Starting from July 2020 security researchers observe notable changes implemented to the TA551 (aka Shathak) malspam routine. Threat actors behind the TA551 campaign have switched from Ursnif and Valak distribution to IcedID banking Trojan infections.
TA551 is a long-lasting malspam campaign that emerged in February 2019. Initially, it was focused on delivering Ursnif (Gozi/Gozi-ISFB) banking Trojan to English-speaking victims. However, by the end of 2019, researchers observed Valak and IcedID regularly retrieved as second-stage malware. The audience also expanded throughout 2019 by targeting German, Italian and Japanese victims. In 2020, TA551 abandoned Ursnif and focused on the Valak loader. TA551 exclusively promoted Valak till July 2020, with ZLoader (Terdot, DELoader) malware rarely dropped as well. Finally, in Q2 2020, TA551 switched to IcedID banking Trojan propagation.
TA551 malicious routine relies on the spoofed email chains used as a lure. These email chains are fetched from earlier compromised Windows hosts and then sent to the original recipients. The malspam emails display a convincing text asking the victim to extract an attached password-protected ZIP archive. In case a victim is tricked, the archive pops up a macro-laced Word file. Once enabled, macros drop the DLL installer to the compromised PC, which in turn downloads the final malicious payload.
Starting from mid-July 2020, security researchers identified the TA551 malspam campaign exclusively distributing the IcedID banking Trojan. The first wave of infections targeted English users only. Then, on October 27, 2020, TA551 operators switched to Word document templates in Japanese, continuously targeting Japanese users for more than three weeks. In November 2020, the malspam again refocused to the English-speaking audience. Notably, the IcedID malware was frequently delivered as a follow-up payload by Ursnif and Valak. And only in Q2 2020, TA551 hackers decided to concentrate on IcedID as a first-stage payload.
IcedID (also known as BokBot) is a modular banking Trojan designed to steal banking data and credentials from targeted machines. First detected in 2017, IcedID was mainly focused on the U.S.banking providers and telecommunication vendors. Initially, the Trojan was delivered by Emotet, yet the new distribution patterns were acquired in time. The main infection method remains the same, being a malspam containing macro-laced Word files.
IcedID information stealer has a broad range of malicious capabilities accompanied by sophisticated evasion functionality. The Trojan hides its configuration with the help of steganography technique, simultaneously applying anti-VM and anti-debugging features. Upon infection and gaining persistence, the malware propagates through the compromised network, monitoring all the activity on the PC and conducting man-in-the-browser attacks. Such attacks follow three stages, including web-injection, proxy setup, and redirection. This approach allows IcedID to trick victims via social engineering, steal their banking details, and bypass multi-factor authentication while gaining access to bank accounts.
To enhance your proactive defense capabilities against TA551 malspam campaign, download a free Sigma rule released by Joseph Kamau on the Threat Detection Marketplace:
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness
EDR: Microsoft Defender ATP, Carbon Black
Tactics: Execution, Defense Evasion
Techniques: Signed Binary Proxy Execution (T1218)
Get a free subscription to the Threat Detection Marketplace and reach more curated SOC content compatible with the majority of SIEM, EDR, NTDR, and SOAR platforms. Enthusiastic to contribute to the threat hunting activities? Join our Threat Bounty program and share your own Sigma rules with the SOC Prime community.