ATK236

Presumed Origin:

Alias: GOLD CABIN, Shathak, TA551

ATK236 (aka TA551, GOLD CABIN, Shathak) is a financially motivated threat group, active since at least 2018, that uses large-scale phishing campaigns to deliver additional malware payloads. IcedID and Valak were the predominant payloads we observed in TA551 phishing campaigns in 2020.


The group has distributed different malware families over time, but consistently used password-protected ZIP archives containing macro-enabled Office documents.


The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.


In September 2021, the group was observed pushing Trickbot to infected hosts, which in turn delivered DarkVNC and Cobalt Strike beacons.


References

Target sector

Target countries

  • Germany
  • Japan
  • Italy

Attack pattern

  • T1001 - Data Obfuscation
  • T1005 - Data from Local System
  • T1016 - System Network Configuration Discovery
  • T1022 - Data Encrypted
  • T1027 - Obfuscated Files or Information
  • T1027.003 - Steganography
  • T1036 - Masquerading
  • T1055 - Process Injection
  • T1057 - Process Discovery
  • T1059.003 - Windows Command Shell
  • T1071.001 - Web Protocols
  • T1090 - Connection Proxy
  • T1093 - Process Hollowing
  • T1105 - Ingress Tool Transfer
  • T1112 - Modify Registry
  • T1119 - Automated Collection
  • T1132.001 - Standard Encoding
  • T1145 - Private Keys
  • T1185 - Man in the Browser
  • T1204 - User Execution
  • T1204.002 - Malicious File
  • T1218.005 - Mshta
  • T1218.010 - Regsvr32
  • T1218.011 - Rundll32
  • T1497 - Virtualization/Sandbox Evasion
  • T1555.004 - Windows Credential Manager
  • T1566.001 - Spearphishing Attachment
  • T1568.002 - Domain Generation Algorithms
  • T1589.002 - Email Addresses

Motivation

  • Financial Gain

Malware

  • Gozi-Isfb
  • IcedID
  • QakBot
  • Ursnif
  • Valak

Vulnerabilities