TA551

Also known as: GOLD CABIN · Shathak

Overview

TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.

Capabilities

Custom malware/implant development — ATT&CK: 4 attributed custom malware families

TTPs — 14 techniques across 5 tactics

Stealth

T1027.003 Steganography
T1027.010 Command Obfuscation
T1036 Masquerading
T1218.005 Mshta
T1218.010 Regsvr32
T1218.011 Rundll32

Command and Control

T1071.001 Web Protocols
T1105 Ingress Tool Transfer
T1132.001 Standard Encoding
T1568.002 Domain Generation Algorithms

Tools & malware (5)

QakBot · IcedID · Valak · Sliver · Ursnif

Reporting (2)

TA551: Email Attack Campaign Switches from Valak to IcedID — Duncan, B
Evolution of Valak, from Its Beginnings to Mass Distribution — Duncan, B