Threat Watch

TA505 Seen to Be Shifting Focus

Researchers at Positive Technologies have been tracking the Russian-speaking threat group known as TA505 and, over the course of their research, have identified a shift in its techniques. Once known specifically as a financially motivated group, it appears to have been adding malware to its arsenal that suggests it is starting to target intellectual property. Previously the group was known to use the Dridex banking trojan, the Neutrino botnet, and the Locky, Jaff, and GlobeImposter ransomware families. Most recently, the group has used the FlawedAmmyy backdoor and the newer ServHelper backdoor. The group has targeted dozens of different entities in over 64 countries around the world. The group has been identified as using the same network infrastructure as Buhtrap, which could point to the two groups working together, but that cannot be confirmed.

ANALYST NOTES

TA505 has increased its attacks drastically in the past six months, and it is possible that within the next six months the group will keep up its aggressive techniques. TA505 has also been tentatively linked to recent use of other ransomware variants. Binary Defense analysts are closely monitoring TA505 tactics and malware to continually develop new detections and allow our Security Operations Center (SOC) analysts to stop these attacks quickly.