
Hacker Group TA554 Pairs sLoad And Ramnit Banking Trojan In UK and Italy Attacks

Hacker group TA554 has been using the sLoad dropper to distribute the Ramnit banking trojan in attacks targeted at financial institutions in the UK and Italy. Victims received a spear phishing email that contained a link to a compromised website, which downloaded a zip file with a .lnk shortcut file. Opening the .lnk file then ran PowerShell with obfuscated commands and downloaded the sLoad dropper, which manipulated BITSAdmin and certutil to install Ramnit. To avoid detection, TA554 uses a combination of built-in Windows tools, including PowerShell, BITSAdmin, and certutil.
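A defender-side sketch of hunting for the chain described above, added here as an example and not taken from the referenced report: it walks process-creation events and flags any PowerShell process whose descendants include both bitsadmin.exe and certutil.exe. The event field names, the sample events, and the assumption that both tools run inside the PowerShell process tree are illustrative.

```python
import ntpath

# Built-in Windows tools named in the summary above.
DOWNLOAD_TOOLS = {"bitsadmin.exe", "certutil.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (hypothetical field names), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": PS},
    {"host": "ws01", "pid": 210, "ppid": 200, "image": r"C:\Windows\System32\bitsadmin.exe"},
    {"host": "ws01", "pid": 220, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "pid": 230, "ppid": 220, "image": r"C:\Windows\System32\certutil.exe"},
    # certutil run from a plain cmd.exe session: no PowerShell ancestor.
    {"host": "ws02", "pid": 300, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "pid": 310, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe"},
    # PowerShell using only one of the two tools: not the pairing described.
    {"host": "ws03", "pid": 400, "ppid": 60, "image": PS},
    {"host": "ws03", "pid": 410, "ppid": 400, "image": r"C:\Windows\System32\bitsadmin.exe"},
]

def _name(image):
    """Lower-cased executable name from a Windows path."""
    return ntpath.basename(image).lower()

def find_lolbin_chains(events):
    """Return (host, powershell_pid, tools) for every PowerShell process whose
    descendants include both bitsadmin.exe and certutil.exe.
    PIDs are assumed unique per host within the window being analysed."""
    procs = {(e["host"], e["pid"]): e for e in events}
    hits = {}
    for e in events:
        tool = _name(e["image"])
        if tool not in DOWNLOAD_TOOLS:
            continue
        # Walk up the parent chain to the nearest PowerShell ancestor.
        key, seen = (e["host"], e["ppid"]), set()
        while key in procs and key not in seen:
            seen.add(key)
            if _name(procs[key]["image"]) == "powershell.exe":
                hits.setdefault(key, set()).add(tool)
                break
            key = (key[0], procs[key]["ppid"])
    return sorted((h, pid, sorted(t)) for (h, pid), t in hits.items()
                  if t == DOWNLOAD_TOOLS)

if __name__ == "__main__":
    for hit in find_lolbin_chains(SAMPLE_EVENTS):
        print("suspicious PowerShell tree:", hit)
```

Requiring both tools under one PowerShell ancestor keeps routine single-tool administrative use out of the results; a production rule would also need to handle PID reuse and time windows.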

References:
[1] Banking Trojan Delivered By Lolbins: How the Ramnit Trojan Spreads Via SLoad In A Cyberattack
