TA577

Threat Actor Profile Updated 5 days ago
TA577 is a threat actor known for its extensive use of QBot (QakBot), a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that had begun using Latrodectus, a new malware family, in three separate intrusion campaigns. The group typically starts an intrusion by hijacking existing email threads and deceiving recipients into opening attachments or following embedded links.

Despite the takedown of QakBot, TA577 has continued its operations, underscoring the persistence of such criminal organizations and highlighting that truly disrupting them requires apprehending the individuals responsible. TA577, along with other actors, has been associated with both Qbot and the new Latrodectus campaigns; Latrodectus was first spotted in operations linked to TA577. While the intrusion attempts of both TA577 and another threat actor, TA578, begin with email delivery, the intermediate steps used to download Latrodectus samples differ slightly between the two. TA577 has also exploited an NTLM authentication vulnerability, further demonstrating its evolving tactics.

By mid-January 2024, TA577 had come to rely almost exclusively on Latrodectus for its operations, according to one report. After these campaigns, however, the group switched back to Pikabot. The evolution of TA577's strategies and its resilience after the QakBot takedown mark it as a persistent and adaptable threat actor, so it remains crucial for defenders to stay current and vigilant against its evolving tradecraft.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): profile description
Pikabot (4 votes): PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d…
Miscellaneous Associations
Other contextual elements that could help in assessing relevance.
Proofpoint
Malware
Ransomware
Exploits
Phishing
Cybercrime
Associated Malware
ID (type; votes): profile description
Qbot (Unspecified; 5 votes): Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs…
QakBot (Unspecified; 4 votes): Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl…
Latrodectus (Unspecified; 4 votes): Latrodectus, a new type of malware discovered in late 2023, is being used by Initial Access Brokers (IABs) in email threat campaigns. Initially mistaken for a variant of the well-known IcedID malware due to similar characteristics, researchers at Proofpoint and Team Cymru S2 Threat Research Team hav…
IcedID (Unspecified; 2 votes): IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat…
Ducktail (Unspecified; 1 vote): "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys…
Black Basta (Unspecified; 1 vote): Black Basta is a notorious malware group known for its malicious software, specifically ransomware attacks. Since early 2022, the Black Basta Ransomware gang has been actively involved in cybercrimes, amassing at least $107 million in Bitcoin ransom payments. The group's modus operandi involves expl…
Associated Threat Actors
ID (type; votes): profile description
Battleroyal (Unspecified; 2 votes): BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen…
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the TA577 threat actor was read from the document corpus listed below. This display is limited to 20 results.
Source (created): title
Recorded Future (5 days ago): 2023 Adversary Infrastructure Report | Recorded Future
Pulsedive (a month ago): Pulsedive Blog | Latrodectus Threat Research
InfoSecurity-magazine (3 months ago): New Malware "Latrodectus" Linked to IcedID
BankInfoSecurity (3 months ago): Sophisticated Latrodectus Malware Linked to 2017 Strain
DARKReading (3 months ago): Latrodectus Downloader Picks Up Where QBot Left Off
CERT-EU (4 months ago): New Email Scam Targets NTLM Hashes in Covert Data Theft Operation
CERT-EU (4 months ago): Cyber Security Week in Review: March 8, 2024
CERT-EU (4 months ago): Hackers steal Windows NTLM authentication hashes in phishing attacks
CERT-EU (4 months ago): TA577 Exploits NTLM Authentication Vulnerability
CERT-EU (6 months ago): Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware
Recorded Future (6 months ago): 2023 Adversary Infrastructure Report | Recorded Future
CSO Online (a year ago): Researchers warn of two new variants of potent IcedID malware loader
CERT-EU (8 months ago): DarkGate Gained Popularity for its Covert Nature and Antivirus Evasion
CERT-EU (7 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading (7 months ago): 'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick
Malwarebytes (7 months ago): PikaBot distributed via malicious search ads | Malwarebytes
Malware-traffic-analysis.net (9 months ago): Malware-Traffic-Analysis.net - 2023-10-16 - TA577 IcedID (Bokbot) infection
Malware-traffic-analysis.net (a year ago): Malware-Traffic-Analysis.net - 2023-05-24 - Bye bye Pikabot... We're back to Qak! (obama264 Qakbot infection)