{
	"id": "2154a7eb-9bb6-4256-829f-a9b188575050",
	"created_at": "2026-04-06T00:13:38.825856Z",
	"updated_at": "2026-04-10T03:36:36.969549Z",
	"deleted_at": null,
	"sha1_hash": "ae069e26bbef3c4938048ae9d654f13404cf6d2c",
	"title": "Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 505309,
	"plain_text": "Operation TA505: how we analyzed new tools from the creators of\r\nthe Dridex trojan, Locky ransomware, and Neutrino botnet\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 13:17:09 UTC\r\nDistribution of TA505 attacks in 2019\r\nThe Threat Intelligence team at the Positive Technologies Expert Security Center has been keeping a close eye on\r\nthe TA505 cybercrime group for the last six months. The malefactors are drawn towards finance, with targets\r\nscattered in dozens of countries on multiple continents.\r\nWhat is TA505 famous for?\r\nThe cybergang has been quite prolific since 2014: their arsenal includes the Dridex banking trojan, Neutrino\r\nbotnet, as well as Locky, Jaff, GlobeImposter, and other ransomware.\r\nThe group's attacks have been detected all around the world, from North America to Central Asia.\r\nDespite being mainly motivated by profit, in the past six months they have also attacked research institutes,\r\nenergy companies, healthcare institutions, airlines, and even government agencies.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/\r\nPage 1 of 8\n\nTA505 attacks by sector, 2019\r\nBelow is an example of a phishing message containing malware developed by the group. Judging by the email\r\naddress, the attack targeted the British Foreign Office.\r\nThe group has been using the FlawedAmmyy remote access tool since spring 2018 and the new ServHelper\r\nbackdoor since the end of 2018. TA505 is among the few groups that can boast of continuous activity over a long\r\ntimeframe. Moreover, each new wave of attacks shows interesting changes in the group's tools.\r\nTA505 detections by month, 2019\r\nSuch a high clip of attacks cannot stay invisible: our colleagues at companies including Proofpoint, Trend Micro,\r\nand Yoroi have already reported on the techniques and malicious software used by TA505. However, many\r\nintriguing issues still remain unaddressed:\r\nThe PE packer unique to the group\r\nA version of the ServHelper backdoor that, instead of custom-developed functionality, relies on\r\nNetsupportManager remote control software\r\nNetwork infrastructure: registrars and hosting providers, including overlap with infrastructure of the\r\nBuhtrap group\r\nOther malware used by the group not covered previously\r\nThis is the first article of a series about the TA505 group.\r\nPart 1. In the beginning was the packer\r\nIn mid-June 2019, we saw new variants of FlawedAmmyy malware loaders with significant changes from previous\r\nversions. For example, the visual representation of code in hexadecimal was different. This pattern became a\r\ncommon theme in several samples that we analyzed.\r\nASCII code representation\r\nQuick analysis showed that we were looking at an unknown packer of executable files. Later we found that this\r\npacker was used not only for the loaders in question, but for other TA505 malware, including payloads. We decided\r\nto explore the unpacking logic in order to be able to automatically extract the contents.\r\nLayer 1. Tricky XOR\r\nThe key portion of the unpacker is preceded by a large number of junk instructions. Malware developers often use\r\nthis technique to evade antivirus emulators. The interesting part starts when 0xD20 bytes of buffer memory are allocated\r\nusing the WinAPI function VirtualAllocEx. Memory is allocated with PAGE_EXECUTE_READWRITE rights,\r\nwhich allow writing and executing code.\r\nStart of the non-junk part of the unpacker\r\nThe data section of the file contains an array. The contents of the array are decoded and the result is written to the\r\nallocated memory. Here is the decoding process:\r\nInterpret 4 bytes as an integer.\r\nSubtract the order number of the byte in the sequence.\r\nPerform XOR with a set constant.\r\nPerform a circular shift to the left by 7 positions.\r\nPerform XOR with the set constant again.\r\nFirst-layer decoding\r\nWe'll call the algorithm SUB-XOR-ROL7-XOR when referring to it later.