TA505 Threat Hunting: Advanced Queries for Detecting Malware and Cyber Attacks
TA505 is a financially motivated cybercriminal threat group that has been active since at least 2015, often referred to as GOLD TAHOE or FIN11. Known for its adaptability and large-scale operations, TA505 specializes in distributing malware at scale and has been linked to some of the largest email phishing campaigns in history.
Historically, GOLD TAHOE operated as a “malware-as-a-service” provider, enabling other threat actors to deploy ransomware, banking Trojans, and information stealers through its sophisticated infrastructure. TA505 is particularly notorious for its use of advanced social engineering tactics and its rapid adoption of new malware families, including the infamous Dridex, Locky ransomware, and later Clop ransomware.
The group’s focus on monetization and its willingness to target diverse sectors, including finance, retail, healthcare, and critical infrastructure, make it a persistent and evolving threat on the global cybersecurity landscape.
In this blog we are going to do some threat hunting for TA505 using Azure/XDR.
KQL:
Here we investigate whether we can detect a delivery technique used by TA505 to distribute its ransomware:
// Detect potential macro-enabled XLS files with suspicious API usage
DeviceFileEvents
| where FileName endswith ".xls" or FileName endswith ".xlsm"
| where FileSize > 700 * 1024 // File size > 700KB
| join kind=inner (…
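The extension and size filters from the query above, re-implemented over constructed DeviceFileEvents-style records so the predicate can be exercised offline (added example, not code from the original post; host names, file names and sizes are hypothetical). It also shows one caveat: KQL `endswith` is case-insensitive, so a port to another tool has to normalise case or it will miss an upper-case `.XLSM`.

```python
from dataclasses import dataclass

XLS_EXTENSIONS = (".xls", ".xlsm")
SIZE_THRESHOLD = 700 * 1024  # mirrors "FileSize > 700 * 1024" in the KQL


@dataclass(frozen=True)
class FileEvent:
    """Minimal stand-in for a DeviceFileEvents row (hypothetical schema subset)."""
    device_name: str
    file_name: str
    file_size: int


def is_candidate(event: FileEvent) -> bool:
    """Same predicate as the two `where` clauses in the query."""
    # KQL `endswith` is case-insensitive; a naive str.endswith would
    # silently drop "INVOICE.XLSM", so normalise before comparing.
    name = event.file_name.lower()
    return name.endswith(XLS_EXTENSIONS) and event.file_size > SIZE_THRESHOLD


def hunt(events):
    """Return the events that survive the filter, in input order."""
    return [e for e in events if is_candidate(e)]


# Constructed sample events covering the edge cases of the predicate.
SAMPLE_EVENTS = [
    FileEvent("ws01", "invoice_2891.xlsm", 812 * 1024),  # matches
    FileEvent("ws02", "INVOICE.XLS", 900 * 1024),        # upper-case ext, matches
    FileEvent("ws03", "report.xlsm", 120 * 1024),        # below threshold
    FileEvent("ws04", "notes.docm", 2 * 1024 * 1024),    # not a spreadsheet
    FileEvent("ws05", "budget.xls", 700 * 1024),         # exactly 700KB: not >
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.device_name}: {hit.file_name} ({hit.file_size} bytes)")
```

The remaining join in the original query (the "suspicious API usage" side) is not reproduced here, so these hits are only the first-stage candidates, not a verdict.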