Malspam campaign spoofs email chains to install IcedID info-stealer

  • In a new phishing campaign, the offending emails arrive in inboxes with attached, password-protected zip archives that contain Word files. (Image by Justin Sullivan/Getty Images)

    A phishing campaign has been attempting to disguise spam as an email chain, using legitimate messages taken from email clients on previously compromised hosts.

    Cybercriminal group TA551, aka Shathak, is behind the operation, which is known to distribute information-stealing malware such as Ursnif, Valak and IcedID, according to a blog post today from the Unit 42 threat research team at Palo Alto Networks.

    The campaign typically targets English-speaking victims and dates back as far as Feb. 4, 2019. More recently, however, it has expanded its targets to include German, Italian and Japanese speakers. In the past, the attackers sometimes used Ursnif and Valak as downloaders to secondarily distribute IcedID, but since July 2020 they appear to have focused solely on IcedID, delivering it directly via malicious macros.

    The offending emails arrive in inboxes with attached, password-protected zip archives containing Word documents. Because the archive is encrypted, mail gateways cannot inspect its contents. If the recipient opens the document and enables the malicious macros inside, the infection chain begins and the IcedID malware is installed.

    “TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. It sends copies of these email chains to recipients of the original email chain,” Threat Intelligence Analyst Brad Duncan wrote in the blog. “The spoofed email contains a short message as the most recent item in the chain. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. File names for the ZIP archives use the name of the company being spoofed in the email.”
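The lure described in the two paragraphs above has three observable traits that a mail-gateway or triage script can check without a password: the ZIP attachment is encrypted (general-purpose flag bit 0 in its headers), it contains an Office document that can carry macros, and the message body supplies the password. The following script is an added example written for this article, not Unit 42 tooling or code from the Palo Alto Networks blog; the sample messages, addresses, file names and ZIP bytes are constructed inline (the ZIP is hand-built because Python's `zipfile` cannot write encrypted archives, and its 12-byte encryption header is a zero placeholder rather than real ZipCrypto). The scoring threshold and the list of macro-capable extensions are assumptions for illustration.

```python
import email
import email.policy
import io
import struct
import zipfile
import zlib
from email.message import EmailMessage

# Office formats that can carry VBA macros (assumed list for this example).
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm")


def build_zip(entries, encrypted):
    """Hand-build a minimal STORED-method ZIP. zipfile cannot *write* encrypted
    archives, so general-purpose flag bit 0 ("encrypted") is set here directly.
    The 12-byte encryption header is a zero placeholder, not real ZipCrypto."""
    flags = 0x0001 if encrypted else 0x0000
    local, central, offset = [], [], 0
    for name, data in entries:
        nb = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        body = (b"\x00" * 12 + data) if encrypted else data
        # Local file header: sig, version, flags, method, time, date, crc, sizes, name/extra len
        lfh = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                          crc, len(body), len(data), len(nb), 0) + nb
        # Central directory header for the same entry, pointing at the local header offset
        cdh = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                          0, 0, 0, crc, len(body), len(data), len(nb),
                          0, 0, 0, 0, 0, offset) + nb
        local.append(lfh + body)
        central.append(cdh)
        offset += len(lfh) + len(body)
    cd = b"".join(central)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(cd), offset, 0)
    return b"".join(local) + cd + eocd


def make_sample(sender, body, zip_name, member, encrypted):
    """Constructed test message; every address, name and payload is invented."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.net"
    msg["Subject"] = "RE: invoice"
    msg.set_content(body)
    msg.add_attachment(build_zip([(member, b"not a real document")], encrypted),
                       maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def triage_message(raw):
    """Return one finding per ZIP attachment, scoring the three lure indicators."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    mentions_password = "password" in text.lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            # Central-directory metadata is readable without the password.
            members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).infolist()
        except zipfile.BadZipFile:
            findings.append({"attachment": name, "error": "not a valid ZIP"})
            continue
        encrypted = any(zi.flag_bits & 0x1 for zi in members)
        office = sorted(zi.filename for zi in members
                        if zi.filename.lower().endswith(OFFICE_EXTS))
        score = int(encrypted) + int(bool(office)) + int(mentions_password)
        findings.append({
            "attachment": name,
            "encrypted": encrypted,
            "office_members": office,
            "body_mentions_password": mentions_password,
            "score": score,
            "verdict": "suspicious" if score >= 2 else "ok",  # threshold is an assumption
        })
    return findings


# Constructed samples: a lure in the shape the article describes, and a benign control.
SAMPLE_LURE = make_sample(
    "accounts@example-corp.test",
    "Please see the attached file. Password: 1234\n\n> On Mon, Alice wrote:\n> Thanks for the invoice.",
    "Example_Corp.zip", "Example_Corp_info.doc", encrypted=True)
SAMPLE_BENIGN = make_sample(
    "alice@example.org", "Notes from today's meeting attached.",
    "notes.zip", "notes.txt", encrypted=False)

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage_message(raw))
```

The check relies only on ZIP central-directory metadata, which is never encrypted, so it works on the archive as it arrives; extracting or detonating the document is a separate step. An encrypted archive with an Office file inside and a password in the body is not proof of TA551 specifically, but it is the combination the article describes and a reasonable trigger for quarantine and manual review.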

    Unit 42 has noted that since Oct. 20, 2020, TA551’s traffic patterns have “changed significantly,” and the artifacts generated during infections have also changed slightly. “These changes may be an effort by malware developers to evade detection. At the very least, they may confuse someone conducting forensic analysis on an infected host,” said Duncan.

    Unit 42 anticipates that the TA551 campaign will evolve further in the coming months.