| Field | Value |
|---|---|
| Name | TA577 |
| Other Names | Hive0118 |
| Location | Russia |
| Date of initial activity | 2020 |
| Suspected Attribution | Cybercriminals |
| Motivation | Financial Gain |
| Software | Windows |
Overview
TA577 is a prolific and highly active cybercrime threat actor that has been tracked by Proofpoint since mid-2020. Known for its wide-reaching campaigns across many industries and geographies, TA577 has established itself as a significant player in the cybercrime ecosystem. The group is notorious for its use of sophisticated techniques and multiple malware families, including Qbot, IcedID, Ursnif, and SystemBC, to carry out its attacks. TA577’s operations typically start with phishing emails carrying malicious Microsoft Office attachments whose macros, once enabled, download and execute malware on the compromised system.
One of the key tactics used by TA577 is the delivery of IcedID, a well-known banking trojan, which it deploys to gain initial access to victim networks. This access is often a stepping stone for later stages of the attack, including ransomware deployment. Proofpoint has high confidence that TA577 was behind several Sodinokibi ransomware infections, where IcedID was used as the initial malware payload. The group’s ability to successfully infiltrate organizations and deliver subsequent stages of malware underscores the ongoing threat they pose to industries worldwide.
Common targets
Information
Public Administration
United States
Attack Vectors
Phishing
How they operate
TA577 operates as a multi-stage threat actor capable of executing intricate, large-scale cyberattacks. The group primarily uses phishing emails containing malicious attachments, often Microsoft Office documents with macros, as the initial vector for compromise. Upon opening the infected attachment and enabling macros, the victim unwittingly executes the payload, which typically involves malware like IcedID, Ursnif, and Qbot. These trojans act as initial access tools, granting TA577 control over the victim’s network.
Once IcedID or a similar trojan is running on a compromised system, TA577 uses it to establish persistence and extend its control over the network. IcedID, for example, is often used to download additional payloads, including ransomware, from the threat actor’s command-and-control (C2) infrastructure. The malware acts as a conduit for further exploitation, enabling the group to carry out later stages of malicious activity such as data theft, lateral movement, and, most critically, ransomware deployment. IcedID also facilitates the deployment of secondary tools like Cobalt Strike, allowing the threat actor to expand its foothold in the targeted network and carry out subsequent stages of the attack.
TA577’s use of phishing campaigns and banking trojans is not a one-off but part of a well-established attack chain that the group frequently replicates. In many observed attacks, TA577 is seen using IcedID to deliver ransomware payloads such as Sodinokibi (REvil). This operation involves the malware downloading the ransomware from a remote server and executing it on the victim’s system, encrypting critical data and demanding a ransom for decryption. The group’s ability to use banking trojans as “loaders” for ransomware highlights their ability to adapt and integrate different tools into a seamless attack strategy. Additionally, TA577 has been observed making use of custom, encrypted communication channels to control infected systems, allowing them to exfiltrate sensitive data or escalate their attack without detection.
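The macro-to-loader stage of the chain described above (an Office attachment whose macros, once enabled, launch a second-stage payload) leaves a distinctive parent/child process pattern on the endpoint. The following detector is an added example written for this page, not code from the original page or from Proofpoint; it runs over constructed Sysmon-style process-creation lines, and the Office parent and LOLBin child image names it matches are assumptions, not values taken from TA577 reporting.

```python
"""Detection helper for the initial-access chain described above: a macro-enabled
Office attachment that, once macros are enabled, launches a payload loader.
Runs over constructed Sysmon-style process-creation events.
Added example; not code from the original page or from Proofpoint."""

# Office applications that host VBA macros (assumption: typical image names).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children a macro commonly uses to fetch or launch a second stage (assumption).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' Sysmon-like line."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_office_spawn(ev: dict) -> bool:
    """True when an Office process starts a scripting/LOLBin child."""
    return (basename(ev["ParentImage"]) in OFFICE_PARENTS
            and basename(ev["Image"]) in SUSPICIOUS_CHILDREN)

def find_macro_launches(lines) -> list:
    """Return (host, parent, child, cmdline) for each event matching the chain."""
    hits = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines
        ev = parse_event(line)
        if is_office_spawn(ev):
            hits.append((ev["host"], basename(ev["ParentImage"]),
                         basename(ev["Image"]), ev["CommandLine"]))
    return hits

# Constructed sample telemetry: Word opened from Explorer (benign), then Word
# spawning rundll32 to load a dropped DLL (matches), then an unrelated cmd.exe.
SAMPLE_LOG = """\
ts=2024-01-10T09:02:11|host=WS01|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine="WINWORD.EXE" /n "C:\\Users\\a\\Downloads\\invoice.docm"
ts=2024-01-10T09:02:40|host=WS01|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\stage.dll,DllMain
ts=2024-01-10T09:03:05|host=WS02|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir
"""

if __name__ == "__main__":
    for hit in find_macro_launches(SAMPLE_LOG.splitlines()):
        print("ALERT office-spawned child:", hit)
```

Only the second constructed event fires: Word spawning rundll32 with a DLL from a user temp directory, which is the kind of Office-to-loader transition worth alerting on regardless of which specific malware family the macro drops.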
TA577’s operations extend beyond phishing emails and malware loaders. The group is also known for its use of social engineering tactics, such as impersonating trusted entities in their phishing campaigns. These campaigns often exploit current events or target organizations’ specific business practices to maximize the likelihood of successful infections. The phishing emails are typically designed to appear legitimate, such as invoices, tax documents, or security updates, further enhancing the likelihood that the victim will fall for the bait.
A defining feature of TA577 is its continued evolution. As the group learns from past attacks and adapts to new cybersecurity defenses, it continuously refines its techniques and tools. In particular, the use of banking trojans like IcedID and the subsequent deployment of ransomware represents a significant shift in the tactics and strategies employed by cybercriminals. The group’s success lies in its ability to blend tried-and-true malware techniques with innovative attack methodologies, allowing it to evade detection and increase its chances of financially benefiting from each compromise.
In conclusion, TA577 is a versatile and dynamic threat actor whose operations are technically complex and multifaceted. By combining phishing attacks, malware distribution, lateral movement, and ransomware deployment, TA577 operates as a highly effective and dangerous cybercriminal group. Its focus on persistence and adaptability makes it an enduring threat to businesses, governments, and other organizations worldwide. Organizations must remain vigilant to these evolving tactics and invest in robust security measures to detect and respond to such sophisticated attacks.