{
	"id": "5558471e-2501-4d73-85f0-20dbee7a7dc5",
	"created_at": "2026-04-06T00:19:06.050341Z",
	"updated_at": "2026-04-10T13:12:59.724436Z",
	"deleted_at": null,
	"sha1_hash": "e89b9b7877c66bdf37e26b1309936b0c8a8cfdb5",
	"title": "Innovation in Cyber Intrusions: The Evolution of TA544 - Yoroi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1921987,
	"plain_text": "Innovation in Cyber Intrusions: The Evolution of TA544 - Yoroi\r\nPublished: 2023-12-18 · Archived: 2026-04-05 13:49:09 UTC\r\nIntroduction\r\nInnovation is not only an activity performed by companies committed to protecting their perimeter, but also one practised by threat actors. In fact, while organizations are investing in cybersecurity operations, such as buying or implementing digital defenses, threat actors are implementing new strategies to bypass those protections.\r\nAn example of this type of innovation is TA544, also known as Narwhal Spider, Gold Essex, and recently as the Ursnif Gang, the notorious group that hit Italy with massive attack waves of Ursnif malware in past years.\r\nDuring the last weeks, we observed a significant evolution in its TTPs, involving the adoption of new cyber weapons across its whole infection chain: the abandonment of Ursnif in favor of HijackLoader, aka IDAT Loader, and the delivery of other malware payloads, like Remcos and SystemBC, passing through massive abuse of DLL sideloading.\r\nIn the case under observation, the goal of the infection is to lead to the execution of the RAT (Remote Administration Tool) RemCosRAT, a lightweight and legitimate software used for remote control which is abused by cybercriminals to facilitate access to infected machines and pursue the group's new goal of Initial Access Broker inside the new cybercriminal business model.\r\nFigure 1: TA544 brand new infection chain\r\nTechnical Analysis\r\nDuring the last weeks, we observed a serious variation in TA544’s cyber intrusions. The new infection chain involves new components and attack procedures. For this report, we examine the campaign spread on 21st November and reported by the independent security researcher @JAMESWT_MHT.\r\nhttps://web.archive.org/web/20231219110155/https://yoroi.company/en/research/innovation-in-cyber-intrusions-the-evolution-of-ta544/\r\nPage 1 of 10\n\nThe infection chain starts with a malicious mail containing a malicious link, which downloads a URL file having the following static information.\r\nSHA256: e3454a40e1903c9369f74b323df4dda0931449a0321cd3ae21f3e8d0ff92b93c\r\nThreat: IDAT Loader/Remcos\r\nThreat Description: URL downloading IDAT Loader payload\r\nThis file can be treated as an Internet shortcut, containing a pointer to a remote resource on the Internet. Generally this kind of threat contains an HTTP link, but a recent TTP is to abuse the SMB protocol and point to a public share, so enabling the next stage of the infection.\r\nFigure 2: URL downloading the first executable\r\nSo, the URL downloads the first executable of the infection chain, which, after attribution, is a new version of IDAT Loader. This is a relatively new malware, first reported by Rapid7 researchers. During this infection chain, IDAT Loader is widely used in all the intermediate stages, in both executable and DLL form.\r\nThe first IDAT Loader packer is a trojanized executable written in C++, containing a simple but sometimes effective anti-analysis trick: if the file name is exactly the one intended by the attacker, the infection goes on; otherwise the malware evades by showing a MessageBox with a generic error.\r\nThe algorithm is quite easy. The malware retrieves the file name thanks to the GetModuleFileNameW API call. Then it performs two checks on that filename. The first one is quite easy: it only compares the length of the name against a hardcoded one; the second one iterates over the characters of the filename and sums the hexadecimal value of each character with the next one; the result of this operation is then checked against a hardcoded value in the .rdata section:\r\nFigure 3: Filename check\r\nIf these checks pass, the malware downloads the file hxxps://mailsbestfriend.]com/downloads/Filters/FILTER-SOLICIT.txt and from its content builds the string InitOnceExecuteOnce, which is a function used to execute the next subroutine. This API call is extensively abused in this malware because of its callback design, which is also useful when dealing with the execution of shellcode. Then it uses the same technique for VirtualAlloc and writes shellcode to the allocated memory, which is a trampoline to decode and inject another stage of shellcode inside the PLA.DLL library, a legitimate Microsoft library (Performance Logs and Alerts Library) which provides the ability to generate alert notifications based on performance counter thresholds.