Ta544

Threat Actor updated 4 months ago (2024-06-24T12:17:36.894Z)

Download STIX

Preview STIX

TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, also known as Gozi, is among the variety of malware tools that TA544 has deployed over the years. More recently, TA544 has been associated with the distribution of a sophisticated second-stage downloader called WikiLoader. Throughout 2022, TA544 was observed targeting Italian organizations with IcedID and Ursnif. In December 2022, Proofpoint first identified WikiLoader being delivered by TA544, primarily aimed at Italian firms. Following this initial identification, multiple subsequent campaigns were observed, the majority of which continued to target Italian organizations. These operations were part of broader phishing campaigns that also involved another threat actor, TA551. In addition to these activities, TA544 has been implicated in abusing the vulnerability CVE-2023-36025, as reported by a Proofpoint researcher. This abuse was part of a campaign involving Remcos, a remote access Trojan used by various threat actors over the years to remotely control and monitor compromised Windows devices. This activity coincided with a surge in campaigns distributing DarkGate and PikaBot, where TA544 leveraged new variants of loader malware, such as IDAT Loader, to deploy Remcos RAT or SystemBC malware.

Description last updated: 2024-03-20T15:16:53.208Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Ursnif is a possible alias for Ta544. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for ra	5
Wikiloader is a possible alias for Ta544. WikiLoader, also known as WailingCrab, is a downloader malware first discovered in 2022 by Proofpoint and made public in 2023. This sophisticated malicious software is typically sold in underground marketplaces by an initial access broker (IAB) and is often spread through traditional phishing techni	4
IcedID is a possible alias for Ta544. IcedID is a type of malware, malicious software designed to exploit and damage computer systems. It has been identified in association with various other malwares such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, and Pikabot. The IcedID IntBot Loader (int-bot.dll) is	2
Gozi is a possible alias for Ta544. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Trojan

Downloader

Proofpoint

Loader

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The TA551 Threat Actor is associated with Ta544. TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma	Unspecified	3

Source Document References

Information about the Ta544 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	a year ago	Exploit for Critical Windows Defender Bypass Goes Public
CSO Online	2 years ago	Researchers warn of two new variants of potent IcedID malware loader
CERT-EU	10 months ago	New JinxLoader Targeting Users with Formbook and XLoader Malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Novel attack infrastructure established by Russian hackers to bypass detection
CERT-EU	a year ago	Russia, Serbia targeted by Space Pirates threat group
CERT-EU	a year ago	Out of the Sandbox : WikiLoader Digs Sophisticated Evasion – Global Security Mag Online
DARKReading	a year ago	Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw
CERT-EU	7 months ago	New CHAVECLOAK Banking Trojan Targets Brazilians via Malicious PDFs
CERT-EU	9 months ago	JinxLoader Malware: Next-Stage Payload Threats Revealed
SecurityIntelligence.com	a year ago	The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU	a year ago	Novel WikiLoader malware examined
CERT-EU	a year ago	Python versions of stealer malware discovered targeting Facebook business accounts
Securityaffairs	a year ago	WikiLoader malware-as-a-service targets Italian organizations
DARKReading	a year ago	Exploit for Critical Windows Defender Bypass Goes Public
CERT-EU	a year ago	Updated WailingCrab malware loader ups stealth
CERT-EU	a year ago	Weaponized Excel, OneNote, or PDF Attachments Deliver New WikiLoader Malware
BankInfoSecurity	a year ago	New Malware WikiLoader Targeting Italian Organizations