\r\nDecoding is followed by sequential initialization of variables. This can be represented as declaring a C struct in\r\nthe following format:\r\n \r\n struct ZOZ {\r\n HMODULE hkernel32;\r\n void *aEncodedBlob;\r\n unsigned int nEncodedBlobSize;\r\n unsigned int nBlobMagic;\r\n unsigned int nBlobSize;\r\n };\r\nin which:\r\nhkernel32 describes the library kernel32.dll.\r\naEncodedBlob is a pointer to the encoded block of data we were talking about when noting the visual\r\nsimilarity of the samples.\r\nEncoded data block\r\nnEncodedBlobSize is the 4-byte size of the encoded data block.\r\nnBlobMagic is a 4-byte constant ahead of the data block, to which we will return later on.\r\nnBlobSize is the 4-byte size of the decoded data block.\r\nWe called the struct ZOZ (or \"505\" in l33t speak).\r\nPopulating ZOZ\r\nCode execution jumps to the decoded buffer (removing any doubt that the now-decoded data consists of\r\nexecutable code) and a pointer to the populated struct is passed in a function argument:\r\nCalling the decoded code, with the ZOZ struct passed as an argument\r\nDecoded and disassembled code portion\r\nLayer 2. Less is more\r\nOnce the portion of code is decoded and run, it starts gathering addresses of the WinAPI functions\r\nGetProcAddress, VirtualQuery, VirtualAlloc, VirtualProtect, VirtualFree, and LoadLibraryA. These functions are\r\noften used with shellcodes, in order to groom memory to run the payload.\r\nWhen everything is ready, the encoded data block is passed and then \"slimmed down.\" The first two of each five\r\nbytes are discarded and the remaining three are kept:\r\nReduction of the encoded data block\r\nThen starts the decoding, which we have called SUB-XOR-ROL7-XOR. To perform XOR, the nBlobMagic\r\nvalue passed in ZOZ is used as the constant.\r\nReuse of the SUB-XOR-ROL7-XOR algorithm\r\nAfter that, the resulting array is passed to a function in which more complicated transformations take place.\r\nJudging by the characteristic constant values, we can easily identify a popular FSG (Fast Small Good) PE packer.\r\nCuriously enough, the original FSG packer version compresses the PE by sections, whereas in our case the algorithm\r\nworks with the PE as-is.\r\nFSG packer implementation\r\nAt this stage, the memory contains the unpacked PE file ready for further analysis. The remaining part of the\r\nshellcode will overwrite the original PE in the address space with the unpacked version and will then run it\r\ncorrectly. Interestingly, during modification of the module entry point, there are manipulations involving PEB\r\nstructures. We do not know why the attackers decided to forward the kernel32 descriptor from the first-layer logic\r\ninstead of getting it with the help of the same PEB structures.\r\nEntry point for the loaded module is overwritten in PEB\r\nConclusion\r\nThe payload is unpacked as follows:\r\nDecode shellcode with SUB-XOR-ROL7-XOR.\r\nPopulate the ZOZ struct and call the shellcode.\r\nSlim payload (five to three).\r\nDecode payload with SUB-XOR-ROL7-XOR.\r\nDecompress with FSG packer.\r\nAs the malware evolved, so did its logic: the SUB-XOR-ROL7-XOR circular shift (in our case, by seven\r\npositions) has been changed to five and nine positions and an x64 packer version was released, among other\r\nchanges. The cybergang's \"calling card\" packer is an excellent start to a series of upcoming tales about TA505\r\ntools and techniques.\r\nIn future articles, we will discuss how the group's tools have changed during recent attacks and how its\r\nparticipants have interacted with other cybergroups. We will also explore malware samples not covered before.\r\nAuthors: Alexey Vishnyakov and Stanislav Rakovsky, Positive Technologies\r\nIOCs\r\nb635c11efdf4dc2119fa002f73a9df7b (packed FlawedAmmyy loader)\r\n71b183a44f755ca170fc2e29b05b64d5 (unpacked FlawedAmmyy loader)\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/"
	],
	"report_names": [
		"operation-ta505"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae069e26bbef3c4938048ae9d654f13404cf6d2c.pdf",
		"text": "https://archive.orkl.eu/ae069e26bbef3c4938048ae9d654f13404cf6d2c.txt",
		"img": "https://archive.orkl.eu/ae069e26bbef3c4938048ae9d654f13404cf6d2c.jpg"
	}
}