Also known as: TA505, Graceful Spider, Gold Evergreen, Gold Tahoe, TEMP.Warlock, ATK 103, SectorJ04, Hive0065, Chimborazo, Spandex Tempest, G0092, SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE, Dudear, ATK103, CHIMBORAZO, Lace Tempest, DEV-0950, FIN11, UNC4857, Chubby Scorpius, UNC902
Proofpoint researchers track a wide range of threat actors involved in both financially motivated cybercrime and state-sponsored actions. One of the more prolific actors that we track – referred to as TA505 – is responsible for the largest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan, and several others in very high volumes. Because TA505 is such a significant part of the email threat landscape, this blog provides a retrospective on the shifting malware, payloads, and campaigns associated with this actor. We examine their use of malware such as Jaff, Bart, and Rockloader, which appear to be exclusive to this group, as well as more widely distributed malware like Dridex and Pony. Where possible, we detail the affiliate models with which they are involved and outline the current state of TA505 campaigns. TA505 is arguably one of the most significant financially motivated threat actors because of the extraordinary volumes of messages they send. The variety of malware delivered by the group also demonstrates their deep connections to the underground malware scene. At the time of writing, Locky ransomware remains their malware of choice, even as the group continues to experiment with a variety of additional malware.

Much of the malware from TA505 has been observed to be distributed using Avalanche, Cutwail (operated by Narwhal Spider), Necurs (operated by Monty Spider) and Emotet (operated by Mummy Spider, TA542). TA505 also has some infrastructure overlap with Buhtrap (Ratopak Spider), and Group-IB found several relationships with Silence (Contract Crew). The Dridex development appears to have been done by a subgroup named Indrik Spider and, by extension, Doppel Spider. See also: Dungeon Spider and FIN11.
| CVE ID |
|---|
| CVE-2021-35211 |
| CVE-2020-1472 |