Author: Eric Patterson
TLP: WHITE
On 20 November, security researcher Brad Duncan reported on a malicious spam campaign from the threat actor known as Shathak (a.k.a. TA551) to distribute the IcedID banking trojan via emails written in Japanese.1
We previously reported on a campaign in July wherein threat actors used a Valak downloader to deliver IcedID.2
First discovered in 2017 by IBM X-Force researchers, IcedID (a.k.a. BokBot) is a modular banking trojan that uses man-in-the-browser attacks to steal banking credentials, credit card information and other financial data from victims.3
Based on the language in the email bodies, the threat actors appear to be targeting a Japanese-speaking audience, which could include individuals or organizations that are based in or conduct business with Japan.
The observed subject lures for this campaign are “Re: Speech of welcome” and both the message body and attached Microsoft Word document follow a template. The translated message body invites the recipient to “Please review that attached file” and provides a password to open the accompanying locked ZIP file. The compressed Word document within follows the naming convention <single_word MM.dd.YY.doc> (e.g. adjure-11.20.20.doc).
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
- https://www.malware-traffic-analysis.net/2020/11/20/index.html
- https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–78
- https://securityintelligence.com/posts/breaking-the-ice-a-deep-dive-into-the-icedid-banking-trojans-new-major-version-release
