HP Threat Research Blog

July 30, 2021 Category: Threat Research By: Patrick Schläpfer

Detecting TA551 domains

Executive Summary

  • TA551 are an active threat group known for distributing high volumes of malicious spam (malspam) that deliver different families of malware.
  • Using a TA551 campaign delivering Ursnif as an example, we describe a typical infection chain, and explore potential detection opportunities, such as monitoring process chains or file masquerading.
  • We propose a different detection method based on identifying patterns in the domains that TA551 register, and share our evaluation of over 500 TA551 domains from the last year.
  • Our domain detection method identified 207 potential newly-registered TA551 domains over a four-month period.

Who are TA551?

TA551, also known as Shathak, is a threat group responsible for distributing high volumes of malspam. Their emails contain password-protected ZIP attachments, with the password inside the body of the email. Each archive contains a Word document, which runs a malicious Visual Basic for Applications (VBA) AutoOpen macro. The macro initiates a web download, which saves and runs a designated malware payload.
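The infection chain above (Word document, AutoOpen macro, web download, payload executed) is what the "monitoring process chains" detection opportunity in the executive summary keys on: a payload that runs as a descendant of an Office process. The following script is an added example and not HP Threat Research's code. It parses constructed, Sysmon-style process-creation records (pid|ppid|image|cmdline), walks each process's ancestry, and flags any process with an Office ancestor that is either a script host/LOLBin or an executable started from a user-writable directory. The image and path lists are generic assumptions, not indicators taken from TA551 campaigns, and the sample telemetry is constructed for the example.

```python
"""Process-chain detection for an Office-macro download-and-execute chain.

Added example, not HP Threat Research's code. The log lines are constructed,
Sysmon Event ID 1 (process creation)-style records reduced to
pid|ppid|image|cmdline; the image/path lists are assumptions, not TA551 IOCs.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: Office applications whose descendants deserve scrutiny.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: script hosts and LOLBins a macro commonly uses to fetch or run a
# payload. Generic tradecraft, not a list taken from the TA551 campaigns.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "regsvr32.exe",
                       "rundll32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Assumption: directories a downloaded payload is typically written to and run from.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def basename(self) -> str:
        """Lower-cased file name of the image, for case-insensitive matching."""
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(lines: List[str]) -> Dict[int, ProcEvent]:
    """Parse 'pid|ppid|image|cmdline' records into a pid-keyed table."""
    table: Dict[int, ProcEvent] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        table[int(pid)] = ProcEvent(int(pid), int(ppid), image, cmdline)
    return table


def ancestry(table: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links from pid towards the root; the loop guard handles
    pid reuse, where a stale ppid can point back into the same tree."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = table.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = table.get(cur.ppid)
    return chain


def detect_office_chains(table: Dict[int, ProcEvent]) -> List[str]:
    """Flag processes that have an Office ancestor and are either a script
    host/LOLBin or an executable started from a user-writable directory."""
    findings: List[str] = []
    for ev in table.values():
        chain = ancestry(table, ev.pid)          # chain[0] is ev itself
        if not any(a.basename in OFFICE_IMAGES for a in chain[1:]):
            continue                             # no Office ancestor: not this chain
        reason = None
        if ev.basename in SUSPICIOUS_CHILDREN:
            reason = "script host/LOLBin"
        elif ev.image.lower().startswith(USER_WRITABLE_PREFIXES):
            reason = "executable from user-writable path"
        if reason:
            path = " -> ".join(a.basename for a in reversed(chain))
            findings.append(f"pid {ev.pid}: {reason}: {path}")
    return sorted(findings)


# Constructed sample telemetry. The malicious subtree mirrors the chain in the
# text: Word runs the macro, which spawns a downloader, which runs the payload.
SAMPLE_EVENTS = [
    "4012|1200|C:\\Windows\\explorer.exe|explorer.exe",
    # Word opened from the shell; printing via splwow64 is a benign child.
    "5120|4012|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\invoice.doc\"",
    "5130|5120|C:\\Windows\\splwow64.exe|splwow64.exe 12288",
    # Benign: an installer run from Downloads by the user, no Office ancestor.
    "5200|4012|C:\\Users\\alice\\Downloads\\setup.exe|setup.exe",
    # Suspicious: the macro spawns cmd.exe, which runs the downloaded payload.
    "5300|5120|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe\"",
    "5410|5300|C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe|payload.exe",
]


if __name__ == "__main__":
    for finding in detect_office_chains(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Two records are flagged (cmd.exe under WINWORD.EXE, and payload.exe under that cmd.exe), while the installer run from Downloads is not, because it has no Office ancestor. Requiring the Office ancestor rather than just a suspicious image or path is what keeps the false-positive rate tolerable on a fleet; the lists of images and paths are where a real deployment would be tuned.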

Since the beginning of 2019, TA551 have been observed distributing malware families including Ursnif, Valak, IcedID, and Qakbot. Additional information about how these families are distributed has been documented extensively by Palo Alto Networks. TA551 are very active, running several campaigns with new download domains practically every week. Figure 1 shows the dates in the second half of 2020 on which new download domains were registered, each of which roughly corresponds to one malspam campaign.