TA551/Shathak is a sophisticated cybercrime actor targeting endusers on a global scale. The group has distributed different malware families over time, but consistently used password-protected ZIP archives containing macro-enabled Office documents. Previous families distributed have included Ursnif and Valak, with IcedID distribution starting in summer 2020.
The Mimecast Threat Research Team has observed multiple TA551/ Shathak campaigns over recent months. TA551/Shathak spoofs legitimate email chains and subjects using mailbox data scraped from previously infected clients. It sends copies of these email chains to senders and recipients from the original email chain, attaching a password protected ZIP file. The password protected ZIP attachments contain a Microsoft Office file with macros to install
malware. This typically generates a URL ending with “.cab” that returns a binary.
[To read the entire report, please fill out the form to get your free copy]