
[CERT-FR] Attack infrastructure of the TA505 cybercriminal group

Medium
Published: Mon Feb 08 2021 (02/08/2021, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: fr-classif
Product: non-classifiees

Description

Results of the investigation into TA505's attack infrastructure

AI-Powered Analysis

Last updated: 06/19/2025, 14:20:39 UTC

Technical Analysis

The provided information pertains to an investigation into the attack infrastructure used by the cybercriminal group TA505, as reported by CERT-FR and sourced from CIRCL. TA505 is a well-known financially motivated threat actor group recognized for deploying large-scale spam campaigns and distributing various malware families, including banking trojans, ransomware, and remote access trojans. The report focuses on the infrastructure supporting TA505's operations rather than a specific vulnerability or exploit. The investigation likely includes analysis of command and control (C2) servers, malware distribution points, and associated network activity used by TA505 to conduct their campaigns. Although no specific affected products or versions are identified, the threat actor's infrastructure is critical in enabling their attacks, which typically target financial institutions, retail, and other sectors globally. The report is classified as medium severity, with a threat level and analysis rating of 2 (on an unspecified scale), and no known exploits or patches are associated since this is an infrastructure-focused intelligence report rather than a vulnerability disclosure. The confidence in the data is moderate, with a 50% certainty indicated. The report is based on open-source intelligence (OSINT) with good reliability and is shared under a white traffic light protocol (TLP), meaning it is intended for broad distribution. The mention of FIN11 alongside TA505 suggests possible overlaps or related activity between these financially motivated groups. Overall, this intelligence highlights the ongoing monitoring and disruption efforts against TA505's infrastructure to mitigate their cybercrime campaigns.

Potential Impact

For European organizations, the presence and activity of TA505's attack infrastructure pose a significant risk primarily through phishing campaigns, malware infections, and potential ransomware attacks. TA505's operations can lead to financial losses, data breaches, operational disruptions, and reputational damage. Given TA505's history of targeting financial services, retail, and other critical sectors, European entities in these industries are particularly at risk. The infrastructure enables widespread malware distribution, increasing the likelihood of successful compromises if defenses are not robust. Additionally, the persistent nature of TA505's campaigns means that organizations may face repeated targeting attempts. The medium severity rating reflects that while no direct vulnerability is exploited here, the threat actor's infrastructure facilitates attacks that can have high impact if successful. Disruptions to availability, confidentiality breaches of sensitive data, and integrity compromises through malware infections are all potential consequences. The lack of patches or direct exploits means mitigation focuses on detection and prevention of intrusion attempts rather than vulnerability remediation.

Mitigation Recommendations

Mitigation should focus on proactive detection and disruption of TA505-related infrastructure and attack vectors. Specific recommendations include:

1) Implement advanced email filtering and anti-phishing technologies to block TA505's spam campaigns, including sandboxing and URL reputation analysis.
2) Deploy network monitoring tools capable of detecting known TA505 C2 server communications and anomalous traffic patterns, leveraging threat intelligence feeds that include TA505 infrastructure indicators.
3) Conduct regular threat hunting exercises focusing on TA505 tactics, techniques, and procedures (TTPs), including monitoring for malware families historically associated with TA505.
4) Enforce strict endpoint protection with behavioral analysis to detect and block malware execution linked to TA505 campaigns.
5) Maintain up-to-date user awareness training emphasizing phishing recognition and reporting, tailored to the latest TA505 phishing lures.
6) Collaborate with national and European cybersecurity centers to share intelligence and participate in takedown efforts against TA505 infrastructure.
7) Apply network segmentation and least privilege principles to limit lateral movement if initial compromise occurs.
8) Regularly update and test incident response plans to ensure readiness against TA505-related incidents.

These measures go beyond generic advice by focusing on intelligence-driven detection and response aligned with TA505's known operational patterns.


Technical Details

Threat Level: 2
Analysis: 2
Uuid: 6021536f-a808-4b9c-8136-d7460aba047c
Original Timestamp: 1613041212

Indicators of Compromise

Comment

Results of the investigation into TA505's attack infrastructure

Ip


Domain


Threat ID: 682c7adce3e6de8ceb778249

Added to database: 5/20/2025, 12:51:40 PM

Last enriched: 6/19/2025, 2:20:39 PM

Last updated: 7/31/2025, 5:04:39 PM