\r\nAfter dynamically loading the APIs in this new shellcode hosted inside PLA.dll, the malware downloads a PNG hosted on hxxps://i.imgur.]com/gmknwUN.png. At this point the behaviour of IDAT Loader emerges: the shellcode is responsible for looking for “IDAT” structures inside the PNG file and extracting the next stage code.\r\nFigure 4: PNG containing the next stage using steganography.\r\nAt first glance, this image seems to be a legitimate image, but the bottom part is not rendered well, indicating the possibility of a hidden payload, a sort of steganography. This hypothesis is confirmed by inspecting the code and viewing a particular routine aimed at comparing the 4 bytes following the “IDAT” header of the PNG file with a hardcoded value:\r\nFigure 5: Comparing the next 4 bytes after IDAT\r\nWhen the hardcoded value matches, the malware starts the decryption and decompression routine for the next stage of the malware:\r\nFigure 6: Decryption and decompression\r\nThen, after the decoding phase, the malware writes all the extracted files inside the “%appdata%\\Roaming\\DebugApp_v1” directory. After writing the files, the malware invokes the API call CreateProcessW in order to execute “liveupdate.exe”, which will sideload the “log.dll” library.\r\nFigure 7: Next stage containing the trojanized log.dll\r\nThe “log.dll” library is a trojanized dependency loaded by the “liveupdate.exe” process, which immediately reads “jouk.mpg”, an encrypted file containing the shellcode to load in memory, aimed at propagating the infection to the next stages. This new piece of code has the goal of storing the same code in an environment variable, thanks to the SetEnvironmentVariableW API call, in order to retrieve it in the next stage through the GetEnvironmentVariableW call.\r\nThe next step is to run a cmd.exe process through the CreateProcessW API call and inject a piece of shellcode into it, performed through the Heaven’s Gate technique and a series of direct syscalls. The Heaven's Gate technique in malware analysis refers to a sophisticated method employed by malicious software to obscure its code and evade detection. This technique involves switching between 32-bit and 64-bit execution modes during runtime, complicating the analysis process. By utilizing specific opcodes, such as the 0x33 operand prefix, malware can dynamically transition from 32-bit to 64-bit mode or vice versa. Direct syscalls, on the other hand, represent a low-level approach in malware execution: in this way, threat actors are able to bypass standard library functions, allowing malware to interact with the operating system kernel at a more fundamental level.\r\nThe principal syscalls aimed at the injection routine are NtCreateSection, NtMapViewOfSection and NtWriteVirtualMemory, used to remotely load, this time too, the pla.dll library inside the just-created cmd.exe process and then inject the shellcode inside its .text section.\r\nFigure 8: Using Heaven’s Gate and direct syscalls for the injection.\r\nAn instance of direct syscall used by the malware is NtWriteVirtualMemory, the routine aimed at writing the code inside the remote process’ memory. The following figure shows the opcode of the syscall along with the parameters pushed on the stack.\r\nFigure 9: NtWriteVirtualMemory through syscall to inject shellcode into cmd.exe\r\nAt this point, the malware writes a file with a random name in the temporary folder, which contains the Remcos payload along with other configuration data and additional modules for IDAT Loader.\r\nFigure 10: Writing a file in %temp%\r\nThis data is decrypted using XOR with a hardcoded key. For the analyzed sample the key is EC4837D0.\r\nFigure 11: Decryption of the temporary file.\r\nWhen control passes to the cmd.exe process, the shellcode injected inside the pla.dll library runs. At this point the shellcode sets up the malware persistence through the creation of a LNK file pointing to the “%appdata%\\Roaming\\DebugApp_v1\\liveupdate.exe” file. This technique is quite effective because security controls consider that kind of operation legitimate, since the liveupdate executable is legitimate.\r\nFigure 12: Setting up the persistence.