A phishing campaign has been attempting to disguise spam as an email chain, using genuine messages taken from email clients on previously compromised hosts.
Cybercriminal group TA551, aka Shathak, is behind the operation, which is known to spread information-stealing malware such as Ursnif, Valak and IcedID, according to a blog post today from the Unit 42 threat research team at Palo Alto Networks.
The campaign typically targets English-speaking victims and dates back as far as Feb. 4, 2019. However, more recently it has expanded its targets to include German, Italian and Japanese speakers. In the past, the attackers sometimes would use Ursnif and Valak as downloaders to secondarily distribute IcedID, but since July 2020 it appears they have focused exclusively on IcedID, delivering it instead via malicious macros.
The offending emails arrive in inboxes with attached, password-protected zip archives containing Word documents. If the recipient opens the doc and enables the malicious macros within, the infection chain commences and the IcedID malware is installed.
"TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. It sends copies of these email chains to recipients of the original email chain," Threat Intelligence Analyst Brad Duncan wrote in the blog. "The spoofed email includes a short message as the most recent item in the chain. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. File names for the ZIP archives use the name of the company being spoofed in the email."
Unit 42 has noted that since Oct. 20, 2020, TA551's traffic patterns have "changed significantly," and artifacts generated during infections also have slightly changed. "These changes may be an effort by malware developers to evade detection. At the very least, they might confuse someone conducting forensic analysis on an infected host," said Duncan.
Unit 42 anticipates the TA551 campaign will evolve further in the coming months.