malware_traffic

2020-08-20 - Notes on recent TA551 (shathak) activity

Aug 20th, 2020 (edited)
2020-08-20 - NOTES ON RECENT TA551/SHATHAK ACTIVITY:

- This deals with recent waves of malspam with password-protected zip archives containing TA551 (Shathak) Word docs pushing IcedID.

NOTES ON GEOFENCING:

- I've been able to infect lab hosts using IP addresses based in the US, Canada, and the UK, so URLs ending in ".cab" for the installer DLL files are not just geofenced to the US.

NOTES ON THE DOCS:

- In the past week or so, I've noticed two sizes of Word docs from this malspam. For today (2020-08-20), there's a group of Word docs approximately 72 kB to 74 kB in size, and another group approximately 115 kB to 116 kB in size.

72 kB to 74 kB examples:

- 72,164 bytes - command 08.20.2020.doc
- 72,163 bytes - decree 08.20.20.doc
- 72,424 bytes - decree.08.20.doc
- 72,195 bytes - enjoin.08.20.doc
- 72,199 bytes - figures,08.20.doc
- 72,442 bytes - file,08.20.20.doc
- 72,098 bytes - input_08.20.doc
- 72,023 bytes - inquiry_08.20.20.doc
- 72,017 bytes - instrument indenture-08.20.doc
- 72,107 bytes - legal agreement,08.20.20.doc
- 72,544 bytes - report 08.20.2020.doc
- 72,442 bytes - report 08.20.2020.doc
- 74,030 bytes - report,08.20.2020.doc
- 72,194 bytes - rule_08.20.2020.doc
- 72,164 bytes - specifics_08.20.doc
- 72,163 bytes - statistics 08.20.doc

115 kB to 116 kB examples:

- 116,208 bytes - decree.08.20.doc
- 115,867 bytes - facts 08.20.doc
- 115,443 bytes - instruct,08.20.doc
- 115,444 bytes - ordain-08.20.doc
- 115,876 bytes - particulars-08.20.doc
- 115,810 bytes - require 08.20.doc

The smaller 72-74 kB docs cause the following:

- The following artifacts dropped:
  - C:\Users\Public\in.com (copy of MSHTA.EXE)
  - C:\Users\Public\in.html (HTML file containing obfuscated JavaScript code)

- Installer DLL files always saved to:
  - C:\Users\[username]\AppData\Local\Temp\temp.tmp

The bigger 115-116 kB docs cause the following:

- No artifacts dropped to the C:\Users\Public\ directory.

- Installer DLL files saved to the same directory as the Word document as a randomly-named file with a .jpg file extension. Examples:
  - b0635dfb.jpg
  - b72e0f4c.jpg
  - ce81b018.jpg
  - f1a30027.jpg
  - f8015423.jpg

NOTES ON THE INSTALLER DLL FILES:

- The installer DLLs are run with the regsvr32.exe command. Sometimes I'll see the -s or /s flag, but lately it's run without any flags.

- The installer DLLs notably change throughout the day.

- Maybe every hour or so (I don't know because I haven't timed it yet) the DLL files are updated with a different domain to get background.png over HTTPS. These domains end in .casa, .cyou, or .top (and maybe some others).
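Added here as a defender-side illustration, not part of the original notes: a small Python detector that applies the artifacts described above (the C:\Users\Public\ drops, regsvr32.exe loading temp.tmp or an eight-hex-character .jpg, and the HTTPS fetch of background.png from a .casa/.cyou/.top domain) to constructed telemetry lines. The "Type|key=value" line format, the sample paths, the username and the placeholder domain are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed telemetry in an assumed "Type|key=value|..." line format (not a real
# Sysmon/EDR export); the username and the .casa domain are placeholders.
SAMPLE_EVENTS = [
    r"FileCreate|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|target=C:\Users\Public\in.com",
    r"FileCreate|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|target=C:\Users\Public\in.html",
    r"ProcessCreate|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32 C:\Users\alice\AppData\Local\Temp\temp.tmp",
    r"ProcessCreate|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32 -s C:\Users\alice\Downloads\b0635dfb.jpg",
    r"NetConnect|image=C:\Windows\System32\regsvr32.exe|url=https://placeholder-domain.casa/background.png",
    r"ProcessCreate|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32 /s C:\Windows\System32\msxml3.dll",
    r"NetConnect|image=C:\Program Files\Mozilla Firefox\firefox.exe|url=https://example.com/background.png",
]

PUBLIC_ARTIFACTS = {r"c:\users\public\in.com", r"c:\users\public\in.html"}
DLL_TLDS = (".casa", ".cyou", ".top")                  # TLDs seen hosting background.png
JPG_DLL_RE = re.compile(r"\\[0-9a-f]{8}\.jpg$", re.I)  # e.g. \b0635dfb.jpg


def parse_event(line):
    """Split 'Type|k=v|k=v' into a dict; the event type is stored under 'type'."""
    etype, *fields = line.split("|")
    return {"type": etype, **dict(f.partition("=")[::2] for f in fields)}


def match_event(evt):
    """Return the names of the TA551 behaviours from the notes that this event matches."""
    hits = []
    image = evt.get("image", "").lower()
    if evt["type"] == "FileCreate" and evt.get("target", "").lower() in PUBLIC_ARTIFACTS:
        hits.append("public_dir_artifact")          # in.com (mshta copy) or in.html
    if evt["type"] == "ProcessCreate" and image.endswith(r"\regsvr32.exe"):
        cmd = evt.get("cmdline", "")
        if cmd.lower().endswith(r"\appdata\local\temp\temp.tmp"):
            hits.append("regsvr32_temp_tmp")        # smaller (72-74 kB) doc variant
        if JPG_DLL_RE.search(cmd):
            hits.append("regsvr32_jpg_dll")         # larger (115-116 kB) doc variant
    if evt["type"] == "NetConnect" and image.endswith(r"\regsvr32.exe"):
        u = urlparse(evt.get("url", ""))
        if u.scheme == "https" and u.path.endswith("/background.png") and (u.hostname or "").endswith(DLL_TLDS):
            hits.append("dll_background_png_fetch")
    return hits


def scan(lines):
    """Run each line through match_event; return (line_index, rule_name) pairs."""
    return [(i, r) for i, line in enumerate(lines) for r in match_event(parse_event(line))]
```

`scan(SAMPLE_EVENTS)` flags the first five lines and leaves the two benign lines (a normal regsvr32 call on a system DLL and a browser fetch) alone.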