An email-based malware distribution campaign has been disguising spam as part of an existing email chain in order to launch a spoofing attack. TA551, also known as Shathak, the infamous group that spreads malware such as Ursnif and Valak, is behind this operation. The group is misusing genuine messages taken from email clients on previously compromised hosts to run the operation.
This campaign has often targeted English speakers to spread Ursnif, Valak and other information-stealing malware. Since mid-July 2020, however, it has exclusively been spreading IcedID, another info-stealer. The campaign has now also started targeting German, Italian and Japanese speakers.
The group sends out spoofed emails with an attached, password-protected ZIP archive that contains a Microsoft Word document. The message gives the user the password needed to open the attachment.
After opening the ZIP archive and entering the password, the user finds a Microsoft Word document containing macros. When the victim enables the macros on a vulnerable Windows computer, the victim's host downloads an installer DLL for the IcedID malware.
TA551 Recent Changes
So far, TA551 has been following specific traffic patterns, though these have changed since October 2020. Previously, the URLs generated by the Word macros followed a noticeable pattern, such as:
- php?l= in the URL path
- URLs end with .cab
Since November 2020, however, experts have noticed changes in the pattern of URLs generated during an IcedID infection. The likely reason for the change is an attempt to evade detection; at the very least, it can confuse an analyst conducting forensic analysis on an infected host.
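The two URL indicators listed above (a .php script requested with an l= parameter, and a request URL ending in .cab) are weak on their own, but they are cheap to hunt for in proxy logs. The following Python is an added example, not code from the original article or from any vendor, that runs both checks over a few constructed proxy-log lines; the log format, host names and IP addresses are placeholders. Because the campaign changed its URL pattern after November 2020, a rule like this only finds the older traffic and must be maintained alongside the indicators it encodes.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines (timestamp, client IP, method, URL); not real traffic.
SAMPLE_PROXY_LOG = """\
2020-10-12T09:14:01Z 10.0.0.15 GET http://cdn-updates.example/hal/index.php?l=abc.cab
2020-10-12T09:14:03Z 10.0.0.15 GET http://cdn-updates.example/files/pkg.cab
2020-10-12T09:15:10Z 10.0.0.22 GET https://intranet.example/wiki/page.php?id=42
2020-10-12T09:16:44Z 10.0.0.31 GET https://download.example/setup.exe
"""


def classify_url(url: str) -> list:
    """Return the TA551 URL indicators from the article that this URL matches."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # Indicator 1: a .php script requested with an "l=" query parameter (php?l=).
    if parts.path.lower().endswith(".php") and "l" in query:
        hits.append("php?l= in URL")
    # Indicator 2: the request URL ends with .cab.
    if url.lower().rstrip("/").endswith(".cab"):
        hits.append("URL ends with .cab")
    return hits


def scan_proxy_log(log_text: str) -> list:
    """Return one record per log line that matches at least one indicator."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip it rather than guess
        timestamp, client, _method, url = fields[:4]
        hits = classify_url(url)
        if hits:
            flagged.append({"time": timestamp, "client": client, "url": url, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for rec in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(rec["time"], rec["client"], rec["url"], "->", "; ".join(rec["indicators"]))
```

A hit on both indicators from the same client within a short window is a stronger signal than either alone, and the client IP in the flagged record is the host to pull for forensic review.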
How to Stop Email Spoofing?
Email spoofing can take the following forms:
Sender’s name spoofing
Hackers impersonate the identity or the sender's name that the recipient might trust in order to trick the recipient. As a result, the recipient ends up providing sensitive information or credentials.
Sender’s domain spoofing
Malicious actors fake a sender's email address or domain name that is legitimate and trusted by the recipient.
In this case, the malicious actors use a sender name or domain that looks like the real one but differs by a single character.
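To make the two forms concrete from the defender's side, here is an added Python example (not code from the original article) that inspects a From: header for both patterns: a display name that embeds an address from a trusted domain while the real address belongs to another domain (sender's name spoofing), and a sending domain that is one character away from a trusted one (sender's domain spoofing). The trusted-domain allowlist and the header values are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed allowlist of domains the organization trusts (placeholder values).
TRUSTED_DOMAINS = {"example.com", "partner.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_from_header(raw_from: str) -> list:
    """Return findings for one From: header value; an empty list means nothing suspicious."""
    display_name, address = parseaddr(raw_from)
    actual_domain = domain_of(address)
    findings = []
    if actual_domain in TRUSTED_DOMAINS:
        return findings  # from a trusted domain; SPF/DKIM/DMARC results decide from here
    # Sender's name spoofing: the display name carries an address whose domain is
    # trusted, while the address the mail actually comes from is somewhere else.
    embedded = {domain_of(a) for a in re.findall(r"[\w.+-]+@[\w.-]+", display_name)}
    for dom in sorted(embedded & TRUSTED_DOMAINS):
        findings.append(f"display name shows {dom} but mail is from {actual_domain or 'no domain'}")
    # Sender's domain spoofing: a lookalike domain one character away from a trusted one.
    for trusted in sorted(TRUSTED_DOMAINS):
        if actual_domain and edit_distance(actual_domain, trusted) == 1:
            findings.append(f"{actual_domain} is a one-character lookalike of {trusted}")
    return findings


if __name__ == "__main__":
    for header in ('"Alice <alice@example.com>" <bob@mail.test>', "Alice <alice@examp1e.com>"):
        print(header, "->", assess_from_header(header))
```

The distance-1 check deliberately stays narrow to avoid flagging every unrelated domain; tricks that swap two characters (such as "rn" for "m") need a dedicated confusable-character table rather than a larger edit distance.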
As an organization, you should implement certain cyber security protocols to protect your domain against cyber criminals. If your organization neglects to implement these protocols, there is no check on the sender's authentication, and the domain is highly susceptible to spoofing attacks.
To prevent your email domain from being used to send spam or to spread malicious links or attachments, your organization should adopt the following approaches:
- Sender Policy Framework (SPF): An SPF record is added to the domain's DNS records so that the recipient's mail server can check whether the sending server's IP address is authorized to send email on behalf of the sender's email domain.
- DomainKeys Identified Mail (DKIM): A digital signature is added to the header of every email sent from your email domain. The receiving server verifies this signature to authenticate the email.
- Domain-based Message Authentication, Reporting and Conformance (DMARC): Implementing DMARC lets you know how many emails are sent from your email domain and who sent them. It also tells you which emails failed to be delivered and the reason for the failure.
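Publishing these records is only half the job; a record that is present but permissive gives the same false sense of security as none at all. The following Python is an added example, not from the original article or any vendor, that checks an SPF record and a DMARC record for the weak settings a reviewer looks for first, and shows a weak pair of records beside a hardened pair for a placeholder domain. The DNS records are constructed strings, not taken from any real zone, and the code reads them from a dict rather than querying DNS.

```python
import re

# Constructed DNS TXT records for a placeholder domain; they are not from any real zone.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailer.example +all",
    "_dmarc.example.com": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailer.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def assess_spf(record: str) -> list:
    """Return findings for an SPF TXT record; an empty list means no weakness was spotted."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("'+all' authorizes every sender on the Internet; use '-all' or '~all'")
    elif all_term == "?all":
        findings.append("'?all' is neutral and gives no protection; use '-all' or '~all'")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers will return permerror")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC TXT record; an empty list means it enforces and reports."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p=' tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("'p=none' only monitors: mail that fails DMARC is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua=' address: aggregate reports (who sends as your domain) are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: the policy is applied to only part of the failing mail")
    return findings


def assess_domain(records: dict, domain: str) -> dict:
    """Evaluate the SPF record at <domain> and the DMARC record at _dmarc.<domain>."""
    return {
        "spf": assess_spf(records.get(domain, "")),
        "dmarc": assess_dmarc(records.get("_dmarc." + domain, "")),
    }


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_domain(records, "example.com"))
```

The usual rollout is to start with p=none plus an rua= address, read the aggregate reports until every legitimate sender is covered by SPF or DKIM, and only then move to quarantine and finally reject.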
Effective and Reliable Email Spoofing Protection
There are several cyber security measures to protect your organization's email domain and prevent malicious actors from misusing it. To secure your domain, the smart and easy solution for email spoofing is to implement KDMARC. This tool ensures that your email domain is safe against domain forgery.
KDMARC is a GCA-certified email authentication tool that monitors SPF, DKIM and DMARC to give your organization a compliance report. The report gives you detailed insights into the organization's outbound emails.
It provides information on how many emails flow through the domain and how many land in the receiver's inbox. Good news for non-technical users: the report is user friendly and easy to understand, because it presents a clear picture with a graph.
The tool lets you determine whether your domain's outbound emails that fail DMARC authentication reach the recipient's inbox, are redirected to spam, or are bounced back. It therefore also boosts email engagement rates, since your organization's legitimate emails will land in the receiver's inbox every time an email is sent.
Did you know that 92% of malware is delivered via email? (Source: Hosting Tribunal)
Malicious actors impersonating your email domain not only bring you financial losses, but also abuse your brand and harm the trust of the customers who rely on your service. It is therefore crucial for an organization to secure its email domain and protect the brand and the trust it has worked to build.