TA551 (aka Shathak) is an email-based malware distribution campaign that actively targets English speakers. Operating since early 2020, TA551 is known to distribute various malware families, such as Ursnif and Valak.

Fremont, CA: In a recent publication, researchers reported that the TA551 campaign was seen spreading the IcedID information stealer from mid-July to November 2020. The group is still using the same infection chain it employed during that period. It uses a spoofed email as bait, and these emails are harvested from email clients on previously infected hosts.

The email includes an attached ZIP archive and a message telling the user the password required to unlock the attachment. The ZIP archive contains a Microsoft Word document with macros. If the victim enables macros on a vulnerable Windows computer, the victim's host downloads an installer DLL for the IcedID malware. Until October 27, 2020, the campaign targeted only English-speaking victims. Afterwards, it broadened its targeting to include Japanese-speaking victims as well. Separately, an ElectroRAT stealer for macOS, Windows, and Linux was recently observed, which went undetected for approximately a whole year. In addition, the PyMicropsia stealer, associated with the AridViper hacking group, was observed operating in the Middle East.
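The lure chain described above (a message that states a password, a ZIP attachment, and a macro-enabled Word document inside it) lends itself to a simple mail-gateway triage check. The following is an added example written for this article, not code from the researchers or from any product; the email body, the ZIP archive and the Word document are all constructed in memory as dummy data, and the heuristic flags the combination of indicators rather than any single one. Because the Python standard library cannot write encrypted ZIPs, the constructed archive is unencrypted; the check still reads the per-entry encryption flag so that a real password-protected archive is reported as such.

```python
"""Triage heuristic for a TA551-style lure: password in body + ZIP + macro document.

All sample data below is constructed for the example; no real malware is used.
"""
import io
import re
import zipfile

PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)
WORD_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def build_macro_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word document.

    A .docm is an OOXML container (a ZIP) whose VBA code lives in
    word/vbaProject.bin; the bytes here are dummies.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00dummy-vba-project\x00")
    return buf.getvalue()


def build_lure_zip(doc_name: str, doc_bytes: bytes) -> bytes:
    """Constructed outer ZIP archive holding the Word document (unencrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(doc_name, doc_bytes)
    return buf.getvalue()


def word_doc_has_vba(data: bytes, name: str) -> bool:
    """True if an OOXML document carries word/vbaProject.bin.

    Legacy .doc/.dot files are OLE2 containers whose macro streams need
    extra tooling to parse, so any file with the OLE2 signature is flagged.
    """
    lower = name.lower()
    if lower.endswith((".doc", ".dot")):
        return data[:8] == OLE2_MAGIC
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower() == "word/vbaproject.bin" for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_email(body: str, attachments: dict) -> dict:
    """Return the indicators found in one email.

    attachments maps filename -> raw bytes.
    """
    findings = {
        "password_in_body": bool(PASSWORD_HINT.search(body)),
        "zip_attachment": False,
        "zip_encrypted": False,
        "word_doc_in_zip": False,
        "macro_document": False,
    }
    for fname, blob in attachments.items():
        if not fname.lower().endswith(".zip"):
            continue
        findings["zip_attachment"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                for info in z.infolist():
                    # Bit 0 of the general-purpose flag marks an encrypted entry.
                    if info.flag_bits & 0x1:
                        findings["zip_encrypted"] = True
                        continue  # contents unreadable without the password
                    if info.filename.lower().endswith(WORD_EXTS):
                        findings["word_doc_in_zip"] = True
                        if word_doc_has_vba(z.read(info), info.filename):
                            findings["macro_document"] = True
        except zipfile.BadZipFile:
            pass
    # Flag the combination the campaign relies on, not any single indicator.
    findings["suspicious"] = (
        findings["password_in_body"]
        and findings["zip_attachment"]
        and (findings["macro_document"] or findings["zip_encrypted"])
    )
    return findings


if __name__ == "__main__":
    lure = build_lure_zip("request.docm", build_macro_docm())
    print(triage_email("See attached. The password is 1234.", {"info.zip": lure}))
```

In a real gateway the same check would run on the decoded MIME parts; the point is that a ZIP alone or a password mention alone is common in legitimate mail, while the three together match the lure closely enough to quarantine for review.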

The use of information stealers is increasing, and cybercriminals frequently adopt such tools for numerous malicious purposes, such as surveillance, intelligence collection, and data harvesting. Specialists therefore recommend spam filtering, sound system administration, and keeping Windows hosts fully patched for more reliable protection.