TA505: attacking industries around the world

Wednesday 30 September 16:30 - 17:00, Green room

Minhee Lee (Financial Security Institute)
Daegyu Kang (Financial Security Institute)

Last December, Maastricht University in the Netherlands was infected with the Clop ransomware distributed by TA505 and paid the attackers around €250,000. In November, TA505 attacks caused great damage to many companies and institutions in Europe, the United States and Asia, including the University Hospital Center of Rouen in France.

TA505 is an organized crime group that has been active since 2014. It is a threat group that has attacked foreign financial and energy sectors using various malware such as Dridex, Locky ransomware, and TrickBot.

TA505 characteristically executes its attacks following a cyber attack life cycle. It sends a large number of spear-phishing emails, skillfully disguised as bills, resumes, airline tickets, etc., to employees of the target organization to induce infection. Infection of a single corporate PC can lead to the infection of multiple PCs on the corporate network, resulting in the leakage of important corporate information and in large-scale damage through the encryption of important business-related files.

Based on the timeline and the information collected for about one year from February 2019, when TA505's attacks began to occur on a large scale, the group's cyber attacks were intensively analysed and its methods of attack were classified. We also found points from which we could infer a relationship between TA505, which carried out these cyber attacks, and the FIN7 threat group, which carried out attacks stealing US financial information from 2015.

Among the threat groups that target South Korea, the Kimsuky group primarily aims at causing social chaos and at the surveillance of North Korean defectors and politicians. The ScarCruft group aims to steal and destroy data from famous institutions and political organizations in South Korea. Unlike these two groups, TA505 is a threat group that conducts attacks on companies in order to seize corporate information and gain financial benefits. In addition, unlike ordinary ransomware, which is distributed to a large number of unspecified individuals, TA505 distributes ransomware to companies, which are more likely to pay for recovery when their files are encrypted.

First, we will examine the attack TTPs of the TA505 group and analyse how its malware has changed over time, along with the main code of the malware that has been distributed.

Second, the statistics of approximately 610,000 spear-phishing emails will be analysed.

Third, while tracking the IPs used by TA505 as malware distribution and C&C servers, we discovered that these IPs were also used as phishing pages disguised as legitimate sites such as NAVER (a famous portal site in South Korea), Google, Microsoft, Apple, etc.

Fourth, analysis revealed that the TA505 and FIN7 threat groups were very similar in their C&C server IPs and in the life cycle of their cyber attacks, including the malware used at each stage. The results of analysing the relationship between these two groups are described. The attack techniques used by FIN7 and TA505 were classified, and the common techniques used for each type of attack were categorized.

Finally, an analysis of recent trends will be described.

This session will help us respond quickly to attacks from TA505 using the TTPs, IoCs and hunting rules derived from the analysis in this presentation. Also, based on its association with FIN7, future TA505 attacks may be similar to those of FIN7, which may help in responding proactively to TA505 attacks.



Minhee Lee

Minhee Lee works in threat analysis in the Computer Emergency Analysis Team of the FSI (Financial Security Institute in South Korea). She mainly analyses ransomware and info-stealer malware distributed to financial sectors. She's also in charge of verifying vulnerabilities received through a bug bounty operated by FSI. Before joining the FSI, she worked in the AhnLab malware analysis team. She's interested in malware analysis, especially in-depth analysis of the algorithms used by malware, and in tracking down threat groups. She's the main author of the threat intelligence report "Follow the trail of TA505", published by FSI in 2020.



Dae-Gyu Kang

Dae-Gyu Kang works in the Security Operation Center, FSI (Financial Security Institute in South Korea). Dae-Gyu Kang mainly carries out malicious code analysis and research, and completed the K-Shield education hosted by the Korea Internet & Security Agency (KISA). In addition to research on "Adversarial Machine Learning", he recently assisted in analysing and backtracking the TA505 group. Currently, he is conducting security threat research in the DarkWeb while performing network security work in the financial sector.
