Application security, Malware, Phishing

Malspam campaign spoofs email chains to install IcedID info-stealer

BlackBerry user Douglas Philips checks emails on his BlackBerry in 2007 in San Francisco, California. A new tool available on the dark web allows cyberattackers to abuse a special feature of the Internet Message Access Protocol used for remote email access.  (Photo by Justin Sullivan/Getty Images)

A phishing campaign has been attempting to disguise spam as an email chain, using genuine messages taken from email clients on previously compromised hosts.

Cybercriminal group TA551, aka Shathak, is behind the operation, which is known to spread information-stealing malware such as Ursnif, Valak and IcedID, according to a blog post today from the Unit 42 threat research team at Palo Alto Networks.

The campaign typically targets English-speaking victims and dates back as far as Feb. 4, 2019. However, more recently it has expanded its targets to include German, Italian and Japanese speakers. In the past, the attackers sometimes would use Ursnif and Valak as downloaders to secondarily distribute IcedID, but since July 2020 it appears they have focused exclusively on IcedID, delivering it instead via malicious macros.

The offending emails arrive in inboxes with attached, password-protected zip archives containing Word documents. If the recipient opens the doc and enables the malicious macros within, the infection chain commences and the IcedID malware is installed.

"TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. It sends copies of these email chains to recipients of the original email chain," Threat Intelligence Analyst Brad Duncan wrote in the blog. "The spoofed email includes a short message as the most recent item in the chain. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. File names for the ZIP archives use the name of the company being spoofed in the email."

Unit 42 has noted that since Oct. 20, 2020, TA551's traffic patterns have "changed significantly," and artifacts generated during infections also have slightly changed. "These changes may be an effort by malware developers to evade detection. At the very least, they might confuse someone conducting forensic analysis on an infected host," said Duncan.

Unit 42 anticipates the TA551 campaign will evolve further in the coming months.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.