2020-08-20 - NOTES ON RECENT TA551/SHATHAK ACTIVITY:
- This deals with recent waves of malspam with password-protected zip archives containing TA551 (Shathak) Word docs pushing IcedID.
NOTES ON GEOFENCING:
- I've been able to infect lab hosts using IP addresses based in the US, Canada, and the UK, so URLs ending in ".cab" for the installer DLL files are not just geofenced to the US.
NOTES ON THE DOCS:
- In the past week or so, I've noticed two sizes of Word docs from this malspam. For today (2020-08-20), there's a group of Word docs approximately 72 kB to 74 kB in size, and another group approximately 115 kB to 116 kB in size.
72 kB to 74 kB examples:
- 72,164 bytes - command 08.20.2020.doc
- 72,163 bytes - decree 08.20.20.doc
- 72,424 bytes - decree.08.20.doc
- 72,195 bytes - enjoin.08.20.doc
- 72,199 bytes - figures,08.20.doc
- 72,442 bytes - file,08.20.20.doc
- 72,098 bytes - input_08.20.doc
- 72,023 bytes - inquiry_08.20.20.doc
- 72,017 bytes - instrument indenture-08.20.doc
- 72,107 bytes - legal agreement,08.20.20.doc
- 72,544 bytes - report 08.20.2020.doc
- 72,442 bytes - report 08.20.2020.doc
- 74,030 bytes - report,08.20.2020.doc
- 72,194 bytes - rule_08.20.2020.doc
- 72,164 bytes - specifics_08.20.doc
- 72,163 bytes - statistics 08.20.doc
115 kB to 116 kB examples:
- 116,208 bytes - decree.08.20.doc
- 115,867 bytes - facts 08.20.doc
- 115,443 bytes - instruct,08.20.doc
- 115,444 bytes - ordain-08.20.doc
- 115,876 bytes - particulars-08.20.doc
- 115,810 bytes - require 08.20.doc
The smaller 72-74 kB docs cause the following:
- The following artifact is dropped:
  - C:\Users\Public\in.com (copy of MSHTA.EXE)
- Installer DLL files always saved to:
The larger 115-116 kB docs cause the following:
- No artifacts dropped to the C:\Users\Public\ directory.
- Installer DLL files saved to the same directory as the Word document as a randomly-named file with a .jpg file extension. Examples:
NOTES ON THE INSTALLER DLL FILES:
- The installer DLLs are run with the regsvr32.exe command. Sometimes I'll see the -s or /s flag, but lately, it's run without any flags.
- The installer DLLs notably change throughout the day.
- Maybe every hour or so (I don't know because I haven't timed it yet) the DLL files are updated with a different domain to get background.png over HTTPS. These domains end in .casa, .cyou, or .top (and maybe some others).
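The behaviours in the artifact notes and the installer DLL notes above translate directly into host and proxy detections: regsvr32.exe loading a randomly-named .jpg file (with or without the -s or /s flag), a copy of mshta.exe executing as C:\Users\Public\in.com, and an HTTPS request for background.png to a .casa, .cyou or .top host. The script below is an added example written for this page, not a tool from the original notes. The one-line key=value event format, the field names (image, cmdline, original_filename, host, uri, scheme) and every sample event are constructed assumptions; adapt the parser to whatever your Sysmon or proxy export actually emits.

```python
"""Triage helper for the TA551/Shathak indicators described in these notes.

Added example for this page (not from the original notes). It runs over a few
constructed process-creation and proxy events and flags:
  * regsvr32.exe given a .jpg file as its argument (flag or no flag)
  * a copy of mshta.exe running as C:\\Users\\Public\\in.com
  * an HTTPS GET for background.png against a .casa / .cyou / .top host
The one-line key=value log format and field names are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events, not telemetry from the original notes.
SAMPLE_EVENTS = [
    r'type=process image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32.exe C:\Users\user\Downloads\qH3x8.jpg" parent=WINWORD.EXE',
    r'type=process image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32 /s C:\Users\user\Downloads\k2Fj.jpg" parent=WINWORD.EXE',
    r'type=process image=C:\Users\Public\in.com original_filename=MSHTA.EXE cmdline="C:\Users\Public\in.com script.hta" parent=WINWORD.EXE',
    r'type=process image=C:\Windows\System32\regsvr32.exe cmdline="regsvr32 /s C:\Program Files\Vendor\vendor.dll" parent=msiexec.exe',
    r'type=http host=example-name.casa method=GET uri=/background.png scheme=https',
    r'type=http host=cdn.example.com method=GET uri=/background.png scheme=https',
]

# key=value pairs; a value may be a double-quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUSPECT_TLDS = (".casa", ".cyou", ".top")  # TLDs named in the notes
PUBLIC_DIR = "c:\\users\\public\\"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def regsvr32_jpg_dll(ev: Dict[str, str]) -> bool:
    """regsvr32.exe handed a file with a .jpg extension.

    The notes say the -s / /s flag is sometimes present and sometimes absent,
    so the rule keys on the argument's extension, not on the flag.
    """
    if ev.get("type") != "process":
        return False
    if not ev.get("image", "").lower().endswith("\\regsvr32.exe"):
        return False
    return re.search(r"\.jpg\b", ev.get("cmdline", ""), re.IGNORECASE) is not None


def renamed_mshta(ev: Dict[str, str]) -> bool:
    """Copy of mshta.exe executing out of C:\\Users\\Public.

    Matches the exact in.com path from the notes, and more generally any
    binary under C:\\Users\\Public whose PE original filename is mshta.exe
    (the original_filename field is assumed to come from the EDR/Sysmon export).
    """
    if ev.get("type") != "process":
        return False
    image = ev.get("image", "").lower()
    if image == PUBLIC_DIR + "in.com":
        return True
    return image.startswith(PUBLIC_DIR) and ev.get("original_filename", "").lower() == "mshta.exe"


def background_png_beacon(ev: Dict[str, str]) -> bool:
    """HTTPS GET for background.png against one of the TLDs seen in the notes."""
    if ev.get("type") != "http" or ev.get("scheme", "").lower() != "https":
        return False
    host = ev.get("host", "").lower().rstrip(".")
    return ev.get("uri", "").lower().endswith("/background.png") and host.endswith(SUSPECT_TLDS)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("regsvr32_jpg_dll", regsvr32_jpg_dll),
    ("renamed_mshta", renamed_mshta),
    ("background_png_beacon", background_png_beacon),
]


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (rule, event) pair, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append({"rule": name, "line": line})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['line']}")
```

Two caveats a practitioner would want. First, the URI of an HTTPS request is only visible to a proxy that terminates TLS; without inspection you see the SNI host alone, so the beacon rule degrades to "new .casa/.cyou/.top host contacted shortly after WINWORD.EXE spawned regsvr32.exe", which is still a useful correlation. Second, the notes say the DLL hosting domains rotate roughly hourly, so blocklisting individual hostnames has little value; the stable indicators are the regsvr32-plus-.jpg pattern and the in.com copy of mshta.exe.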