Author: James Barnett
On 2 June, security researcher Brad Duncan reported on a malspam campaign from the threat actor known as Shathak (a.k.a. TA551) distributing the IcedID banking trojan.[1]
We previously reported on an IcedID campaign in November 2020 in which Shathak distributed the malware via Japanese language malspam.[2] We also published on a campaign in July 2020 wherein threat actors used a Valak downloader to deliver IcedID.[3]
IcedID is a banking trojan that uses web injection and redirection attacks to steal banking credentials, credit cards, and other financial information from victims who believe they are entering their information into a secure website.
The emails in this campaign followed Shathak’s standard operating procedure of distributing malicious Microsoft Word documents within password-protected ZIP file attachments. The report did not provide examples of the emails themselves, but based on previous campaigns, Shathak likely used falsified replies as subject lines and included a short lure in the body text that prompted the recipient to open the attached ZIP file using a numerical password included in the email.
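As an added example (not code from the report or from Infoblox), the following Python check shows how a mail gateway could flag the attachment pattern described above: a ZIP whose Office-document entries are password-protected. The encryption bit in each entry's central-directory flags is readable without the password; the ZIP builder only produces a constructed test fixture, and the extension list is an assumption.

```python
import io
import struct
import zipfile
import zlib
from typing import List

# Assumed list of Office document extensions worth flagging inside an encrypted ZIP.
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")


def find_encrypted_office_entries(zip_bytes: bytes) -> List[str]:
    """Return names of Office documents stored as password-protected entries.

    Only the central directory is parsed, so no password is needed: bit 0 of
    an entry's general-purpose flag field marks it as encrypted.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            if encrypted and info.filename.lower().endswith(OFFICE_EXTENSIONS):
                hits.append(info.filename)
    return hits


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Hand-assemble a one-entry ZIP (stored, uncompressed) as a constructed
    fixture; zipfile cannot write the encryption flag itself. The payload is
    filler bytes, not a real document, and the flag alone is what matters."""
    flags = 0x1 if encrypted else 0x0
    # Encrypted entries carry a 12-byte encryption header before the data.
    data = (b"\x00" * 12 if encrypted else b"") + payload
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    raw_name = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(data), len(payload), len(raw_name), 0) + raw_name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          0x21, crc, len(data), len(payload), len(raw_name),
                          0, 0, 0, 0, 0, 0) + raw_name
    cd_offset = len(local) + len(data)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), cd_offset, 0)
    return local + data + central + eocd


if __name__ == "__main__":
    sample = build_zip("invoice.doc", b"constructed filler", encrypted=True)
    print(find_encrypted_office_entries(sample))  # ['invoice.doc']
```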
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.