Watch Out for the Malspam Attack That Spreads the IcedID Info Stealer
Security researchers spotted a new malware campaign in the wild in early 2021. The actors behind it disguise a large phishing spam run as replies to existing e-mail conversations, so each message arrives as part of what looks like a genuine thread.
To lend credibility to the lure, the actors reuse real e-mail messages lifted from the inboxes of victims compromised earlier. Researchers attribute the campaign to the group tracked as TA551, also referred to as Shathak, a threat actor operating out of an undetermined location.
Malware within fake but believable spam mail
The spam campaign uses e-mails carrying Microsoft Word documents as attachments. The setup is predictable: the malicious document asks the user to enable macros, and since Office disables macros by default and shows a warning bar instead, the lure has to persuade the victim to click through that warning. Once macro execution is granted, the infection chain starts: the macros download the IcedID infostealer and install it on the victim's system.
To make the messages as convincing as possible, the actors reuse e-mail messages taken from previously compromised clients and deliver the Word document inside a password-protected archive. The archive is named after the organization or company whose e-mail is being spoofed, and a brief note in the message tells the recipient to open it with the supplied password. The password protection is not only a trust signal: mail gateways and antivirus scanners that do not know the password cannot inspect the archive's contents, so the macro document passes through content inspection unseen.
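As an added example (not code from the original article or from any security vendor), the following Python script triages an e-mail attachment for the traits described above: a password-protected ZIP whose payload is a Word document carrying a VBA project, together with a password quoted in the message body. The sample archive, document and mail text are constructed inline; the helper that flips the ZIP encryption flag only makes the constructed archive look password-protected so the checks can run offline, and the function names and finding strings are this example's own.

```python
"""Triage an e-mail attachment for the lure traits described above.
Added example for this page; not code from the original article or any vendor.
The sample archive, document and mail body below are constructed."""
import io
import re
import struct
import zipfile

OFFICE_EXT = (".doc", ".docm", ".docx", ".dotm")
# Matches "password 1234", "password: 1234", "password is 1234"; not "password-protected".
PASSWORD_RE = re.compile(r"password(?:\s+is)?\s*:?\s+(\S+)", re.IGNORECASE)

def archive_entries(zip_bytes):
    """(member name, encrypted?) per member. Bit 0 of the ZIP general-purpose
    flag marks an encrypted member and is readable without the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]

def office_has_vba(doc_bytes):
    """OOXML documents are ZIPs; a macro-enabled Word file carries word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(n.lower() == "word/vbaproject.bin" for n in doc.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE2 .doc or not a document: needs an OLE parser instead

def password_from_body(body):
    m = PASSWORD_RE.search(body)
    return m.group(1).rstrip(".,;)") if m else None

def triage(zip_bytes, mail_body):
    """Return findings describing how closely the attachment matches the lure."""
    findings = []
    entries = archive_entries(zip_bytes)
    encrypted = any(enc for _, enc in entries)
    office = [name for name, _ in entries if name.lower().endswith(OFFICE_EXT)]
    pwd = password_from_body(mail_body)
    if encrypted:
        findings.append("password-protected archive")
    if office:
        findings.append("office document in archive: " + ", ".join(office))
    if encrypted and pwd:
        findings.append("archive password supplied in mail body")
    # Inspect whatever can be opened, trying the password quoted in the mail first.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in office:
            try:
                data = zf.read(name, pwd=pwd.encode() if pwd else None)
            except (RuntimeError, zipfile.BadZipFile):
                findings.append(f"could not open {name}: detonate in a sandbox")
                continue
            if office_has_vba(data):
                findings.append(f"{name} contains a VBA project (macros)")
    return findings

def build_docm(with_vba):
    """Constructed stand-in for a macro-enabled Word document (only the parts checked)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            doc.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA stream")
    return out.getvalue()

def build_lure(doc_name, doc_bytes):
    """Constructed outer archive; the real lure names it after the spoofed organisation."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(doc_name, doc_bytes)
    return out.getvalue()

def set_encryption_flag(zip_bytes):
    """Test aid: set bit 0 of the flag word in every local and central-directory
    header so the archive *looks* password-protected. Real lures are actually
    encrypted; this only lets the flag check and the open-failure path run offline."""
    buf = bytearray(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():  # local header: sig(4) version(2) flags(2)
            assert buf[zi.header_offset:zi.header_offset + 4] == b"PK\x03\x04"
            buf[zi.header_offset + 6] |= 0x01
    eocd = buf.rfind(b"PK\x05\x06")  # end-of-central-directory record
    cd_size, cd_off = struct.unpack_from("<II", buf, eocd + 12)
    pos = cd_off
    while pos < cd_off + cd_size:  # central header: flags at +8, 46 bytes plus names
        assert buf[pos:pos + 4] == b"PK\x01\x02"
        buf[pos + 8] |= 0x01
        n, m, k = struct.unpack_from("<HHH", buf, pos + 28)
        pos += 46 + n + m + k
    return bytes(buf)

MAIL_BODY = "Re: contract\nSee attached Example_Corp.zip, password 1234 to open it.\n"

if __name__ == "__main__":
    lure = set_encryption_flag(build_lure("request.docm", build_docm(True)))
    for line in triage(lure, MAIL_BODY):
        print(line)
```

The encryption flag is the useful signal here because it is the one thing a gateway can read without the password; everything after that (the password scraped from the body, the macro check) only works once the archive can actually be opened, which for a real lure means detonation rather than static inspection.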
In the past, TA551 primarily targeted English-speaking demographics, but their attacks have since expanded to Italian-, German- and Japanese-speaking countries and populations. The infection vector has changed as well.
While TA551 previously used the Valak malware as the downloader for IcedID, they have moved to malicious macros in Microsoft Office files, as in this most recent campaign.
Researchers expect TA551 to keep refining their methods, finding new ways to spread the infostealer and further evading detection.