TA551 also called Shathak is an email-based malware circulation project that frequently targets English-speaking victims. This project has actually intended German, Italian and Japanese speakers.
TA551 in the previous pushed various households of information-stealing malware like Ursnif and Valak. After mid-July 2020, this campaign has actually solely pressed IcedID malware, another info thief.
Chain of Events of TA551
TA551 continued to correspond in its infection process from mid-July to November 2020 (as revealed in the flow diagram listed below). The first lure is an email spoofing an email chain. These e-mail chains are obtained from e-mail clients on formerly contaminated hosts.
The message has actually a connected ZIP archive and a message informing the user of a password needed to open the accessory.
These waves of malspam every time targeted English-speaking victims up until Oct. 27, 2020. After the specialists began observing Japanese templates for the Word documents, TA551 regularly targeted Japanese-speaking victims from Oct. 27-Nov. 20, 2020.
After opening the ZIP archive, the victim discovers a Microsoft Word file with macros. If the victim enables macros on a vulnerable Windows computer, the victims host obtains an installer DLL for IcedID malware. This will contaminate a susceptible Windows computer system.
After approximately 3 weeks of Japanese-focused attacks, TA551 changed back to English-speaking victims starting on Nov. 24, 2020. Apart from the targeted group, TA551 continues to press IcedID as its malware payload.
Attributes of TA551
Organizations with sufficient spam filtering, proper system administration and up-to-date Windows hosts have a lesser danger of infection.
These changes potentially will be an attempt by malware designers to elude detection. At the really least, they may puzzle someone performing forensic analysis on a contaminated host.
From November 2020, specialists observed small modifications in artifacts produced throughout IcedID infections, consisting of that exterior of the TA551 project.
TA551 has actually altered traffic patterns. For a number of months prior to Oct. 2020, URLs generated by Word macros to retrieve installer binaries followed a visible pattern.
URLs end with. cab.
TA551 has actually dispersed different families of malware, consisting of Ursnif (Gozi/ISFB), Valak and IcedID.
TA551 malspam spoofs genuine e-mail chains based upon information recovered from formerly contaminated Windows hosts. It sends out copies of these e-mail chains to receivers of the original email chain.
The spoofed email contains a short message as the most current item in the chain. This is a generic statement asking the recipient to open an attached ZIP archive utilizing the provided password.
File names for the ZIP archives utilize the name of the company being spoofed in the email.
In 2020, experts observed emails with info.zip or request.zip as the attached ZIP archive names.
These password-protected ZIP attachments contain a Word file with macros to install malware.
File names for the drawn out Word files follow visible patterns.
URLs created by the associated Word macros likewise follow noticeable patterns.
Palo Alto Networks Next-Generation Firewall consumers are furthermore protected from this risk with the Threat Prevention security subscription, which detects the malware. AutoFocus customers can track this activity utilizing the TA551 and IcedID tags.
TA551 continued to be consistent in its infection procedure from mid-July to November 2020 (as shown in the circulation chart listed below). If the victim enables macros on a vulnerable Windows computer, the victims host recovers an installer DLL for IcedID malware. These waves of malspam every time targeted English-speaking victims until Oct. 27, 2020. After the experts began observing Japanese templates for the Word documents, TA551 consistently targeted Japanese-speaking victims from Oct. 27-Nov. TA551 has actually altered traffic patterns.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.