2021-06-18 (FRIDAY) - TA551 (SHATHAK) ENGLISH-TEMPLATE WORD DOCS PUSH GOZI/ISFB/URSNIF

ASSOCIATED FILES:

• 2021-06-18-TA551-IOCs-for-Gozi-ISFB-Urnsif.txt.zip   4.0 kB   (4,038 bytes)
• 2021-06-18-TA551-malspam-2-examples.zip   106 kB   (105,870 bytes)
• 2021-06-18-TA551-Gozi-ISFB-Ursnif-infection-traffic.pcap.zip   8.2 MB   (8,214,662 bytes)
• 2021-06-18-TA551-Gozi-ISFB-Ursnif-malware.zip   3.8 MB   (3,755,858 bytes)

NOTES:

• All zip archives on this site are password-protected.  If you don't know the password, see the "about" page of this website.

• As recently as Tuesday 2021-06-08, TA551 (Shathak) was pushing IcedID (Bokbot) using English-template Word docs.
• However, since Thursday 2021-06-10, TA551 has been pushing Gozi/ISFB/Ursnif using the same type of English-template Word docs.  I have not seen IcedID from TA551 since then.

 

IMAGES

Shown above:  Traffic from an infection filtered in Wireshark.

 

Click here to return to the main page.