Botconf Author Listing

TA577, also known as Tramp or TR is a prolific cybercrime actor that has specialized in distributing initial access malware to conduct ransomware attacks. Our talk at Botconf will be structured as follows.

First, we give an overview about the past and present activities of TA577, in particular the different malware payloads that TA577 has distributed and their connection to ransomware and big game hunting, specifically through the Black Basta ransomware operation.

Secondly, we will focus on the capabilities and infrastructure that TA577 has obtained to distribute different malware payloads at scale. We will share our findings about how the threat actor obtains compromised infrastructure, what scripts they use to distribute malware via the compromised systems, and what functionality they have implemented to hinder researchers from analyzing their tools and payloads. Finally, we will provide some recommendations about how defenders can detect, identify and mitigate infrastructure and payloads of TA577.

Our work focuses not on the malware itself, but on the infrastructure and methodology used to orchestrate the malware distribution and operation. We show through correlation of both TTPs and infrastructure that there exist strong ties between current activities involving Latrodectus malware and past campaigns spreading malwares such as Bumblebee and IcedID, which were recently subject to a coordinated law enforcement operation named “Operation Endgame”. Our work suggests that key actors involved in dropper malware distribution such as TA577 remain largely unaffected by these operations and continue to spread similar malware with only minor infrastructure and TTP changes.