Overview
TA577 is a prolific and highly active cybercrime threat actor that has been tracked by Proofpoint since mid-2020. Known for its wide-reaching campaigns across various industries and geographies, TA577 has established itself as a significant player in the world of cybercrime. This group is notorious for its use of sophisticated techniques and multiple malware families, including Qbot, IcedID, Ursnif, and SystemBC, to carry out its attacks. TA577’s operations often start with phishing emails that contain malicious Microsoft Office attachments, exploiting macro vulnerabilities to download and execute malware on compromised systems.
One of the key tactics used by TA577 is the delivery of IcedID, a well-known banking trojan, which it deploys to gain initial access to victim networks. This access is often a stepping stone for later stages of the attack, including ransomware deployment. Proofpoint has high confidence that
TA577 was behind several Sodinokibi ransomware infections, where IcedID was used as the initial malware payload. The group’s ability to successfully infiltrate organizations and deliver subsequent stages of malware underscores the ongoing threat they pose to industries worldwide.
Common targets
Information
Public Administration
United States
Attack Vectors
Phishing
How they operate
TA577 operates as a multi-stage threat actor capable of executing intricate, large-scale cyberattacks. The group primarily uses phishing emails containing malicious attachments, often Microsoft Office documents with macros, as the initial vector for compromise. Upon opening the infected attachment and enabling macros, the victim unwittingly executes the payload, which typically involves malware like IcedID, Ursnif, and Qbot. These trojans act as initial access tools, granting TA577 control over the victim’s network.
Once IcedID or other similar trojans are executed on a compromised system, TA577 leverages these malware to establish persistence and escalate its control over the network. IcedID, for example, is often used to download additional payloads, including ransomware, from the threat actor’s command-and-control (C2) infrastructure. This malware acts as a conduit for further exploitation, enabling the group to deploy additional stages of malicious activity such as data theft, lateral movement, and, most critically, ransomware deployment. IcedID also facilitates the deployment of secondary tools like Cobalt Strike, allowing the threat actor to further expand its foothold in the targeted network and carry out subsequent stages of the attack.
TA577’s use of phishing campaigns and banking trojans is not a one-off but part of a well-established attack chain that the group frequently replicates. In many observed attacks, TA577 is seen using IcedID to deliver ransomware payloads such as Sodinokibi (REvil). This operation involves the malware downloading the ransomware from a remote server and executing it on the victim’s system, encrypting critical data and demanding a ransom for decryption. The group’s ability to use banking trojans as “loaders” for ransomware highlights their ability to adapt and integrate different tools into a seamless attack strategy. Additionally, TA577 has been observed making use of custom, encrypted communication channels to control infected systems, allowing them to exfiltrate sensitive data or escalate their attack without detection.
TA577’s operations extend beyond phishing emails and malware loaders. The group is also known for its use of social engineering tactics, such as impersonating trusted entities in their phishing campaigns. These campaigns often exploit current events or target organizations’ specific business practices to maximize the likelihood of successful infections. The phishing emails are typically designed to appear legitimate, such as invoices, tax documents, or security updates, further enhancing the likelihood that the victim will fall for the bait.
A defining feature of TA577 is its continued evolution. As the group learns from past attacks and adapts to new cybersecurity defenses, it continuously refines its techniques and tools. In particular, the use of banking trojans like IcedID and the subsequent deployment of ransomware represents a significant shift in the tactics and strategies employed by cybercriminals. The group’s success lies in its ability to blend tried-and-true malware techniques with innovative attack methodologies, allowing it to evade detection and increase its chances of financially benefiting from each compromise.
In conclusion, TA577 is a versatile and dynamic threat actor whose operations on a technical level are complex and multifaceted. By leveraging a combination of phishing attacks, malware distribution, lateral movement tactics, and ransomware deployment, TA577 operates as a highly effective and dangerous cybercriminal group. Their focus on persistence and adaptability makes them a persistent threat to businesses, governments, and other organizations worldwide. Organizations must remain vigilant to these evolving tactics and invest in robust security measures to detect and respond to such sophisticated attacks.
