TA505 – cybercrime trailblazers with ever-evolving TTPs – have returned to mass-volume email attacks, flashing retooled malware and exotic scripting languages.
The TA505 cybercrime group is spinning its financial fraud machinery back up, pelting malware at a range of industries in campaigns that began as low-volume waves and, researchers say, surged late last month.
They do bad things, but they’re so tricky that tracking them is a ton of fun, said Sherrod DeGrippo, vice president, Threat Research and Detection at Proofpoint.
“Tracking TA505 is one of life’s guilty little pleasures,” she admitted. “They are a trailblazer in the world of cybercrime, regularly changing up their [tactics, techniques and procedures, or TTPs].”
TA505, aka Hive0065, is a gang of cybercriminals that has been linked to both financial fraud and state-sponsored activity. Proofpoint researchers describe the group as "one of the more prolific actors" they track.
It is behind the biggest spam campaigns the firm has ever seen, namely the distribution of the Dridex banking trojan. Proofpoint has also tracked the gang distributing the Locky and Jaff ransomware families, The Trick banking trojan and other malware "in very high volumes."
TA505, which actively targets a slew of industries – including finance,