2020-08-20 - Notes on recent TA551 (shathak) activity

1. 2020-08-20 - NOTES ON RECENT TA551/SHATHAK ACTIVITY:
2.  
3. - This deals with recent waves of malspam with password-protected zip archives containing TA551 (Shathak) Word docs pushing IcedID.
4.  
5. NOTES ON GEOFENCING:
6.  
7. - I've been able to infect lab hosts using IP addresses based in the US, Canada, and the UK, so URLs ending in ".cab" for the installer DLL files are not just geofenced to the US.
8.  
9. NOTES ON THE DOCS:
10.  
11. - In the past week or so, I've noticed two sizes of Word docs from this malspam. For today (2020-08-20), there's a group Word docs that's approximately 72 kB to 74 kB in size, and there's another group approximately 115 kB to 116 kB in size.
12.  
13. 72 kB to 74 kB examples:
14.  
15. - 72,164 bytes - command 08.20.2020.doc
16. - 72,163 bytes - decree 08.20.20.doc
17. - 72,424 bytes - decree.08.20.doc
18. - 72,195 bytes - enjoin.08.20.doc
19. - 72,199 bytes - figures,08.20.doc
20. - 72,442 bytes - file,08.20.20.doc
21. - 72,098 bytes - input_08.20.doc
22. - 72,023 bytes - inquiry_08.20.20.doc
23. - 72,017 bytes - instrument indenture-08.20.doc
24. - 72,107 bytes - legal agreement,08.20.20.doc
25. - 72,544 bytes - report 08.20.2020.doc
26. - 72,442 bytes - report 08.20.2020.doc
27. - 74,030 bytes - report,08.20.2020.doc
28. - 72,194 bytes - rule_08.20.2020.doc
29. - 72,164 bytes - specifics_08.20.doc
30. - 72,163 bytes - statistics 08.20.doc
31.  
32. 115 kB to 116 kB examples:
33.  
34. - 116,208 bytes - decree.08.20.doc
35. - 115,867 bytes - facts 08.20.doc
36. - 115,443 bytes - instruct,08.20.doc
37. - 115,444 bytes - ordain-08.20.doc
38. - 115,876 bytes - particulars-08.20.doc
39. - 115,810 bytes - require 08.20.doc
40.  
41. The smaller size 72-74 kB docs cause the following:
42.  
43. - The following artifacts dropped:
44. - C:\Users\Public\in.com (copy of MSHTA.EXE)
45. - C:\Users\Public\in.html (HTML file containing obfuscated JavaScript code)
46.  
47. - Installer DLL files always saved to:
48. - C:\Users\[username]\AppData\Local\Temp\temp.tmp
49.  
50. The bigger 115-116 kB docs cause the following:
51.  
52. - No artifacts dropped to the C:\Users\Public\ directory.
53.  
54. - Installer DLL files saved to the same directory as the word document as a randomly-named file with a .jpg file extension. Examples:
55. - b0635dfb.jpg
56. - b72e0f4c.jpg
57. - ce81b018.jpg
58. - f1a30027.jpg
59. - f8015423.jpg
60.  
61. NOTES ON THE INSTALLER DLL FILES:
62.  
63. - The installer DLLs are run with the regsvr32.exe command. Sometimes I'll see the -s or /s flag, but lately, it's run without any flags.
64.  
65. - The installer DLLs notably change throughout the day.
66.  
67. - Maybe every hour or so (I don't know because I haven't timed it yet) the DLL files are updated with a different domain to get background.png over HTTPS. These domains end in .casa, .cyou, or .top (and maybe some others).