🇷🇺

TA571

APT Group 5 zero-day CVEs ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

United States

Sectors Targeted

Motor Vehicle Manufacturing 3361 Finance and Insurance 52 Utilities 22 Health Care and Social Assistance 62 Accommodation and Food Services 72

Details

Origin 🇷🇺 RU

Last Updated 21 Jun 2024

MITRE ATT&CK 49

T1003 - OS Credential Dumping T1018 T1027 - Obfuscated Files or Information T1027.003 T1027.010 T1028 - Windows Remote Management T1036 T1045 - Software Packing T1053 - Scheduled Task/Job T1053.005 - Scheduled Task T1055 - Process Injection T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 T1060 - Registry Run Keys / Startup Folder T1069 - Permission Groups Discovery T1071 - Application Layer Protocol T1071.001 - Web Protocols T1082 - System Information Discovery T1104 - Multi-Stage Channels T1105 - Ingress Tool Transfer T1113 - Screen Capture T1115 - Clipboard Data T1119 - Automated Collection T1129 - Shared Modules T1132 T1132.001 T1143 - Hidden Window T1193 - Spearphishing Attachment T1204 T1204.002 - Malicious File T1218 T1218.005 T1218.010 T1218.011 T1457 - Malicious Media Content T1480 - Execution Guardrails T1486 - Data Encrypted for Impact T1553 - Subvert Trust Controls T1557.002 - ARP Cache Poisoning T1566 - Phishing T1566.001 T1566.002 - Spearphishing Link T1568 T1568.002 T1574 - Hijack Execution Flow T1589 T1589.002

Related Zero-Days 5

CVE-2023-36025 CVE-2024-21412 CVE-2024-29988 CVE-2024-38112 CVE-2024-43461

Known Names 5 entries

TA551 Proofpoint

Gold Cabin SecureWorks

Shathak ?

Monster Libra Palo Alto

G0127 MITRE

Description

(Palo Alto) TA551 (also known as Shathak) is an email-based malware distribution campaign that often targets English-speaking victims. The campaign discussed in this blog has targeted German, Italian and Japanese speakers. TA551 has historically pushed different families of information-stealing malware like Ursnif and Valak. After mid-July 2020, this campaign has exclusively pushed IcedID malware, another information stealer.

Tools Used 4

BokBot Gozi Sliver Valak

Operations 2

2021-10 TA551 Uses ‘SLIVER’ Red Team Tool in New Activity https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity

2021-01 From IcedID to Domain Compromise https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise

Reports & References 3

https://unit42.paloaltonetworks.com/ta551-shathak-icedid/ https://unit42.paloaltonetworks.com/valak-evolution/ https://github.com/pan-unit42/iocs/tree/master/TA551

ETDA Profile

TA551, Shathak

Origin

Russia

First Seen 2016

Motivation

Financial gain

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0127/

View on ETDA APT Groups ↗