Alias: GOLD TAHOE, GRACEFUL SPIDER, Hive0065, SectorJ04, SectorJ04 Group, TA505
ATK103 (aka TA505) has been active since at least 2014. It is a significant part of the email threat landscape and is responsible for the largest malicious spam campaigns Proofpoint has ever observed, distributing instances of the Dridex banking trojan, Locky ransomware, Jaff ransomware, the Trick banking trojan, and several others in very high volumes. ATK103 uses the Necurs botnet to drive massive spam campaigns. ATK103 seems to be motivated by financial gain. It is highly adaptable: it often changes its malware and techniques, uses off-the-shelf malware and operates on a massive scale. It does not seem to be trying to stay stealthy.
Since March 2018, ATK103 has been observed using the FlawedAmmyy RAT, a variant of the leaked AmmyyAdmin 3 (Remote Administration Tool). The use of these tools suggests that this actor wants to switch from big spam campaigns to more targeted attacks. In July 2018, ATK103 was seen using SettingContent-ms files in its decoy documents. This technique has been described by Matt N., and in early June 2018 MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed. Some of this malware was signed with a COMODO SECURE certificate. ATK103 seems to be a Russian-speaking group.
ATK103 (TA505) as key player in the cybercrime ecosystem
As mentioned in ATK104's description, ATK103 has a more or less tenuous relationship with ATK104, as shown by the identical nature of certain functions developed in the Emotet and Trickbot download software (which is an adaptation of the original TrickBot malware created by ATK82 (Wizard Spider)).
However, this relationship is not limited to ATK104. We know that the ATK86 group (Silence group), which specializes in targeting large banks and their ATMs, and the ATK88 group (FIN6), which specializes in attacking points of sale and stealing credit card data, have already used the FlawedAmmyy remote administration tool developed by ATK103 (TA505).
REFERENCES