cyber_threat_intelligence/actors/TA551/README.md

TA551 - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as TA551. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.ta551

Campaigns

The following campaigns are known and can be associated with TA551:

• Cobalt Strike
• DarkVNC
• Hancitor
• ...

There are 1 more campaign items available. Please use our online service to access the data.

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TA551:

• ES
• DE
• FR
• ...

There are 9 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of TA551.

ID	IP address	Hostname	Campaign	Confidence
1	8.209.76.110	-	Hancitor	High
2	23.82.141.241	-	Cobalt Strike	High
3	23.106.223.174	-	-	High
4	43.128.225.230	-	Hancitor	High
5	43.128.229.136	-	Hancitor	High
6	43.128.232.152	-	Hancitor	High
7	43.129.239.78	-	Hancitor	High
8	43.133.160.144	-	Hancitor	High
9	45.8.146.139	vm580483.stark-industries.solutions	IcedID	High
10	45.89.67.166	srbtv.ru	-	High
11	45.95.11.151	vm220095.pq.hosting	-	High
12	45.95.11.153	vm284420.pq.hosting	-	High
13	45.95.11.154	4ser-1640356836.4server.su	-	High
14	45.95.11.155	slfk.lz	-	High
15	...	...	...	...

There are 58 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by TA551. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Weakness	Description	Confidence
1	T1006	CWE-21, CWE-22, CWE-23, CWE-36	Pathname Traversal	High
2	T1040	CWE-294	Authentication Bypass by Capture-replay	High
3	T1055	CWE-74	Injection	High
4	T1059	CWE-94, CWE-1321	Cross Site Scripting	High
5	T1059.007	CWE-79	Cross Site Scripting	High
6	...	...	...	...

There are 19 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by TA551. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	/admin/api/admin/articles/	High
2	File	/admin/api/theme-edit/	High
3	File	/admin/categories/view_category.php	High
4	File	/Admin/createClass.php	High
5	File	/admin/curriculum/view_curriculum.php	High
6	File	/admin/departments/view_department.php	High
7	File	/admin/maintenance/view_designation.php	High
8	File	/admin/problem_judge.php	High
9	File	/admin/reminders/manage_reminder.php	High
10	File	/admin/sales/manage_sale.php	High
11	File	/admin/sales/view_details.php	High
12	File	/admin/suppliers/view_details.php	High
13	File	/admin/user/manage_user.php	High
14	File	/admin/userprofile.php	High
15	File	/admin/voters_row.php	High
16	File	/api/browserextension/UpdatePassword/	High
17	File	/application/views/themeOptions/update.php	High
18	File	/attachments	Medium
19	File	/balance/service/list	High
20	File	/classes/Users.php	High
21	File	/config/myfield/test.php	High
22	File	/data/app	Medium
23	File	/dev/snd/seq	Medium
24	File	/diagnostic/login.php	High
25	File	/etc/gsissh/sshd_config	High
26	File	/etc/master.passwd	High
27	File	/etc/passwd	Medium
28	File	/goform/WifiBasicSet	High
29	File	/hrm/controller/login.php	High
30	File	/login	Low
31	File	/logs/sql-error.log	High
32	File	/mogu-picture/file/uploadPicsByUrl	High
33	File	/pages/save_user.php	High
34	File	/password/reset	High
35	File	/plugin/getList	High
36	File	/register/abort	High
37	File	/reviewer/system/system/admins/manage/users/user-update.php	High
38	File	/rukovoditel/index.php?module=logs/view&type=php	High
39	File	/send_order.cgi?parameter=access_detect	High
40	File	/webservices/download/index.php	High
41	File	actions.hsp	Medium
42	File	adclick.php	Medium
43	File	AddAppNetworksActivity.java	High
44	File	AddAppNetworksFragment.java	High
45	File	admin.php	Medium
46	File	admin/ajax.attachment.php	High
47	File	admin/article_save.php	High
48	File	admin/make_payments.php	High
49	File	admin/panels/uploader/admin.uploader.php	High
50	File	admin/products/controller.php?action=add	High
51	...	...	...

There are 448 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

• https://isc.sans.edu/diary/28092
• https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884
• https://isc.sans.edu/diary/Monster+Libra+%28TA551Shathak%29+--%3E+IcedID+%28Bokbot%29+--%3E+Cobalt+Strike+%26+DarkVNC/28974
• https://isc.sans.edu/diary/Monster+Libra+%28TA551Shathak%29+pushes+IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28934
• https://isc.sans.edu/diary/rss/27738
• https://isc.sans.edu/forums/diary/More+TA551+Shathak+Word+docs+push+IcedID+Bokbot/26674/
• https://isc.sans.edu/forums/diary/TA551+Shathak+Word+docs+push+IcedID+Bokbot/26438/
• https://www.malware-traffic-analysis.net/2021/09/14/index.html

Literature

The following articles explain our unique predictive cyber threat intelligence:

• VulDB Cyber Threat Intelligence Documentation
• Cyber Threat Intelligence - Early Anticipation of Attacks

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!