TA551 email spam attacks are devious and very difficult to detect. Only in-depth analysis of the emails plus enhanced AV software has been able to defeat them.

Key Points:

  • Like a chameleon, a TA551 attack blends in with its surroundings, making it extremely difficult to spot without advanced analytics.
  • The malware-laden emails use a variety of techniques, such as stolen content and SMTP credentials, to appear legitimate and deceive their intended victims.
  • Mimecast’s threat researchers have closely analyzed the threat (see the recent whitepaper TA551/Shathak Threat Research for more details) and have developed a two-pronged strategy to defeat it.

The ongoing wave of TA551 email spam attacks — also known as the Shathak threat campaign — has posed some particularly nasty challenges for email security providers.

TA551 is an email-based malware distribution scheme that targets English speakers in particular, but also those who speak Japanese, Italian, German and some other languages. First observed in late 2019, a TA551 attack seeks to implant multiple types of malware, including Ursnif, IcedID and Valak. These are trojans and malware loaders used to extract banking information, and much of the TA551 perpetrators’ activity is concentrated in the financial sector.

Typical of these types of campaigns, the threat level dropped somewhat in January as business activity declined at the start of the new year. Throughout December, the Mimecast Threat Center was detecting between 2,000 and 7,000 emails a day that matched the characteristics associated with TA551 incursions. While the attackers’ identity and the full extent of their motives is unknown, the sharply focused and consistent nature of the spoofing appears to be the work of professional spammers that no doubt have extensive resources at their disposal.

Why the TA551 Threat Is So Insidious

What makes this email spam campaign so insidious is the chameleon-like nature of the threat. No two attacks are identical and the emails are assembled out of stolen content, making them appear both relevant and legitimate to their intended victims.

Here’s how it works:

  • An email with a Zip file attachment is sent out by the spammers. The file consists of an MS Word document, or something similar, and is infected with malware in the form of macros. Once opened by the recipient, the macros execute and infect the user’s device.
  • The Zip files are password protected, which makes it much more difficult to scan them using antivirus software. The passwords are randomized and differ from email to email.

The recipient receives the password in the body of the email. Here’s a real-life example of how one reads: “Hello. Here’s the important information for you. See the attachment to the email. Password 1636721.”

  • Many of the attached files are named after the target company. So, for example, for XYZ Co., the filename would be “XYZ.zip.” This makes the email appear more credible to the receiver.
  • The spammers use stolen SMTP credentials to send the email, so it appears to come from a legitimate source. This also makes detection based on infrastructure parameters quite difficult since all the emails appear to be coming from legitimate providers.
  • Given the vast resources that appear to be at their disposal, the perpetrators never have to reuse anything — which would make the emails easier to spot. They appear to have the capacity to continually use a new set of credentials, a new email address, new content and so forth.
  • The emails are context-aware. Their subject lines, content and that of the attached files all correspond with the recipient’s company, job function and professional contacts. They may also reference recent projects in which the intended victim is involved.

When you add all this up — the use of compromised credentials; the piggy-backing off the names and credibility of the target companies; the context-aware emails that are assembled out of stolen information — it becomes clear why the employees at so many companies have been duped into opening these malware-laden attachments. There is nothing about the emails or their contents to alert the recipient that something is amiss, making it very easy to fall into the spammers’ trap.

Mimecast’s Strategy to Defeat TA551

Mimecast’s threat researchers have now closely analyzed the TA551 campaign (for a deeper dive into what we found please see our recent whitepaper, TA551/Shathak Threat Research) and have developed a two-pronged strategy to defeat it using a combination of detection techniques at our anti-virus and anti-spam layers.

The Bottom Line

TA551/Shathak is an insidious email-based spam campaign to compromise corporate networks. The emails and their malware-laden attachments can withstand close inspection and are exceedingly difficult to spot. In response, Mimecast has closely analyzed this threat, which has allowed us to develop antivirus software and advanced detection capabilities that are able to defeat it.

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

How to Slam a Door on the Cutwail Botnet: Enforce DMARC

DMARC can help protect brands from email…

DMARC can help protect brands from email domain spoofing. Th… Read More >

Matthew Gardiner

by Matthew Gardiner

Principal Security Strategist

Posted Jan 05, 2021

Improving Threat Detection Through Integration

The value of cybersecurity tools can be …

The value of cybersecurity tools can be greater than the sum… Read More >

Megan Doyle

by Megan Doyle

Contributing Writer

Posted Dec 17, 2020

FireEye Attack Raises the Bar on Cyber Resilience for Everyone

Threat actors steal ‘white hat&rsq…

Threat actors steal ‘white hat’ tools, but FireE… Read More >

Mike Azzara

by Mike Azzara

Contributing Writer

Posted Dec 10, 2020