TA577

Threat Actor updated 2 months ago (2024-07-09T14:17:37.231Z)
TA577 is a threat actor known for its extensive use of QBot (also known as QakBot), a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that had begun using Latrodectus, a new malware, in three separate intrusion campaigns. The group typically starts an intrusion by hijacking existing email threads and deceiving victims into opening attachments or following embedded links.

Despite the takedown of QakBot, TA577 has continued to operate, underscoring the persistence of such criminal organizations and showing that truly disrupting them requires apprehending the individuals responsible. TA577, along with other actors, has been associated with both Qbot and the newer Latrodectus campaign; Latrodectus was first spotted in operations linked to TA577. While the intrusion attempts of both TA577 and another threat actor, TA578, begin with email delivery, the intermediary steps each takes to download Latrodectus samples differ slightly. TA577 has also exploited an NTLM authentication vulnerability, further demonstrating its evolving tactics.

By mid-January 2024, according to one report, TA577 relied almost exclusively on Latrodectus; after those campaigns, however, the group switched back to Pikabot. The evolution of TA577's tooling and its resilience after the QakBot takedown mark it as a persistent and adaptable threat actor, so defenses must stay current and vigilant against these evolving threats.
Description last updated: 2024-07-09T13:20:43.070Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Pikabot (4 votes): PikaBot is a malicious software (malware) known for providing initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft. It's part of an array of malware families such as IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoader, among others, which have been
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Proofpoint
Ransomware
Analyst Notes & Discussion
Associated Malware
Qbot (type: Unspecified, 5 votes): Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
QakBot (type: Unspecified, 4 votes): Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw
Latrodectus (type: Unspecified, 4 votes): Latrodectus, a new type of malware discovered in late 2023, is being used by Initial Access Brokers (IABs) in email threat campaigns. Initially mistaken for a variant of the well-known IcedID malware due to similar characteristics, researchers at Proofpoint and Team Cymru S2 Threat Research Team hav
IcedID (type: Unspecified, 2 votes): IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth
Associated Threat Actors
Battleroyal (type: Unspecified, 2 votes): BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen
Source Document References
Information about the TA577 Threat Actor was read from the documents in the corpus listed below. This display is limited to 20 results.
Source (created): Title
Recorded Future (2 months ago): 2023 Adversary Infrastructure Report | Recorded Future
Pulsedive (3 months ago): Pulsedive Blog | Latrodectus Threat Research
InfoSecurity-magazine (5 months ago): New Malware “Latrodectus” Linked to IcedID
BankInfoSecurity (5 months ago): Sophisticated Latrodectus Malware Linked to 2017 Strain
DARKReading (5 months ago): Latrodectus Downloader Picks Up Where QBot Left Off
CERT-EU (6 months ago): New Email Scam Targets NTLM Hashes in Covert Data Theft Operation
CERT-EU (6 months ago): Cyber Security Week in Review: March 8, 2024
CERT-EU (6 months ago): Hackers steal Windows NTLM authentication hashes in phishing attacks
CERT-EU (6 months ago): TA577 Exploits NTLM Authentication Vulnerability
CERT-EU (8 months ago): Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware
Recorded Future (8 months ago): 2023 Adversary Infrastructure Report | Recorded Future
CSO Online (a year ago): Researchers warn of two new variants of potent IcedID malware loader
CERT-EU (10 months ago): DarkGate Gained Popularity for its Covert Nature and Antivirus Evasion
CERT-EU (9 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading (9 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick
Malwarebytes (9 months ago): PikaBot distributed via malicious search ads | Malwarebytes
Malware-traffic-analysis.net (a year ago): Malware-Traffic-Analysis.net - 2023-10-16 - TA577 IcedID (Bokbot) infection
Malware-traffic-analysis.net (a year ago): Malware-Traffic-Analysis.net - 2023-05-24 - Bye bye Pikabot... We're back to Qak! (obama264 Qakbot infection)