ETDA ThaiCERT
Report
Search
Home > List all groups > TA554

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Other threat group: TA554

NamesTA554 (Proofpoint)
TH-163 (Yoroi)
Country[Unknown]
MotivationFinancial crime
First seen2017
Description(Proofpoint) Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.

While initial versions of sLoad appeared in May 2018, we began tracking the campaigns from this actor (internally named TA554) since at least the beginning of 2017.
ObservedSectors: Financial.
Countries: Canada, Italy, UK.
Tools usedDarkVNC, Godzilla, Gootkit, Gozi ISFB, PsiXBot, Ramnit, sLoad, Snatch, Living off the Land.
Information<https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy>
<https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/>
<https://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html>

Last change to this card: 29 April 2020

Download this actor card in PDF or JSON format

Previous: TA516
Next: Tiny Spider

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key