TA551 malspam campaign spoofs email chains to install IcedID info-stealer

In a new phishing campaign, the offending emails arrive in inboxes with attached, password-protected zip archives containing Word documents. (Photo by Justin Sullivan/Getty Images)

A phishing campaign has been attempting to disguise spam as an email chain, using genuine messages taken from email clients on previously compromised hosts.


Cybercriminal group TA551, aka Shathak, is behind the operation, which is known to spread information-stealing malware such as Ursnif, Valak and IcedID, according to a blog post today from the Unit 42 threat research team at Palo Alto Networks.


The campaign typically targets English-speaking victims and dates back as far as Feb. 4, 2019. However, more recently it has expanded its targets to include German, Italian and Japanese speakers. In the past, the attackers sometimes would use Ursnif and Valak as downloaders to secondarily distribute IcedID, but since July 2020 it appears they have focused exclusively on IcedID, delivering it instead via malicious macros.


The offending emails arrive in inboxes with attached, password-protected zip archives containing Word documents. If the recipient opens the doc and enables the malicious macros within, the infection chain commences and the IcedID malware is installed.
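The delivery pattern above (a password-protected ZIP whose encryption blocks content scanning, wrapping an Office document that carries macros) can be checked at the mail gateway from archive metadata alone. The following is an added example written for this page, not code from Unit 42, Palo Alto Networks or the article's author; `build_zip`, `build_docm_sample`, `inspect_archive` and `verdict` are names chosen here, and every sample archive is constructed inline so the check runs offline. The policy it implements is an assumption drawn from the described chain: an encrypted archive that names an Office document is quarantined without being opened, and an unencrypted OOXML document is quarantined only if it contains a VBA project.

```python
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions treated as Office documents; the macro-capable OOXML subset is inspected further.
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm")
OOXML_EXTS = (".docm", ".dotm", ".docx", ".xlsm", ".xlsx", ".pptm")


@dataclass
class ZipFinding:
    entry: str
    encrypted: bool       # general-purpose flag bit 0 set in the central directory
    office_doc: bool      # file name has an Office extension
    has_vba: Optional[bool]  # None when the entry could not be inspected (encrypted or not OOXML)


def build_zip(entries: List[Tuple[str, bytes]], encrypted: bool = False) -> bytes:
    """Constructed sample: assemble a minimal STORED ZIP by hand so the "encrypted"
    flag can be set for a test archive without performing real ZipCrypto encryption.
    Only metadata is read from such archives below, so the payload is never decrypted."""
    flags = 0x0001 if encrypted else 0x0000
    local_parts, central_parts, offset = [], [], 0
    for name, data in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # Local file header (30 bytes) + name + stored data; date 0x21 = 1980-01-01.
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(name_b), 0) + name_b + data
        # Central directory header (46 bytes) + name.
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                              crc, len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    cd = b"".join(central_parts)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


def build_docm_sample(with_macro: bool) -> bytes:
    """Constructed sample: a skeletal OOXML document; with_macro adds the VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not a real VBA stream")
    return buf.getvalue()


def inspect_archive(blob: bytes) -> List[ZipFinding]:
    """Walk the outer archive's central directory; for readable OOXML entries, look inside
    for a vbaProject.bin part. Legacy OLE2 formats (.doc/.xls) are not parsed here."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            encrypted = bool(info.flag_bits & 0x1)
            office = lower.endswith(OFFICE_EXTS)
            has_vba: Optional[bool] = None
            if office and not encrypted and lower.endswith(OOXML_EXTS):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(info))) as inner:
                        has_vba = any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
                except zipfile.BadZipFile:
                    has_vba = None  # not a valid OOXML container; leave undetermined
            findings.append(ZipFinding(info.filename, encrypted, office, has_vba))
    return findings


def verdict(findings: List[ZipFinding]) -> str:
    """Assumed gateway policy: encrypted archives hiding Office documents cannot be
    content-scanned, so they are quarantined outright; otherwise quarantine on a VBA project."""
    for f in findings:
        if f.office_doc and f.encrypted:
            return "quarantine: password-protected archive hides an Office document"
        if f.has_vba:
            return "quarantine: Office document contains a VBA macro project"
    return "allow"


if __name__ == "__main__":
    samples = {
        "encrypted zip with invoice.doc": build_zip([("invoice.doc", b"\x00" * 16)], encrypted=True),
        "unencrypted zip with macro docm": build_zip([("report.docm", build_docm_sample(True))]),
        "unencrypted zip with clean docm": build_zip([("report.docm", build_docm_sample(False))]),
    }
    for label, blob in samples.items():
        print(f"{label}: {verdict(inspect_archive(blob))}")
```

Because the outer archive is encrypted in the real campaign, the gateway sees only entry names and flags; the first branch of `verdict` is therefore the one that matters for this lure, and the nested VBA check only applies when the sender did not password-protect the archive.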


“TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. It sends copies of these email chains to recipients of the original email chain,” Threat Intelligence Analyst Brad Duncan wrote in the blog. “The spoofed email includes a short message as the most recent item in the chain. This is a generic statement asking the recipient to open an attached ZIP archive using the suppli ..