ATK103

Presumed Origin:

Alias: GOLD TAHOE, GRACEFUL SPIDER, Hive0065, SectorJ04, SectorJ04 Group, TA505

ATK103 (aka TA505) has been active since at least 2014. It is a significant part of the email threat landscape and is responsible for the largest malicious spam campaigns Proofpoint has ever observed, distributing the Dridex banking trojan, Locky ransomware, Jaff ransomware, The Trick banking trojan, and several others in very high volumes. ATK103 uses the Necurs botnet to drive these massive spam campaigns. ATK103 appears to be financially motivated. It is highly adaptable, frequently changes its malware and techniques, uses off-the-shelf malware and operates at massive scale; it does not appear to be trying to stay stealthy. Since March 2018, ATK103 has been observed using the FlawedAmmyy RAT, a variant of the leaked AmmyyAdmin 3 remote administration tool. The use of such tools suggests that this actor may want to shift from large spam campaigns to more targeted attacks. In July 2018, ATK103 was seen using SettingContent-ms files in its decoy documents. This technique had been described by Matt N., and in early June 2018 MSRC responded that the severity of the issue was below the bar for servicing and that the case would be closed. Some of these malware samples were signed with a COMODO SECURE certificate. ATK103 appears to be a Russian-speaking group.


ATK103 (TA505) as key player in the cybercrime ecosystem


As mentioned in ATK104's description, ATK103 has a more or less tenuous relationship with ATK104, as shown by the identical nature of certain functions found in the Emotet and TrickBot downloaders (the latter being an adaptation of the original TrickBot malware created by ATK82 (Wizard Spider)).


However, this relationship is not limited to ATK104. We know that the ATK86 group (Silence group), which specializes in targeting large banks and their ATMs, and the ATK88 group (FIN6), which specializes in attacking points of sale and stealing credit card data, have both already used the FlawedAmmyy remote administration tool developed by ATK103 (TA505).


Target sector

  • Education
  • Energy
  • Financial Services
  • Healthcare
  • Manufacturing
  • Media

Target countries

  • Canada
  • Chile
  • China
  • Georgia
  • Greece
  • Netherlands
  • Mexico
  • Italy
  • Korea, Republic of
  • Lithuania
  • Singapore
  • Sweden
  • Taiwan
  • United Arab Emirates
  • United States of America

Attack pattern

  • T1002 - Data Compressed
  • T1012 - Query Registry
  • T1020 - Automated Exfiltration
  • T1021 - Remote Services
  • T1027 - Obfuscated Files or Information
  • T1036 - Masquerading
  • T1041 - Exfiltration Over Command and Control Channel
  • T1043 - Commonly Used Port
  • T1057 - Process Discovery
  • T1064 - Scripting
  • T1071 - Standard Application Layer Protocol
  • T1076 - Remote Desktop Protocol
  • T1081 - Credentials in Files
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1085 - Rundll32
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1090 - Connection Proxy
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1112 - Modify Registry
  • T1116 - Code Signing
  • T1119 - Automated Collection
  • T1123 - Audio Capture
  • T1138 - Application Shimming
  • T1140 - Deobfuscate/Decode Files or Information
  • T1173 - Dynamic Data Exchange
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1204 - User Execution
  • T1218 - Signed Binary Proxy Execution
  • T1222 - File Permissions Modification
  • T1486 - Data Encrypted for Impact

Motivation

  • Financial Gain

Malwares

  • Amadey
  • Clop Ransomware
  • FlawedAmmyy
  • FlawedGrace
  • Get2
  • GlobeImposter
  • MINEBRIDGE
  • SDBbot
  • ServHelper
  • SnatchLoader
  • TinyMet

Vulnerabilities