TA505 is a prolific Russian threat actor known for attacks against multiple industries with a variety of malware since 2014. In July 2019, Wapack Labs analyzed the intrusion infrastructure associated with TA505’s attacks. The network is comprised of multiple IPs and domains, many of which were spoofed to appear like domains belonging to financial institutions. Also hosted were two domains for Royal Dumps, a known carder site. More recently there have been reported upticks in TA505 attacks, with targets including entities in Japan, Argentina, the Philippines and South Korea.
TIR-19-200-001.pdf

It’s currently unclear if the infrastructure is exclusive to TA505 or if it’s administered by an unknown bulletproof hosting provider. This report provides details on this infrastructure and the associated malware and activity.