Malware distribution at scale – The ecosystem of TA577
TA577, also known as Tramp or TR is a prolific cybercrime actor that has specialized in distributing initial access malware to conduct ransomware attacks. Our talk at Botconf will be structured as follows.
First, we give an overview about the past and present activities of TA577, in particular the different malware payloads that TA577 has distributed and their connection to ransomware and big game hunting, specifically through the Black Basta ransomware operation.
Secondly, we will focus on the capabilities and infrastructure that TA577 has obtained to distribute different malware payloads at scale. We will share our findings about how the threat actor obtains compromised infrastructure, what scripts they use to distribute malware via the compromised systems, and what functionality they have implemented to hinder researchers from analyzing their tools and payloads. Finally, we will provide some recommendations about how defenders can detect, identify and mitigate infrastructure and payloads of TA577.