2020-12-03 - TA551 (SHATHAK) WORD DOCS WITH ITALIAN TEMPLATE SEND URSNIF WITH PUSHDO

ASSOCIATED FILES

• 2020-12-03-IOCs-for-TA551-activity.txt.zip   5.8 kB   (5,839 bytes)
• 2020-12-03-TA551-Italian-malspam-5-examples.zip   755 kB   (754,907 bytes)
• 2020-12-03-TA551-Italian-Word-docs-32-examples.zip   3.6 MB   (3,603,140 bytes)
• 2020-12-03-TA551-installer-DLL-for-Ursnif-14-examples.zip   3.0 MB   (2,966,961 bytes)
• 2020-12-03-TA551-sends-Ursnif-with-pushdo.pcap.zip   7.8 MB   (7,823,141 bytes)
• 2020-12-03-TA551-artifacts-from-infected-host.zip   3.4 MB   (3,358,882 bytes)

NOTES:

• All zip archives on this site are password-protected with the standard password.  If you don't know it, see the "about" page of this website.

 

IMAGES

Shown above:  One of the items of malspam from TA551 on 2020-12-03.

 

Shown above:  Screenshot from the extracted Word doc.

 

Shown above:  HTTP request for the installer DLL for Ursnif.

 

Shown above:  Notifications that popped up during the infection.

 

Shown above:  Traffic from an infection filtered in Wireshark (request for followup Pushdo malware marked with arrow).

 

Shown above:  Some some of the Pushdo traffic (also includes the HTTP POST requests from previous image.

 

Shown above:  HTTP request that resulted in another follow-up malware EXE on my infected host.

 

Shown above:  Registry updates caused by Ursnif.

 

Shown above:  Follow-up malware on an infected host.

 

Shown above:  Example of registry updates caused by Pushdo.

 

Shown above:  Registry updates that keep Ursnif and Pushdo persistent after a reboot.

 

Click here to return to the main page.