Introduction

TA551 (also known as Shathak) represents a threat actor behind malspam that has pushed different families of malware over the past few years. So far this week, TA551 is pushing IcedID (Bokbot).
Images from an infection
Indicators of Compromise (IOCs)

The infection process was similar to my previous diary about TA551 from August 2021, but this time it delivered IcedID instead of BazarLoader.

Associated malware:
IcedID traffic:
Final words

IcedID can be followed by Cobalt Strike when an infected host is part of an Active Directory (AD) environment. These types of infections can deliver ransomware as a final payload in real-world environments. But decent spam filters and best security practices can help you avoid IcedID. Default security settings in Windows 10 and Microsoft Office 2019 should prevent these types of infections from happening.

--- Brad Duncan
Brad, ISC Handler, Dec 3rd 2021