TA577

Threat Actor updated 3 months ago (2024-07-09T14:17:37.231Z)
TA577 is a threat actor known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that had begun using Latrodectus, a new malware family, in three separate intrusion campaigns. The group typically starts intrusions by hijacking existing email threads and deceiving victims into opening attachments or clicking embedded links. Despite the takedown of QakBot, TA577 has continued its operations, underscoring the persistence of such criminal organizations and showing that truly disrupting them requires apprehending the individuals responsible. TA577, along with other actors, has been associated with both Qbot and the newer Latrodectus campaigns; the Latrodectus strain was first spotted in operations linked to TA577. While the intrusion attempts by both TA577 and another threat actor, TA578, begin with email delivery, the intermediary steps each takes to download Latrodectus samples differ slightly. TA577 has also exploited an NTLM authentication vulnerability, further demonstrating its evolving tactics. By mid-January 2024, TA577 had relied almost exclusively on Latrodectus for its operations, according to a report; after those campaigns, however, the group switched back to Pikabot. The evolution of TA577's strategies and its resilience after the QakBot takedown mark it as a persistent and adaptable threat actor, so cybersecurity defenses must stay updated and vigilant against these evolving threats.
Description last updated: 2024-07-09T13:20:43.070Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias description (votes)
Pikabot (possible alias for TA577; 4 votes): Pikabot is a type of malware that serves as a trojan, providing initial access to infected computers. This enables the execution of ransomware deployments, remote takeovers, and data theft. It is part of a wider array of malicious software, including IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoa
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Proofpoint
Ransomware
Associated Malware
Alias description (association type; votes)
Qbot (Unspecified; 5 votes): Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi
QakBot (Unspecified; 4 votes): Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin
Latrodectus (Unspecified; 4 votes): Latrodectus is a malicious software (malware) first discovered in late 2023, which has been gaining momentum among threat actors. Named after a string of code found during analysis, the malware is not a variant of IcedID but shares similar characteristics. This led researchers to conclude that both
IcedID (Unspecified; 2 votes): IcedID is a prominent malware that has been utilized in various cyber-attacks. It functions as a malicious software designed to infiltrate and damage computer systems, often through suspicious downloads, emails, or websites. Once inside a system, IcedID can steal personal information, disrupt operat
Associated Threat Actors
Alias description (association type; votes)
BattleRoyal (Unspecified; 2 votes): BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen
Source Document References
Information about the TA577 threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created)
Recorded Future (3 months ago)
Pulsedive (5 months ago)
InfoSecurity-magazine (6 months ago)
BankInfoSecurity (7 months ago)
DARKReading (7 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (9 months ago)
Recorded Future (9 months ago)
CSO Online (2 years ago)
CERT-EU (a year ago)
CERT-EU (10 months ago)
DARKReading (10 months ago)
Malwarebytes (10 months ago)
Malware-traffic-analysis.net (a year ago)
Malware-traffic-analysis.net (a year ago)