminal hacking groups like BeagleBoyz, potentially contracting them for initial access development. In addition to its own activities, TA505 has been associated with Raspberry Robin, a popular initial access option for threat actors contributing to major breaches of public and private sector organizations. Other crime groups associated with Raspberry Robin include EvilCorp, among others. This malware acts as an initial access broker for these groups, continually shifting its delivery methods and improving its stealthiness. Therefore, understanding TA505's operations and affiliations is crucial for developing effective defenses against this significant cyber threat.
Description last updated: 2024-05-04T16:08:43.607Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Clop is a possible alias for TA505. Clop, also known as Cl0p, is a ransomware group primarily targeting financial gain by holding data or services hostage. This Russian-speaking cybercriminal organization began exploiting a zero-day vulnerability, CVE-2023-34362, in Progress Software's MOVEit secure file transfer software on May 27, 2
9
fin11 is a possible alias for TA505. FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
5
CVE-2023-34362 is a possible alias for TA505. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it
4
Truebot is a possible alias for TA505. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow
3
cl0p is a possible alias for TA505. Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at
3
Lace Tempest is a possible alias for TA505. Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
3
Snakefly is a possible alias for TA505. Snakefly, also known as FIN11 and TA505, is a threat actor known for its malicious activities primarily aimed at organizations in North America and Europe. The group is financially motivated and has been active since at least early 2019. Snakefly is particularly associated with the deployment of Cl0
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
exploitation
Moveit
Zero Day
Exploit
Payload
Phishing
Mft
Cybercrime
Microsoft
Trojan
Vulnerability
Cobalt Strike
CISA
exploited
Extortion
Rat
Backdoor
Web Shell
Ransom
Papercut
Exploits
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Get2 Malware is associated with TA505. Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mosUnspecified
4
The FlawedGrace Malware is associated with TA505. FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, TrueboUnspecified
4
The Dridex Malware is associated with TA505. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group taUnspecified
4
The Lobshot Malware is associated with TA505. Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded inUnspecified
3
The truebot malware Malware is associated with TA505. Truebot malware is a malicious software that infiltrates computer systems, often without the user's knowledge, to exploit and damage the device. It was primarily delivered by cyber threat actors via malicious phishing email attachments, but newer versions observed in 2023 also gained initial access Unspecified
2
The Dewmode Malware is associated with TA505. DEWMODE is a malicious web shell malware, written in PHP, designed to interact with MySQL databases and specifically target Accellion FTA devices. It operates by infiltrating the compromised network and exfiltrating data. During 2020-2021, threat actor group TA505 exploited several zero-day vulnerabUnspecified
2
The Sdbot Malware is associated with TA505. SDBot is a malicious software, or malware, that has been leveraged by threat actors known as TA505 and CL0P to exploit vulnerabilities in computer systems. It is used as a backdoor to enable the execution of commands and functions in the compromised computer, often without the user's knowledge. The Unspecified
2
The Raspberry Robin Malware is associated with TA505. Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obsUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Evil Corp Threat Actor is associated with TA505. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybeUnspecified
4
The FIN7 Threat Actor is associated with TA505. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability CVE-2023-27351 is associated with TA505. Unspecified
2
The CVE-2023-27350 Vulnerability is associated with TA505. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first updaUnspecified
2
Source Document References
Information about the TA505 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
9 months ago
Checkpoint
9 months ago
Checkpoint
9 months ago
Unit42
9 months ago
CERT-EU
10 months ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago