2021-02-25 - TA551 (SHATHAK) BACK TO PUSHING ICEDID (BOKBOT)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2021-02-25-IOCs-for-IcedID-from-TA551.txt.zip 3.6 kB (3,622 bytes)
- 2021-02-25-TA551-IcedID-infection-traffic.pcap.zip 8.0 MB (7,979,570 bytes)
- 2021-02-25-Word-docs-and-installer-DLL-files.zip 15.4 MB (15,384,643 bytes)
- 2021-02-25-malware-and-artifacts-from-an-infection.zip 9.4 MB (9,416,155 bytes)
NOTES:
- From 2021-01-22 through at least 2021-02-05, the TA551 (Shathak) campaign was pushing Qakbot (Qbot) malware. Today it returned to pushing IcedID (Bokbot).
IMAGES
Shown above: Example of one of the Word documents seen today.
Shown above: Traffic from an infection filtered in Wireshark.