TA577

Threat Actor updated 4 days ago (2024-11-29T13:32:45.423Z)
TA577 is a threat actor known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that had begun using Latrodectus, a new malware, in three separate intrusion campaigns. The group typically starts intrusions by hijacking existing email threads and deceiving victims into opening attachments or clicking embedded links. Despite the takedown of QakBot, TA577 has continued operating, underscoring the persistence of such criminal organizations and highlighting that apprehending the individuals responsible is needed to truly disrupt such operations. TA577, along with other actors, has been associated with both Qbot and the newer Latrodectus campaigns; Latrodectus was first spotted in operations linked to TA577. While the intrusion attempts by both TA577 and another threat actor, TA578, begin with email delivery, the intermediary steps used to download Latrodectus samples differ slightly between the two. TA577 also exploited an NTLM authentication vulnerability, further demonstrating its evolving tactics. By mid-January 2024, TA577 had relied almost exclusively on Latrodectus, according to one report; after these campaigns, however, the group switched back to Pikabot. The evolution of TA577's tradecraft and its resilience after the QakBot takedown mark it as a persistent and adaptable threat actor, so defenders need to keep their detections and defenses current against its changing toolset.
Description last updated: 2024-07-09T13:20:43.070Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names or profiles that may also be worth reviewing.
Pikabot (4 votes): Pikabot is a possible alias for TA577. Pikabot is a malicious software (malware) that has been used extensively by various threat groups to exploit and damage computer systems. Initially, the BlackBasta group used phishing and vishing to deliver malware types such as DarkGate and Pikabot but quickly sought alternatives for further malici…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Proofpoint
Ransomware
Associated Malware
Qbot (association type: Unspecified; 5 votes): The Qbot Malware is associated with TA577. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23…
QakBot (association type: Unspecified; 4 votes): The QakBot Malware is associated with TA577. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope…
Latrodectus (association type: Unspecified; 4 votes): The Latrodectus Malware is associated with TA577. Latrodectus, a harmful malware discovered in late 2023, has been gaining momentum among threat actors, with a significant increase in activity noted throughout February and March. This malicious software is being employed by initial access brokers (IABs) in email threat campaigns and uses MSI files…
IcedID (association type: Unspecified; 2 votes): The IcedID Malware is associated with TA577. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d…
Associated Threat Actors
BattleRoyal (association type: Unspecified; 2 votes): The BattleRoyal Threat Actor is associated with TA577. BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen…
Source Document References
Information about the TA577 Threat Actor was read from the documents in the corpus below. This display is limited to 20 results.
Source (created):
Recorded Future (5 months ago)
Pulsedive (6 months ago)
InfoSecurity-magazine (8 months ago)
BankInfoSecurity (8 months ago)
DARKReading (8 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (a year ago)
Recorded Future (a year ago)
CSO Online (2 years ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
Malwarebytes (a year ago)
Malware-traffic-analysis.net (a year ago)
Malware-traffic-analysis.net (a year ago)