TA551 Now Spreading IcedID Stealer via Spoofed Emails
TA551 (aka Shathak) is an email-based malware distribution campaign that is actively targeting English-speaking victims. Active since early 2020, TA551 is known to distribute multiple malware families, such as Ursnif and Valak.
What is happening?
In a fresh revelation, researchers said TA551’s campaign from mid-July to November 2020 was found spreading the IcedID information stealer, and the group is still using the same infection chain it used during that period.
- The campaign uses spoofed emails as lures; the emails are retrieved from email clients on previously infected hosts.
- The email message contains an attached ZIP archive and a note telling the user that a password is needed to open the attachment. The ZIP archive contains a Microsoft Word document with macros.
- If the victim enables macros on a vulnerable Windows computer, the victim’s host downloads an installer DLL for the IcedID malware.
- Until October 27, 2020, the campaign only targeted English-speaking victims. It then expanded to other targets, including Japanese-speaking victims.
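As an added illustration, not taken from the original report, the following Python routine triages an email for the traits of the chain described above: a body that announces a password, a ZIP attachment, a Word document inside it, and, for the macro-enabled .docm/.dotm format, an embedded VBA project. The sample message and archive are constructed inline; legacy OLE .doc files would need an OLE parser and are only reported, not opened.

```python
import io
import re
import zipfile

WORD_EXT = (".doc", ".docm", ".dot", ".dotm")


def build_sample_attachment():
    """Constructed sample: a ZIP holding a macro-enabled Word document.
    A .docm is itself a ZIP; word/vbaProject.bin marks a VBA project."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba container")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("request.docm", docm.getvalue())
    return outer.getvalue()


# Constructed sample message, not a real TA551 email.
SAMPLE_EMAIL = {
    "subject": "RE: request",
    "body": "Please see attached. The password for the archive is 1234.",
    "attachments": [("request.zip", build_sample_attachment())],
}


def inspect_zip(data):
    """Walk a ZIP attachment and report traits of the described chain."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP"]
    for info in zf.infolist():
        encrypted = bool(info.flag_bits & 0x1)  # entry is password-protected
        name = info.filename.lower()
        if encrypted:
            findings.append(f"encrypted entry: {info.filename}")
        if name.endswith(WORD_EXT):
            findings.append(f"word document in archive: {info.filename}")
            # Only the OOXML macro formats are opened here; .doc/.dot need olefile.
            if not encrypted and name.endswith(("docm", "dotm")):
                try:
                    inner = zipfile.ZipFile(io.BytesIO(zf.read(info)))
                    if "word/vbaProject.bin" in inner.namelist():
                        findings.append(f"vba project in {info.filename}")
                except zipfile.BadZipFile:
                    findings.append(f"unreadable word document: {info.filename}")
    return findings


def triage(msg):
    """Return the indicators found in one message (dict with body/attachments)."""
    findings = []
    if re.search(r"\bpassword\b", msg["body"], re.I):
        findings.append("body states a password for the attachment")
    for name, data in msg["attachments"]:
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(data))
    return findings
```

Running `triage(SAMPLE_EMAIL)` on the constructed message yields three findings: the password note, the Word document inside the ZIP, and the VBA project inside that document.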
Recent attacks using stealers
- Recently, ElectroRAT, a stealer for macOS, Windows, and Linux, was discovered; it had gone undetected for almost an entire year.
- In addition, PyMicropsia, a stealer linked to the AridViper hacking group, was found active in the Middle East.
The use of information stealers is growing, and cybercriminals are increasingly using such tools for purposes such as espionage, intelligence gathering, and data harvesting. Thus, experts recommend spam filtering, proper system administration, and up-to-date Windows hosts for better protection. In addition, encrypt important data and segregate networks.