2021-06-18 (FRIDAY) - TA551 (SHATHAK) ENGLISH-TEMPLATE WORD DOCS PUSH GOZI/ISFB/URSNIF
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2021-06-18-TA551-IOCs-for-Gozi-ISFB-Urnsif.txt.zip 4.0 kB (4,038 bytes)
- 2021-06-18-TA551-malspam-2-examples.zip 106 kB (106,214 bytes)
- 2021-06-18-TA551-Gozi-ISFB-Ursnif-infection-traffic.pcap.zip 8.2 MB (8,214,662 bytes)
- 2021-06-18-TA551-Gozi-ISFB-Ursnif-malware.zip 3.8 MB (3,758,086 bytes)
NOTES:
- As recently as Tuesday 2021-06-08, TA551 (Shathak) was pushing IcedID (Bokbot) using English-template Word docs.
- However, since Thursday 2021-06-10, TA551 has been pushing Gozi/ISFB/Ursnif using the same type of English-template Word docs. I have not seen IcedID from TA551 since then.
IMAGES:
- Image (not reproduced here): traffic from an infection filtered in Wireshark.