Rewterz

Rewterz Threat Alert – TA551 (Shathak) Pushing Qakbot

Severity

High

Analysis Summary

New samples of Word documents from TA551 (Shathak) have been detected pushing malware. This actor was active until December pushing IcedID malware before going on break for the holidays. Now that it has returned, TA551 has been pushing Qakbot (Qbot) malware instead of IcedID. Qakbot has been distributed in the wild since June 2020, followed by further campaigns in August, September and October. By mid-December 2020, Qakbot was persisting with its latest malspam campaigns. The current campaign is similar to the older ones in its operational flow.

Once the malicious file is downloaded and macros have been enabled, Qakbot is installed on the compromised system and begins its post-infection activity. 

The Qakbot-infected hosts then start spamming more Qakbot, using a different affiliate/campaign ID for the Qakbot samples they send. Because of this, and because of its history of pushing different malware families, TA551 (Shathak) is believed to be a distributor for other criminals in the cyber threat landscape: other criminals (such as those behind Qakbot) operate the malware itself, while TA551 functions specifically as a distribution network.

Impact

  • Credential Theft
  • Unauthorized Access
  • Theft of banking information
  • Unauthorized Code Execution
  • Information theft

Indicators of Compromise

Domain Name

  • 5that6[.]com

MD5

  • 9a21b20bf0f722b2cd46058cbfad5571
  • fef0ec6a4d70fd419911740a4774215c
  • e54aa6017f53064aa6c231615e98ff95

SHA-256

  • 7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753
  • 231b081480a80b05d69ed1d2e18ada8a1fd85ba6ce3e69cc8f630ede5ce5400e
  • 17cd3c11fba639c1fe987a79a1b998afe741636ac607254cc134eea02c63f658

SHA-1

  • f359c45f331d5b159a1ae6ef80135f937bf32856
  • 5b189240383dd7fb414dedca0c2768be573e53d4
  • 1f3ad3e8ec787a4853cd18ea286d7fc671add9d2

URL

  • http[:]//5that6[.]com//assets/55ddb775/ce51025b12/9b75bbce/8a06fd47/6ac84e7424b0539286562b/xtuaq14?anz=125c5909&dlzwg=7aec167a5a2ab0&bu=a09f740
  • http[:]//5that6[.]com/

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Do not enable macros for files downloaded from untrusted sources.
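As an added example (not part of the Rewterz advisory), the following Python matches the advisory's own indicators against a digest reported by an AV/EDR alert and against web proxy log lines, so the listed IoCs can be checked at the controls the remediation refers to; the proxy log format and the sample log lines are constructed assumptions, and the indicators are refanged from the page's `[.]`/`[:]` notation before matching.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory above, kept in the page's defanged notation.
DEFANGED_DOMAINS = ["5that6[.]com"]
DEFANGED_URLS = ["http[:]//5that6[.]com/",
                 "http[:]//5that6[.]com//assets/55ddb775/ce51025b12/9b75bbce/8a06fd47/6ac84e7424b0539286562b/xtuaq14?anz=125c5909&dlzwg=7aec167a5a2ab0&bu=a09f740"]
KNOWN_HASHES = {
    "md5": {"9a21b20bf0f722b2cd46058cbfad5571", "fef0ec6a4d70fd419911740a4774215c", "e54aa6017f53064aa6c231615e98ff95"},
    "sha1": {"f359c45f331d5b159a1ae6ef80135f937bf32856", "5b189240383dd7fb414dedca0c2768be573e53d4", "1f3ad3e8ec787a4853cd18ea286d7fc671add9d2"},
    "sha256": {"7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753", "231b081480a80b05d69ed1d2e18ada8a1fd85ba6ce3e69cc8f630ede5ce5400e", "17cd3c11fba639c1fe987a79a1b998afe741636ac607254cc134eea02c63f658"},
}

def refang(indicator):
    """Turn the page's defanged form ([.] and [:]) back into a live string for matching."""
    return indicator.replace("[.]", ".").replace("[:]", ":")

def host_matches(host, domain):
    """True for the listed domain itself or any subdomain; a look-alike such as not5that6.com must not match."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def match_digest(hexdigest):
    """Look a digest from an AV/EDR alert up against all three hash lists; returns the algorithm name or None."""
    d = hexdigest.strip().lower()
    return next((algo for algo, known in KNOWN_HASHES.items() if d in known), None)

def scan_proxy_log(log_text):
    """Return (line number, indicator, kind) for each matching line: kind is 'url' for an exact URL hit,
    'domain' for a host under a listed domain. Assumed format: timestamp client_ip method url status."""
    live_urls = {refang(u) for u in DEFANGED_URLS}
    live_domains = [refang(d) for d in DEFANGED_DOMAINS]
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        url = fields[3] if len(fields) > 3 else ""   # tolerate blank or malformed lines
        host = urlsplit(url).hostname or ""
        domain_hit = next((d for d in live_domains if host_matches(host, d)), None)
        if url in live_urls:
            hits.append((n, url, "url"))
        elif domain_hit:
            hits.append((n, domain_hit, "domain"))
    return hits

# Constructed sample log lines (not from the advisory): an exact-URL hit, a subdomain hit, a benign request and a look-alike host that must not match.
SAMPLE_PROXY_LOG = """\
2021-01-26T10:01:02Z 10.0.0.15 GET http://example.com/index.html 200
2021-01-26T10:01:09Z 10.0.0.15 GET http://5that6.com/ 200
2021-01-26T10:02:30Z 10.0.0.22 GET http://cdn.5that6.com/update.bin 200
2021-01-26T10:03:11Z 10.0.0.31 GET http://not5that6.com/ 200
"""
```

Running `scan_proxy_log(SAMPLE_PROXY_LOG)` flags lines 2 and 3 only; the look-alike host on line 4 is left alone because the suffix check requires a dot boundary.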