\r\nAt this point, the malware continues the infection chain by retrieving the temporary file written in the previous step and starting the decryption of the Remcos payload contained inside it. The encryption is performed by using a 200-byte-long XOR key, as shown in the following Figure.\r\nFigure 13: Decryption of the Remcos payload\r\nThen the malicious cmd.exe process calls VirtualAlloc, which allocates the memory to write the final shellcode. However, this long payload is injected inside another instance of the explorer.exe process, created in suspended mode through the CreateProcessInternalW API call, and the shellcode is injected inside it.\r\nFigure 14: NtWriteVirtualMemory through syscall to inject shellcode into explorer.exe\r\nFor the injection of the Remcos payload, instead, the malware uses Heaven’s Gate as mentioned in the previous stage. The routine is to create a new section inside the cmd.exe process through NtCreateSection and then map it onto the target process through the NtMapViewOfSection syscall, with syscall code 0x28. This method works because the malware points to the handle of the new explorer.exe process.\r\nFigure 15: Mapping the Remcos payload to explorer.exe\r\nThe last step of the analysis is to confirm that this is Remcos malware. As reported by many security firms, Remcos stores its configuration inside a resource, protecting it with an RC4 key whose length is given by the first byte of that resource; appended to the key is the encrypted configuration:\r\nFigure 16: Remcos config\r\nConclusion\r\nTA544 has been a constant threat to Italian organizations in the past years. In this report we wanted to highlight the importance of monitoring the never-ending evolution of the TTPs that threat actors adopt to elude defenses and stay one step ahead. In the recent weeks after the longstanding wave of Ursnif spam, TA544 has switched to using IDAT Loader and Remcos, while also briefly trying SystemBC, as reported by the independent security researcher @JAMESWT_MHT.\r\nThe evolution of the actor since 2017, when we started to monitor it, is notable. This means that threat actors are realizing that they need to improve and innovate their TTPs in order to keep their competitiveness high. Now, it is evident that TA544 is specializing in IAaaS (Initial Access as a Service). In fact, if we think about the Ursnif malware, we all know that it was designed as a Banking Trojan, but over its evolution it has been turned into a backdoor for Human Operated cyber intrusions as IAaaS, and now into other RATs, like Remcos, SystemBC, etc.\r\nIndicators of Compromise\r\nHash\r\n2289f5e6c2e87cf4265ed7d05ef739d726ebd82614a1b856d4b5964834d307c9\r\n6e5db2efcad7fbacc72f1db53741d342a2524a481c4835885fe6c3a46e9036b3\r\ndd277db4beda582c70402c9163491da27fde7cba2906f15e5beb8b2a394c400b\r\ne02471f33d07a4f9046be6e7b15de68093bb72fdd15b61f3033aea57d9940108\r\nC2:\r\nlistpoints.]online:6090\r\nretghrtgwtrgtg.bounceme.]net:3839\r\nlistpoints.]click:7020\r\ndatastream.myvnc.]com:5225\r\ngservicese.]com:2718\r\ncenter.onthewifi.]com:8118\r\nYara Rules\r\nrule HijackLoader\r\n{\r\n meta:\r\n author = \"Yoroi Malware ZLab\"\r\n description = \"Rule for IDAT Loader initial sample\"\r\n last_updated = \"2023-11-27\"\r\n tlp = \"WHITE\"\r\n category = \"informational\"\r\n strings:\r\n $1 = {89 4D F4 C7 45 F8 00 00 00 00 C7 45 F? 00 00 00 00 8B 45 F? 8B 4D F4 0F B7 14 41 85 D2 74 ?? 8B 45 F\r\n $2 = {C7 45 FC 00 00 00 00 C7 45 F? 00 00 00 00 8B 45 F? 8D 14 00 8B 45 08 01 D0 0F B7 00 66 85 C0 74 ?? 8\r\n condition:\r\n any of them and uint16(0) == 0x5A4D\r\n}\r\nThis report has been authored by Luigi Martire, Carmelo Ragusa, Giovanni Pirozzi and Marco Giorgi\r\nSource: https://web.archive.org/web/20231219110155/https://yoroi.company/en/research/innovation-in-cyber-intrusions-the-evolution-of-ta544/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20231219110155/https://yoroi.company/en/research/innovation-in-cyber-intrusions-the-evolution-of-ta544/"
	],
	"report_names": [
		"innovation-in-cyber-intrusions-the-evolution-of-ta544"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f",
			"created_at": "2022-10-25T16:07:24.519535Z",
			"updated_at": "2026-04-10T02:00:05.019918Z",
			"deleted_at": null,
			"main_name": "Narwhal Spider",
			"aliases": [
				"Gold Essex",
				"Storm-0302"
			],
			"source_name": "ETDA:Narwhal Spider",
			"tools": [
				"Cutwail",
				"Pushdo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e89b9b7877c66bdf37e26b1309936b0c8a8cfdb5.pdf",
		"text": "https://archive.orkl.eu/e89b9b7877c66bdf37e26b1309936b0c8a8cfdb5.txt",
		"img": "https://archive.orkl.eu/e89b9b7877c66bdf37e26b1309936b0c8a8cfdb5.jpg"
	}
}