
TA551: Email Attack Campaign Switches from Valak to IcedID

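<!doctype html>
<html lang="en-US">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="profile" href="https://gmpg.org/xfn/11">
  <link rel="preconnect" href="https://www.paloaltonetworks.com">
  <link rel="preconnect" href="https://cdn.cookielaw.org">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <!-- Start: Scripts Migrated From Unit42-v5 -->
  <script>
    // Globals set in the document head; their consumers are not visible in this file.
    var main_site_url = 'https://www.paloaltonetworks.com';
    var maindomain_lang = 'https://www.paloaltonetworks.com';

    /**
     * Read a single query-string parameter from a URL.
     *
     * @param {string} name  Parameter name; regex metacharacters are escaped so it is matched literally.
     * @param {string} [url] URL to inspect; defaults to window.location.href when null/undefined.
     * @returns {string|null} The decoded value ('+' is treated as a space); '' when the parameter
     *   is present without a value; null when it is absent or its value is not valid percent-encoding.
     *
     * The value is taken from the page URL, i.e. it is controlled by whoever crafted the link, so
     * callers must treat it as untrusted input and escape it before it reaches the DOM or a URL.
     */
    function getParameterByName(name, url) {
      if (url == null) {
        url = window.location.href;
      }
      // Escape every regex metacharacter (the original only escaped brackets) so a name such
      // as "a.b" cannot match unrelated parameters.
      name = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)');
      var results = regex.exec(url);
      if (!results) {
        return null;
      }
      if (!results[2]) {
        return '';
      }
      // decodeURIComponent throws URIError on malformed percent-encoding (e.g. a truncated
      // escape); uncaught, that would abort this head script and every statement after it for
      // the whole page. Treat an undecodable value as absent instead.
      try {
        return decodeURIComponent(results[2].replace(/\+/g, ' '));
      } catch (e) {
        return null;
      }
    }

    // Untrusted: comes straight from the query string (see getParameterByName).
    var container_q = getParameterByName('container');
    var d_lang = 'en';
  </script>
  <!-- NOTE(review): the inline onload handlers on the preload links below require 'unsafe-inline'
       (or per-handler hashes) in a script-src CSP; moving the rel swap into a deferred script
       would allow a stricter policy. -->
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css"></noscript>
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css"></noscript>
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">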
<noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css"></noscript> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" /> <link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/ta551-shathak-icedid/" /> <link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" /> <!-- This site is optimized with the Yoast SEO Premium plugin v24.2 (Yoast SEO v24.2) - https://yoast.com/wordpress/plugins/seo/ --> <title>TA551: Email Attack Campaign Switches from Valak to IcedID</title> <meta name="description" content="We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware." /> <link rel="canonical" href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="TA551: Email Attack Campaign Switches from Valak to IcedID" /> <meta property="og:description" content="We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware." 
/> <meta property="og:url" content="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" /> <meta property="og:site_name" content="Unit 42" /> <meta property="article:published_time" content="2021-01-07T08:01:15+00:00" /> <meta property="article:modified_time" content="2024-06-06T14:11:24+00:00" /> <meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/10_Business_email_compromise_Category_1920x900.jpg" /> <meta property="og:image:width" content="1920" /> <meta property="og:image:height" content="900" /> <meta property="og:image:type" content="image/jpeg" /> <meta name="author" content="Brad Duncan" /> <meta name="twitter:card" content="summary_large_image" /> <!-- / Yoast SEO Premium plugin. --> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Feed" href="https://unit42.paloaltonetworks.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Comments Feed" href="https://unit42.paloaltonetworks.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; TA551: Email Attack Campaign Switches from Valak to IcedID Comments Feed" href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/feed/" /> <script type="text/javascript"> var globalConfig = {}; var webData = {}; webData.channel = "unit42"; webData.property = "unit42.paloaltonetworks.com"; webData.language = "en_us"; webData.pageType = "blogs"; webData.pageName = "unit42:ta551-shathak-icedid"; webData.pageURL = "https://unit42.paloaltonetworks.com/ta551-shathak-icedid"; webData.article_title = "TA551: Email Attack Campaign Switches from Valak to IcedID"; webData.author = "Brad Duncan"; webData.published_time = "2021-01-07T00:01:15-08:00"; webData.description = "We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware."; webData.keywords = "Malware,Threat 
Research,IcedID,Shathak,TA551,Ursnif,Valak"; webData.resourceAssetID = "e13b1c29fbdd0c64810420acb69d9083"; </script> <script type="text/javascript"> var globalConfig = {}; globalConfig.buildName = "UniqueResourceAssetsID_DEC022022"; </script> <meta property="og:likes" content="29"/> <meta property="og:readtime" content="9"/> <meta property="og:views" content="56,476"/> <meta property="og:date_created" content="January 7, 2021 at 12:01 AM"/> <meta property="og:post_length" content="2359"/> <meta property="og:category" content="Malware"/> <meta property="og:category" content="Threat Research"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-research/"/> <meta property="og:author" content="Brad Duncan"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/bduncan/"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2017/09/Duncan-bio-picture-1-copy-150x150.jpg"/> <meta name="post_tags" content="IcedID,Shathak,TA551,Ursnif,Valak"/> <meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/Malicious-email-r3d2.png"/> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"TA551: Email Attack Campaign Switches from Valak to IcedID","name":"TA551: Email Attack Campaign Switches from Valak to IcedID","description":"We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware.","url":"https:\/\/unit42.paloaltonetworks.com\/ta551-shathak-icedid\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/ta551-shathak-icedid\/","datePublished":"January 7, 2021","articleBody":"Executive Summary\r\nTA551 (also known as Shathak) is an email-based malware distribution campaign 
that often targets English-speaking victims. The campaign discussed in this blog has targeted German, Italian and Japanese speakers. TA551 has historically pushed different families of information-stealing malware like Ursnif and Valak. After mid-July 2020, this campaign has exclusively pushed IcedID malware, another information stealer.\r\n\r\nThis blog provides an overview of TA551, as well as previous activity from this campaign. We also examine changes from this campaign since our previous blog about TA551 pushing Valak in July 2020.\r\n\r\nPalo Alto Networks Next-Generation Firewall customers are protected from this threat with the Threat Prevention security subscription, which detects the malware. AutoFocus customers can track this activity using the TA551 and IcedID tags.\r\nInfection Chain of Events\r\nFrom mid-July through November 2020, TA551 has remained consistent in its infection process. A flow chart for the chain of events is shown in Figure 1.\r\n\r\n[caption id=\"attachment_116612\" align=\"aligncenter\" width=\"900\"] Figure 1. Chain of events for TA551 (Shathak) from July through November 2020.[\/caption]\r\n\r\nThe initial lure is an email spoofing an email chain. These email chains are retrieved from email clients on previously infected hosts. The message has an attached ZIP archive and a message informing the user of a password necessary to open the attachment.\r\n\r\nAfter opening the ZIP archive, the victim finds a Microsoft Word document with macros. If the victim enables macros on a vulnerable Windows computer, the victim\u2019s host retrieves an installer DLL for IcedID malware. This will infect a vulnerable Windows computer. See FIgures 2-7 for a recent example targeting a Japanese-speaking victim.\r\n\r\n[caption id=\"attachment_116614\" align=\"aligncenter\" width=\"900\"] Figure 2. An example of TA551 email targeting a Japanese-speaking victim on Nov. 
4, 2020.[\/caption]\r\n\r\n[caption id=\"attachment_116616\" align=\"aligncenter\" width=\"900\"] Figure 3. Using password from the message to open the ZIP archive.[\/caption]\r\n\r\n[caption id=\"attachment_116618\" align=\"aligncenter\" width=\"900\"] Figure 4. Screenshot of Word document from the ZIP archive.[\/caption]\r\n\r\n[caption id=\"attachment_116620\" align=\"aligncenter\" width=\"900\"] Figure 5. Traffic from an infection filtered in Wireshark.[\/caption]\r\n\r\n[caption id=\"attachment_116622\" align=\"alignnone\" width=\"900\"] Figure 6. Files and directories created during the infection process on a Windows host.[\/caption]\r\n\r\n[caption id=\"attachment_116624\" align=\"aligncenter\" width=\"900\"] Figure 7. Scheduled task to keep the IcedID infection persistent on an infected Windows host.[\/caption]\r\nTA551 Switches to IcedID\r\nWe have a GitHub repository where we track recent TA551 activity. The repository contains information on each wave of attack from TA551 since July 6, 2020. Starting on July 14, 2020, we have only seen IcedID malware from these waves of attack.\r\n\r\nSince July 14, 2020, these waves of malspam consistently targeted English-speaking victims until Oct. 27, 2020, when we started seeing Japanese templates for the Word documents. TA551 consistently targeted Japanese-speaking victims from Oct. 27-Nov. 20, 2020. After approximately three weeks of Japanese-focused attacks, TA551 switched back to English-speaking victims starting on Nov. 24, 2020.\r\n\r\nRegardless of the targeted group, TA551 continues to push IcedID as its malware payload.\r\nHistory of TA551\r\nWe have traced TA551 as far back as February 2019, and since that time, we have noted the following characteristics:\r\n\r\n \tTA551 has distributed different families of malware, including Ursnif (Gozi\/ISFB), Valak and IcedID.\r\n \tTA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. 
It sends copies of these email chains to recipients of the original email chain.\r\n \tThe spoofed email includes a short message as the most recent item in the chain. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password.\r\n \tFile names for the ZIP archives use the name of the company being spoofed in the email. For example, if the spoofed sender is someone@companyname.com, the ZIP attachment would be named companyname.zip.\r\n \tIn 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names.\r\n \tThese password-protected ZIP attachments contain a Word document with macros to install malware.\r\n \tFile names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed.\r\n \tURLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed.\r\n\r\nTA551 in 2019\r\nFigure 8 shows the earliest email we can confirm from this campaign, dated Feb. 4, 2019. It targeted an English-speaking recipient and pushed Ursnif malware.\r\n\r\n[caption id=\"attachment_116626\" align=\"aligncenter\" width=\"900\"] Figure 8. Example of TA551 malspam from February 2019.[\/caption]\r\n\r\nThe following files are associated with the above example:\r\n\r\n \tSHA256 hash: 3dab8a906b30e1371b9aab1895cd5aef75294b747b7291d5c308bb19fbc5db10\r\n \tFile size: 157,696 bytes\r\n \tFile name: Request11.doc\r\n \tFile description: Word doc with macro for Ursnif (Gozi\/ISFB)\r\n \tSHA256 hash: 3afc28d4613e359b2f996b91eeb0bbe1a57c7f42d2d4b18e4bb6aa963f58e3ff\r\n \tFile size: 284,160 bytes\r\n \tFile location: hxxp:\/\/gou20lclair[.]band\/xap_102b-AZ1\/704e.php?l=zyteb12.gas\r\n\r\nFile description: Example of Windows EXE retrieved by Word macro \u2013 an installer for Ursnif\r\n\r\nFigure 9 shows an email from this campaign dated April 2, 2019. 
It targeted an Italian-speaking recipient and pushed Ursnif malware.\r\n\r\n[caption id=\"attachment_116628\" align=\"aligncenter\" width=\"900\"] Figure 9. Example of TA551 malspam from April 2019.[\/caption]\r\n\r\nThe following files are associated with the above example:\r\n\r\n \tSHA256 hash: 582213137bebc93192b0429f6687c859f007ef03e6a4c620eada8d98ca5d76ba\r\n \tFile size: 91,136 bytes\r\n \tFile name: doc_02.04.doc\r\n \tFile description: Word doc with macro for Ursnif\r\n \tSHA256 hash: 8c72d5e5cb81f7a7c2b4881aff3be62cdc09caa52f93f9403166af74891c256e\r\n \tFile size: 606,208 bytes\r\n \tFile location: hxxp:\/\/seauj35ywsg[.]com\/2poef1\/j.php?l=zepax4.fgs\r\n \tFile description: Example of Windows EXE to install Ursnif retrieved by a macro associated with this wave of Word documents\r\n\r\nFigure 10 shows an email from this campaign dated Oct. 30, 2019. It targeted a German-speaking recipient and pushed Ursnif malware.\r\n\r\n[caption id=\"attachment_116630\" align=\"aligncenter\" width=\"900\"] Figure 10. Example of TA551 malspam from October 2019.[\/caption]\r\n\r\nThe following files are associated with the above example:\r\n\r\n \tSHA256 hash: 10ed909ab789f2a83e4c6590da64a6bdeb245ec9189d038a8887df0dae46df2a\r\n \tFile size: 269,312 bytes\r\n \tFile name: info_10_30.doc\r\n \tFile description: Word doc with macro for Ursnif\r\n \tSHA256 hash: 9e5008090eaf25c0fe58e220e7a1276e5501279da4bb782f92c90f465f4838cc\r\n \tFile size: 300,032 bytes\r\n \tFile location: hxxp:\/\/onialisati[.]com\/deamie\/ovidel.php?l=brelry2.cab\r\n \tFile description: Example of Windows EXE retrieved by Word macro \u2013 an installer for Ursnif\r\n\r\nNote how the URL from the above example ends in .cab. This pattern was fairly consistent for URLs generated by macros from TA551 Word docs until late October 2020.\r\n\r\nFigure 11 shows an email from this campaign dated Dec. 17, 2019. 
It targeted a Japanese-speaking recipient and pushed Ursnif malware.\r\n\r\n[caption id=\"attachment_116632\" align=\"aligncenter\" width=\"900\"] Figure 11. Example of TA551 malspam from December 2019.[\/caption]\r\n\r\nThe following files are associated with the above example:\r\n\r\n \tSHA256 hash: 3b28f3b1b589c9a92940999000aa4a01048f2370d03c4da0045aabf61f9e4bb6\r\n \tFile size: 101,528 bytes\r\n \tFile name: info_12_18.doc\r\n \tFile description: Word doc with macro for Ursnif\r\n \tSHA256 hash: 3a22d206858773b45b56fc53bed5ee4bb8982bb1147aad9c2a7c57ef6c099512\r\n \tFile size: 1,650,176 bytes\r\n \tFile location: hxxp:\/\/vestcheasy[.]com\/koorsh\/soogar.php?l=weecum5.cab\r\n \tFile description: Example of Windows EXE retrieved by Word macro \u2013 an installer for Ursnif\r\n\r\nNote that Ursnif-infected hosts occasionally retrieve follow-up malware. For example, on Dec. 19, 2019, a Windows host infected with Ursnif by way of TA551 was also infected with IcedID and Valak as follow-up malware.\r\nTA551 in 2020\r\nFigure 12 shows an email from TA551 dated March 26, 2020. It targeted a German-speaking recipient and pushed ZLoader (Silent Night) malware.\r\n\r\n[caption id=\"attachment_116634\" align=\"aligncenter\" width=\"900\"] Figure 12. Example of TA551 malspam from March 2020.[\/caption]\r\n\r\nThe following files are associated with the above example:\r\n\r\n \tSHA256 hash: 62ecc8950e8be104e250304fdc32748fcadaeaa677f7c066be1baa17f940eda8\r\n \tFile size: 127,757 bytes\r\n \tFile name: information_03.26.doc\r\n \tFile description: Word doc with macro for ZLoader (Silent Night)\r\n \tSHA256 hash: 9b281a8220a6098fefe1abd6de4fc126fddfa4f08ed1b90d15c9e0514d77e166\r\n \tFile size: 486,400 bytes\r\n \tFile location: hxxp:\/\/x0fopmxsq5y2oqud[.]com\/kundru\/targen.php?l=swep7.cab\r\n \tFile description: Windows DLL for ZLoader retrieved by Word macro\r\n\r\nFigure 13 shows an email from this campaign dated April 28, 2020. 
It targeted an English-speaking recipient and pushed Valak malware.\r\n\r\n[caption id=\"attachment_116636\" align=\"aligncenter\" width=\"900\"] Figure 13. Example of TA551 malspam from April 2020.[\/caption]\r\n\r\nThe following files are associated with the above example:\r\n\r\n \tSHA256 hash: bd58160966981dd4b04af8530e3320edbddfc2b83a82b47a76f347d0fb4ca93a\r\n \tFile size: 61,233 bytes\r\n \tFile name: docs,04.20.doc\r\n \tFile description: Word doc with macro for Valak\r\n \tSHA256 hash: 9ce4835ef1842b7407b3c8777a6495ceb1b69dac0c13f7059c2fec1b2c209cb1\r\n \tFile size: 418,816 bytes\r\n \tFile location: hxxp:\/\/qut6oga5219bf00e[.]com\/we20lo85\/aio0i32p.php?l=nok4.cab\r\n \tFile description: Example of Windows DLL retrieved by Word macro -- an installer for Valak\r\n\r\nAt this point, the document names had changed format. This is when we started seeing several different names for the extracted Word documents from each day of attack.\r\n\r\nFigure 14 shows an email from this campaign dated May 22, 2020. It targeted an English-speaking recipient and pushed Valak malware.\r\n\r\n[caption id=\"attachment_116638\" align=\"aligncenter\" width=\"900\"] Figure 14. 
Example of TA551 malspam from May 2020.[\/caption]\r\n\r\nThe following files are associated with the above example:\r\n\r\n \tSHA256 hash: 3562023ab563fc12d17981a1328f22a3d3e4c358535b9a0c28173a6e4ad869ba\r\n \tFile size: 74,338 bytes\r\n \tFile name: file_05.20.doc\r\n \tFile description: Word doc with macro for Valak\r\n \tSHA256 hash: 4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a\r\n \tFile size: 184,832 bytes\r\n \tFile location: hxxp:\/\/s6oo5atdgmtceep8on[.]com\/urvave\/cennc.php?l=haao1.cab\r\n \tFile description: Example of Windows DLL retrieved by Word macro -- an installer for Valak\r\n\r\nBy this time, the password format for ZIP attachments changed to three digits followed by two letters, and the template style had also been updated.\r\n\r\nWe continued to see Valak pushed by TA551 through early July 2020. Of note, Valak is a malware downloader, and we frequently saw IcedID as follow-up malware from these infections.\r\n\r\nHowever, by mid-July 2020, TA551 started pushing IcedID directly from the Word document macros.\r\nRecent Developments\r\nIn recent weeks, TA551 has changed traffic patterns. For several months prior to Oct. 19, 2020, URLs generated by Word macros to retrieve installer binaries followed a noticeable pattern. This pattern includes:\r\n\r\n \t.php?l= in the URL path\r\n \tURLs end with .cab\r\n\r\nSince Oct. 20, 2020, these patterns have changed dramatically. 
Table 1 shows the changes starting in October.\r\n\r\n&nbsp;\r\n\r\n\r\n\r\nDate\r\nURL example\r\n\r\n\r\n2020-10-14\r\nGET \/docat\/hyra.php?l=dybe18.cab\r\n\r\n\r\n2020-10-16\r\nGET \/muty\/sohaq.php?l=tali18.cab\r\n\r\n\r\n2020-10-19\r\nGET \/biwe_zibofyra\/ripy_lani.php?l=qedux18.cab\r\n\r\n\r\n2020-10-20\r\nGET \/_bxlzcpjlmpxlkzblf_zhlsplspz\/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon4.ppt&amp;lhe=hcqjvtfezhsogtrdxdfs\r\n\r\n\r\n2020-10-27\r\nGET \/update\/qqOQccpolFmwCmTnTmURcfZPByI_lqzPNvPfTfvLQjqdJtpOYeWT\/WRFlVYjJTKqWAf_KhCjsSselY\/tbqxj12\r\n\r\n\r\n2020-10-28\r\nGET \/update\/djMqKxc_BZCF_BJlRmjKmdcihghiSj\/wJuzcnBhc\/MD\/qE_ZWFKbwfWZMCCWgfHU_DNxAcBRlHncRHr\/csyj9\r\n\r\n\r\n2020-10-29\r\nGET \/update\/XTZrbyvClXzcfZcJGZSmDWBthSBXjRKw\/chti6\r\n\r\n\r\n2020-11-03\r\nGET \/update\/VvZWoYOIotoWV_KUywQtEUVUPjvNYMYYnLnvWWOLA\/fZcXYRwGyzMRZcvzHZrDe\/gzlov4\r\n\r\n\r\n2020-11-04\r\nGET \/update\/JvYqBVMJCxSDX\/nNBk\/XhEfjPMvaV_dDFlXqGZNCDTLhTXlPWxEsGjTdzfQBUZCvkBqWOgjo\/xrei12\r\n\r\n\r\n2020-11-05\r\nGET \/update\/jcja\/yCGHnwRmyMVTeCqljgln\/JTHBIgVESrNVdrgJMGGNdiqqGxCNACjXDBjkMJKFPKvJNYXFVbcxYvbS\/iuyala13\r\n\r\n\r\n2020-11-19\r\nGET \/share\/ZSzE0sjR23GkF3VwZi_nqFH2B5lqPUVKxwNC\/ahtap3\r\n\r\n\r\n2020-11-24\r\nGET \/share\/kvNqzh1tF4Y8zyxtL\/HQpK6K42Wr8SP9PLJSqxc5h\/ROwPcKsG\/dbULREqlb1Kj0_RRT\/Dfnj\/lxnt10\r\n\r\n\r\n\r\nTable 1. URL patterns generated by macros from Word docs distributed by TA551.\r\nBy Oct. 27, 2020, URLs generated by TA551 macros include English terms like update or share at the beginning of the HTTP GET request. These URLs end with a series of four to six lowercase English letters followed by a number as low as 1 to as high as 18. 
These URLs are not consistent in length, and they can be very short or very long.\r\n\r\nSince November 2020, we have also noticed minor changes in artifacts generated during IcedID infections, including those outside of the TA551 campaign.\r\n\r\nFor example, through early November 2020, IcedID DLLs created by installer DLLs were initially saved to the victim\u2019s AppData\\Local\\Temp directory, and the file name started with a tilde (~) and ended with .dll as illustrated earlier in Figure 6. In November 2020, we started to see a change: the initial IcedID DLLs saved to the victim\u2019s AppData\\Local directory with a file name ending in .dat as shown in Figure 15.\r\n\r\n[caption id=\"attachment_116640\" align=\"aligncenter\" width=\"900\"] Figure 15. Artifacts seen from a TA551 IcedID infection on Nov. 24, 2020.[\/caption]\r\n\r\nThese changes may be an effort by malware developers to evade detection. At the very least, they might confuse someone conducting forensic analysis on an infected host.\r\n\r\nSuch changes are commonly seen in malware families as they evolve over time. We can expect to see more changes with IcedID malware and the TA551 campaign during the coming months.\r\n\r\nFinally, the run method for installer DLLs retrieved by TA551 Word macros changed during November 2020:\r\n\r\n \tOld method: regsvr32.exe [installer DLL filename]\r\n \tNew method: rundll32.exe [installer DLL filename],ShowDialogA -r\r\n\r\nHowever, up-to-date information is necessary to ensure proper detection for a constantly-evolving campaign like TA551.\r\nConclusion\r\nTA551 has evolved since we last reviewed this threat actor deploying Valak malware in July 2020. We frequently saw IcedID as follow-up malware in previous months from Valak and Ursnif infections installed by TA551. 
This threat actor appears to have eliminated malware downloaders like Valak and Ursnif and is now deploying IcedID directly.\r\n\r\nAlthough TA551 has settled on IcedID as its malware payload, we continue to see changes in traffic patterns and infection artifacts as this campaign evolves.\r\n\r\nOrganizations with adequate spam filtering, proper system administration and up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks Next-Generation Firewall customers are further protected from this threat with the Threat Prevention security subscription, which detects the malware.\u00a0AutoFocus\u00a0customers can track this activity using the\u00a0TA551\u00a0and\u00a0IcedID\u00a0tags.\r\nIndicators of Compromise\r\nThis GitHub repository currently has more than 50 text files containing various indicators associated with TA551 from mid-July 2020-November 2020. Each text file represents a specific day the campaign was active, and it contains SHA256 hashes, document names, associated URLs and other related data, some of which we\u2019ve also shared through our Twitter handle @Unit42_Intel.","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/10_Business_email_compromise_Category_1920x900-300x300.jpg","width":300,"height":300},"speakable":{"@type":"SpeakableSpecification","xPath":["\/html\/head\/title","\/html\/head\/meta[@name='description']\/@content"]},"author":[{"@type":"Person","name":"Brad Duncan"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar 
:where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar :where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='safe-svg-svg-icon-style-inline-css'> .safe-svg-cover{text-align:center}.safe-svg-cover .safe-svg-inside{display:inline-block;max-width:100%}.safe-svg-cover svg{height:100%;max-height:100%;max-width:100%;width:100%} </style> <style id='classic-theme-styles-inline-css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='post-views-counter-frontend-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/css/frontend.min.css?ver=1.4.8' media='all' /> <link rel='stylesheet' id='wpml-legacy-post-translations-0-css' 
href='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' media='all' /> <link rel='stylesheet' id='unit42-v6-style-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/style.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-head-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/head-styles.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v5-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-plugin-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/plugin.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main-redesign.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='like-dislike-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/css/ldc-lite.css?ver=1.0.0' media='all' /> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script id="crayon_js-js-extra"> var CrayonSyntaxSettings = {"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""}; var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"}; </script> <script 
src="https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta" id="crayon_js-js"></script> <script id="post-views-counter-frontend-js-before"> var pvcArgsFrontend = {"mode":"js","postID":116579,"requestURL":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","nonce":"4c1448bc35","dataStorage":"cookies","multisite":false,"path":"\/","domain":""}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/js/frontend.min.js?ver=1.4.8" id="post-views-counter-frontend-js"></script> <script id="wpml-xdomain-data-js-extra"> var wpml_xdomain_data = {"css_selector":"wpml-ls-item","ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","current_lang":"en","_nonce":"25bebc0ffc"}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.6.15" id="wpml-xdomain-data-js" defer data-wp-strategy="defer"></script> <link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/116579" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=116579' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fta551-shathak-icedid%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fta551-shathak-icedid%2F&#038;format=xml" /> <meta name="generator" content="WPML ver:4.6.15 stt:1,28;" /> <meta 
name="google-site-verification" content="zHZtYOWm9hm4SZgsH7wqiYcOwmsAsxDUDU4UD1QxB40" /><style>#wpdevart_lb_overlay{background-color:#000000;} #wpdevart_lb_overlay.wpdevart_opacity{opacity:0.8 !important;} #wpdevart_lb_main_desc{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ width:100%; padding-top:0px; padding-bottom:0px; } #wpdevart_info_counter_of_imgs{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_caption{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_title{ display: inline-block; padding-left:5px; padding-right:5px; font-size:15px; color:#000000; } @-webkit-keyframes rotate { to {-webkit-transform: rotate(360deg);} from {-webkit-transform: rotate(0deg);} } @keyframes rotate { to {transform: rotate(360deg);} from {transform: rotate(0deg);} } #wpdevart_lb_loading_img,#wpdevart_lb_loading_img_first{ -webkit-animation: rotate 2s linear infinite; animation: rotate 2s linear infinite; } </style> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="32x32" /> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <meta name="msapplication-TileImage" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <script>var $ = jQuery;</script> <script type="text/javascript"> ;(function(win, doc, style, timeout) { var STYLE_ID = 
'at-body-style'; function getParent() { return doc.getElementsByTagName('head')[0]; } function addStyle(parent, id, def) { if (!parent) { return; } var style = doc.createElement('style'); style.id = id; style.innerHTML = def; parent.appendChild(style); } function removeStyle(parent, id) { if (!parent) { return; } var style = doc.getElementById(id); if (!style) { return; } parent.removeChild(style); } addStyle(getParent(), STYLE_ID, style); setTimeout(function() { removeStyle(getParent(), STYLE_ID); }, timeout); }(window, document, "body {visibility:hidden !important}", 3000)); </script> <script src="https://assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script> <script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script> <script type="text/javascript"> var isIE11 = !!navigator.userAgent.match(/Trident.*rv\:11\./); if(isIE11){ var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/scripts/polyfill.min.js'; document.write('<script type="text/javascript" src="'+polyfill+'">\x3C/script>'); } /** * String.prototype.replaceAll() polyfill * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/ * @author Chris Ferdinandi * @license MIT */ if (!String.prototype.replaceAll) { String.prototype.replaceAll = function(str, newStr){ // If a regex pattern if (Object.prototype.toString.call(str).toLowerCase() === '[object regexp]') { return this.replace(str, newStr); } // If a string return this.replace(new RegExp(str, 'g'), newStr); }; } /*! 
lozad.js - v1.16.0 - 2020-09-06 */ !function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict"; /** * Detect IE browser * @const {boolean} * @private */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 
1x u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}}); </script> <!-- <script src="https://www.google.com/recaptcha/api.js"></script> --> <!-- End: Scripts Migrated From Unit42-v5 --> </head> <body class="post-template-default single single-post postid-116579 single-format-standard no-sidebar"> <header class="haeder py-15 position-relative z-index-2" style="display: none;"> <div class="container px-sm-30 px-35"> <div class="row"> <div class="first-logo col-sm-auto col-6 mb-sm-0 mb-40 text-sm-center order-1"> <a 
href="https://www.paloaltonetworks.com/"> <img src="/wp-content/uploads/2021/07/PANW_Parent.png" width="140px" alt="Logo" /> </a> </div> <div class="col-sm-auto col-6 text-sm-center order-sm-2 order-4 second-logo-unit"> <a href="https://unit42.paloaltonetworks.com/"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/unit42-logo-white.svg" class="attachment-full size-full" alt="Unit42 Logo" width="150" height="35"/> </a> </div> <div class="col-auto d-sm-none ml-auto mb-40 order-2"> <button class="btn__search" data-toggle="collapse" data-target="#search" aria-label="search"><i class="ui ui-1"></i></button> </div> <div id="search" class="collapse d-sm-block col-sm-auto col-12 ml-auto order-3"> <div class="pt-sm-0 pt-20 pb-sm-0 pb-40 mt-sm-0 mt-n30"> <input type="search" placeholder="Search Unit 42" id="innerSearch" class="header__search" value="" required aria-label="Inner Search"> </div> </div> <div class="col-auto d-sm-none d-flex ml-auto align-items-center order-5"> <button class="btn__menu rounded" data-toggle="collapse" data-target="#navigation">Menu</button> </div> </div> </div> </header> <nav id="navigation" class="site-nav collapse d-sm-block pb-20 mt-sm-10" style="display: none!important;"> <div class="container px-sm-30"> <ul id="menu-primary-navigation" class="main-menu d-sm-flex font-weight-medium"><li id="menu-item-97290" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-97290"><a href="https://unit42.paloaltonetworks.com/tools/">Tools</a></li> <li id="menu-item-41" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-41"><a href="https://unit42.paloaltonetworks.com/atoms/">ATOMs</a></li> <li id="menu-item-119884" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-119884"><a target="_blank" href="https://www.paloaltonetworks.com/unit42">Security Consulting</a></li> <li id="menu-item-81229" class="menu-item menu-item-type-post_type menu-item-object-page 
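menu-item-81229"><a href="https://unit42.paloaltonetworks.com/about-unit-42/">About Us</a></li> <li id="menu-item-121229" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-121229"><a href="https://start.paloaltonetworks.com/contact-unit42.html"><b style="color:#C84727">Under Attack?</b></a></li> </ul> </div> </nav>
<div class="panClean pan-template-home" id="main-nav-menu-cont" style="display:none;">
  <div class="cleanHeader mainNavigationComp baseComponent parbase">
    <div class="productNav2021Component dark default" id="PAN_2021_NAV_ASYNC"> </div>
  </div>
  <div class="cleanTopHtml htmlComp baseComponent parbase"><div class="base-component-spacer spacer-none "></div> </div>
</div>
<!-- Start: Scripts Migrated From Unit42-v5 -->
<script type="text/javascript">
/*
 * Cross-site navigation loader.
 *
 * Decides which product "container" (Prisma, CloudCortex, Cortex, Sase, Unit,
 * Ngfw) the visitor arrived from, fetches the matching navigation fragment
 * from a fixed first-party URL and injects it into #PAN_2021_NAV_ASYNC.
 *
 * Globals this script relies on, defined earlier in the page:
 *   main_site_url, maindomain_lang  (head script), lozad (lazy-loader),
 *   $ (jQuery alias).
 * Globals this script defines for later scripts: getCookie, addStyle,
 * httpGet, callMainSitePrismaNavHTML, referer, pcontainer,
 * searchResultsPagePath, fromRef, nContainer.
 */

/**
 * Return the value of cookie `cname`, or "" when it is absent.
 * decodeURIComponent() throws on a malformed %-sequence in *any* cookie; fall
 * back to the raw cookie string so one bad cookie cannot break the navigation.
 */
function getCookie(cname) {
  var name = cname + "=";
  var decodedCookie;
  try {
    decodedCookie = decodeURIComponent(document.cookie);
  } catch (e) {
    decodedCookie = document.cookie;
  }
  var ca = decodedCookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i];
    while (c.charAt(0) == ' ') {
      c = c.substring(1);
    }
    if (c.indexOf(name) == 0) {
      return c.substring(name.length, c.length);
    }
  }
  return "";
}

/* Container selection: sessionStorage first, then the cross-subdomain hand-off cookie. */
var referer = ""; //sessionStorage.container;
var pcontainer = sessionStorage.getItem("container");
var searchResultsPagePath = "";
if (((pcontainer) && pcontainer.indexOf('Prisma') != -1)) {
  referer = 'Prisma';
} else if (((pcontainer) && pcontainer.indexOf('Cortex') != -1)) {
  if (pcontainer.indexOf('CloudCortex') != -1) {
    referer = 'CloudCortex';
  } else {
    referer = 'Cortex';
  }
} else if (((pcontainer) && pcontainer.indexOf('Sase') != -1)) {
  referer = 'Sase';
} else if (((pcontainer) && pcontainer.indexOf('Unit') != -1)) {
  referer = 'Unit';
} else if (((pcontainer) && pcontainer.indexOf('Ngfw') != -1)) {
  referer = 'Ngfw';
}
var fromRef = document.referrer;
var nContainer = getCookie("navContainer");
if (nContainer) {
  //If user is coming from main site, we need to reset the container
  if (fromRef && fromRef.indexOf("prismacloud.io") != -1) {
    referer = 'Prisma';
    sessionStorage.setItem("container", "Prisma");
  } else if (fromRef.indexOf("paloaltonetworks.com") != -1 || fromRef.indexOf("paloaltonetworks.jp") != -1) {
    // Later matches deliberately win (same order as the original); the
    // cookie is only consulted, never echoed into the DOM or a URL.
    if (nContainer.indexOf('Prisma') != -1) {
      referer = 'Prisma';
      sessionStorage.setItem("container", "Prisma");
    }
    if (nContainer.indexOf('Cortex') != -1) {
      if (nContainer.indexOf('CloudCortex') != -1) {
        referer = 'CloudCortex';
        sessionStorage.setItem("container", "CloudCortex");
      } else {
        referer = 'Cortex';
        sessionStorage.setItem("container", "Cortex");
      }
    }
    if (nContainer.indexOf('Sase') != -1) {
      referer = 'Sase';
      sessionStorage.setItem("container", "Sase");
    }
    if (nContainer.indexOf('Unit') != -1) {
      referer = 'Unit';
      sessionStorage.setItem("container", "Unit");
    }
    if (nContainer.indexOf('Ngfw') != -1) {
      referer = 'Ngfw';
      sessionStorage.setItem("container", "Ngfw");
    }
    // One-shot hand-off cookie: expire it on the parent domain once consumed.
    document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
  }
}
// Anything not in the allow-list collapses to the Unit 42 navigation.
if (referer != "Prisma" && referer != "CloudCortex" && referer != "Cortex" && referer != "Sase" && referer != "Unit" && referer != "Ngfw") {
  referer = 'Unit';
  sessionStorage.setItem("container", "Unit");
}

/**
 * Fetch the navigation fragment for the selected container and reveal the
 * nav wrapper. Every menu_url is a hard-coded first-party URL; `referer` is
 * only ever one of the allow-listed constants above, so no caller-controlled
 * data reaches the request URL.
 */
function callMainSitePrismaNavHTML() {
  var referrer_domain = 'https://www.paloaltonetworks.com';
  var menu_url;
  sessionStorage.setItem("domain", referrer_domain);
  if (referer == 'Prisma') {
    menu_url = referrer_domain + '/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html';
    searchResultsPagePath = referrer_domain + "/search/prismasearch";
  }
  if (referer == 'CloudCortex') {
    menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/unit-nav-renderer.php?type=cortexcloud';
    searchResultsPagePath = referrer_domain + "/search/cortexcloudsearch";
  }
  if (referer == 'Cortex') {
    menu_url = referrer_domain + '/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html';
    searchResultsPagePath = referrer_domain + "/search/cortexsearch";
  }
  if (referer == 'Sase') {
    menu_url = referrer_domain + '/_jcr_content/globals/cleanHeaderSase.saseRenderer.html';
    searchResultsPagePath = referrer_domain + "/search/sasesearch";
  }
  if (referer == 'Unit') {
    menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/unit-nav-renderer.php?type=unit42';
    searchResultsPagePath = referrer_domain + "/content/pan/en_US/search/unit42search";
  }
  if (referer == 'Ngfw') {
    menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/ngfw-cdss-nav-renderer.php';
    searchResultsPagePath = referrer_domain + "/search/ngfwcdsssearch";
  }
  httpGet(menu_url, 'menu_html');
  document.getElementById('main-nav-menu-cont').removeAttribute("style");
}

/**
 * Append a <style> element containing `styles` to <head>.
 * @param {string} styles raw CSS text
 */
function addStyle(styles) {
  /* Create style document */
  var css = document.createElement('style');
  css.type = 'text/css';
  if (css.styleSheet) css.styleSheet.cssText = styles;
  else css.appendChild(document.createTextNode(styles));
  /* Append style to the tag name */
  document.getElementsByTagName("head")[0].appendChild(css);
}

/**
 * GET `theUrl` and, on a 200 response, either inject it as the navigation
 * fragment (req_type 'menu_html') or append it as CSS ('head_inline_css').
 *
 * The fragment is inserted with innerHTML. That is acceptable only because
 * every URL passed in is a fixed first-party constant (see
 * callMainSitePrismaNavHTML); if theUrl ever derives from the query string,
 * referrer or storage, this becomes a DOM XSS sink and the markup must be
 * sanitised before insertion.
 *
 * @param {string} theUrl    request URL
 * @param {string} req_type  'menu_html' | 'head_inline_css'
 */
function httpGet(theUrl, req_type) {
  // Declared locally: the original leaked `xmlhttp` as an implicit global,
  // so two overlapping requests would clobber each other's handler state.
  var xmlhttp;
  if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp = new XMLHttpRequest();
  } else { // code for IE6, IE5
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
      if (req_type == 'menu_html') {
        // Strip the Coveo loader and absolutise root-relative asset/link paths
        // so the fragment rendered for www. resolves from this subdomain.
        var nav_text = xmlhttp.responseText.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');
        nav_text = nav_text.replaceAll('src="/', 'src="' + maindomain_lang + '/');
        nav_text = nav_text.replaceAll("'/content", "'" + maindomain_lang + "/content");
        document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="' + maindomain_lang + '/');
        // Rewrite url('...') background paths in the fragment to the main site.
        var lozad_back = document.getElementsByClassName('lozad-background');
        Array.prototype.forEach.call(lozad_back, function (el) {
          var el_back_img_path = el.getAttribute('data-background-image');
          if (!el_back_img_path) {
            return; // attribute absent: nothing to rewrite
          }
          var first_pos = el_back_img_path.indexOf("'");
          var last_pos = el_back_img_path.indexOf("'", first_pos + 1);
          if (first_pos == -1 || last_pos == -1) {
            return; // no quoted path: leave the attribute untouched rather than blanking it
          }
          el_back_img_path = el_back_img_path.substring(first_pos + 1, last_pos);
          el.setAttribute("data-background-image", main_site_url + el_back_img_path);
        });
        const observer_lozad = lozad('.lozad, .lozad-background'); // lazy loads elements with default selector as '.lozad'
        observer_lozad.observe();
      }
      if (req_type == 'head_inline_css') {
        addStyle(xmlhttp.responseText);
      }
    }
  };
  xmlhttp.open("GET", theUrl, true);
  xmlhttp.send();
}

// Tag the nav container with its type, then load it. NOTE(review): the
// 'Cortex' branch sets no dataset.type in the original; preserved as-is,
// confirm whether that is intentional.
if (referer == 'Prisma' || referer == 'CloudCortex' || referer == 'Cortex' || referer == 'Sase' || referer == 'Unit' || referer == 'Ngfw') {
  const article = document.querySelector('#PAN_2021_NAV_ASYNC');
  if (referer == 'Prisma') {
    article.dataset.type = 'prisma';
    $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
  } else if (referer == 'CloudCortex') {
    article.dataset.type = 'cloudcortex';
  } else if (referer == 'Sase') {
    article.dataset.type = 'sase';
  } else if (referer == 'Unit') {
    article.dataset.type = 'unit';
  } else if (referer == 'Ngfw') {
    article.dataset.type = 'ngfw';
  }
  //set class to default
  if (referer == 'Unit' || referer == 'Ngfw') {
    $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
  }
  callMainSitePrismaNavHTML();
}
</script>
<!-- End: Scripts Migrated From Unit42-v5 -->
<main class="main"> <section class="section section--article"> <div class="pa article-banner" style="background-image:url('https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/10_Business_email_compromise_Category_1920x900.jpg')"> <div class="l-container"> <div class="l-breadcrumbs"> <ul> <li> <a href="https://unit42.paloaltonetworks.com" role="link" title="Threat Research" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:breadcrumb:Threat Research">Threat Research Center</a></li><li><a href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" title="Threat Research" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:breadcrumb:Threat Research">Threat Research</a></li><li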
class="is-current"><a href="https://unit42.paloaltonetworks.com/category/malware/" role="link" title="Malware" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:breadcrumb:Malware">Malware</a></li> </ul> </div> <div class="ab__title"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/malware/" role="link" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Malware"><span class="ab-title__pre">Malware</span></a> <h1>TA551: Email Attack Campaign Switches from Valak to IcedID</h1> <div class="ab__video"> <span class="duration"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-clock.svg" alt="Clock Icon"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 9</span> <span class="rt-label rt-postfix"></span></span> min read </span> </div> <div class="ab-lc__wrapper"> <span class="ab-title__pre">Related Products</span><div class="ab__link-cards"><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/advanced-threat-prevention/" style="--card-color: #ffcb06" role="link" title="Advanced Threat Prevention" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Advanced Threat Prevention"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Advanced Threat Prevention icon">Advanced Threat Prevention</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/next-generation-firewall/" style="--card-color: #ffcb06" role="link" title="Next-Generation Firewall" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Next-Generation Firewall"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Next-Generation Firewall icon">Next-Generation Firewall</a></div> </div> </div> </div> <div 
class="ab__footer"> <div class="l-container"> <div class="ab__footer-wrapper"> <ul class="ab__features" role="list"> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-profile-grey.svg" alt="Profile Icon"> <div class="ab__text"><span>By:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Brad Duncan" href="https://unit42.paloaltonetworks.com/author/bduncan/">Brad Duncan</a></li></ul></div></li> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-calendar-grey.svg" alt="Published Icon"> <div class="ab__text"><span>Published:</span>January 7, 2021</div></li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-category.svg" alt="Tags Icon"><div class="ab__text"><span>Categories:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Malware" href="https://unit42.paloaltonetworks.com/category/malware/">Malware</a></li><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Threat Research" href="https://unit42.paloaltonetworks.com/category/threat-research/">Threat Research</a></li></ul></div> </li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-tags-grey.svg" alt="Tags Icon"><div class="ab__text"><span>Tags:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:IcedID" href="https://unit42.paloaltonetworks.com/tag/icedid/">IcedID</a></li><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Shathak" href="https://unit42.paloaltonetworks.com/tag/shathak/">Shathak</a></li><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:TA551" 
href="https://unit42.paloaltonetworks.com/tag/ta551/">TA551</a></li><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Ursnif" href="https://unit42.paloaltonetworks.com/tag/ursnif/">Ursnif</a></li><li><a data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:Valak" href="https://unit42.paloaltonetworks.com/tag/valak/">Valak</a></li></ul></div> </li> </ul> <div class="ab__options"> <ul role="list"> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/?pdf=download&#038;lg=en&#038;_wpnonce=cb522ded73" role="link" target="_blank" title="Click here to download" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:pdfdownload"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-download.svg" alt="Download Icon"></a></li> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/?pdf=print&#038;lg=en&#038;_wpnonce=cb522ded73" target="_blank" role="link" title="Click here to print" data-page-track="true" data-page-track-value="ta551-shathak-icedid:hero:pdfprint"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-print.svg" alt="Print Icon"></a></li> </ul> <div class="ab__share" id="shareDropdown" role="button" aria-expanded="false"> <a href="#" role="link" title="Click here to share" data-page-track="true" data-page-track-value="ta551-shathak-icedid:share" class="">Share<img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/down-arrow.svg" alt="Down arrow"></a><ul class="share-dropdown" role="menu"> <li role="menuitem"> <a href="#" class="copy-url" id="copyUrl" data-url="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" role="link" title="Copy link" data-page-track="true" data-page-track-value="ta551-shathak-icedid:share:link"> <img 
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-twitter-share.svg" alt="Twitter Icon"></a> </li> <li role="menuitem"> <a href="//www.reddit.com/submit?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fta551-shathak-icedid%2F" target="_blank" role="link" title="Share in Reddit" data-page-track="true" data-page-track-value="ta551-shathak-icedid:share:reddit"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-reddit-share.svg" alt="Reddit Icon"></a> </li> <li role="menuitem"> <a href="https://mastodon.social/share?text=TA551:%20Email%20Attack%20Campaign%20Switches%20from%20Valak%20to%20IcedID%20https%3A%2F%2Funit42.paloaltonetworks.com%2Fta551-shathak-icedid%2F" target="_blank" role="link" title="Share in Mastodon" data-page-track="true" data-page-track-value="ta551-shathak-icedid:share:mastodon"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-mastodon-share.svg" alt="Mastodon Icon"></a> </li> </ul> </div> </div> </div> </div> </div> </div> </section> <section class="section blog-contents"> <div class="pa blog-editor"> <div class="l-container"> <div class="be__wrapper"> <div class="be__contents"> <div class="be__contents-wrapper"> <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/ta551-shathak-icedid/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2>Executive Summary</h2> <p>TA551 (also known as Shathak) is an email-based malware distribution campaign that often targets English-speaking victims. 
The campaign discussed in this blog has targeted German, Italian and Japanese speakers. TA551 has historically pushed different families of information-stealing malware like <a href="https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/">Ursnif</a> and Valak. After mid-July 2020, this campaign has exclusively pushed IcedID malware, another information stealer.</p> <p>This blog provides an overview of TA551, as well as previous activity from this campaign. We also examine changes from this campaign since our previous blog about <a href="https://unit42.paloaltonetworks.com/valak-evolution/">TA551 pushing Valak</a> in July 2020.</p> <p>Palo Alto Networks <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall">Next-Generation Firewall</a> customers are protected from this threat with the <a href="https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention">Threat Prevention</a> security subscription, which detects the malware. <a href="https://www.paloaltonetworks.com/cortex/autofocus">AutoFocus</a> customers can track this activity using the <a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.TA551">TA551</a> and <a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.IcedID">IcedID</a> tags.</p> <h2>Infection Chain of Events</h2> <p>From mid-July through November 2020, TA551 has remained consistent in its infection process. 
A flow chart for the chain of events is shown in Figure 1.</p> <figure id="attachment_116612" aria-describedby="caption-attachment-116612" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116612 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-15.jpeg" alt="TA551 (Shathak) chain of events include 1) malicious email with attachment, 2) attached zip archive, password-protected, 3) extracted Word document, 4) enable macros, 5) HTTP traffic for IcedID installer, 6) installer DLL, 7) HTTPS traffic for IcedID binary, 8) IcedID binary persistent on the infected host, 9) HTTPS post-infection traffic. " width="900" height="502" /><figcaption id="caption-attachment-116612" class="wp-caption-text">Figure 1. Chain of events for TA551 (Shathak) from July through November 2020.</figcaption></figure> <p>The initial lure is an email spoofing an email chain. These email chains are retrieved from email clients on previously infected hosts. The email has an attached ZIP archive and a short message informing the user of the password necessary to open the attachment.</p> <p>After opening the ZIP archive, the victim finds a Microsoft Word document with macros. If the victim enables macros on a vulnerable Windows computer, the victim’s host retrieves an installer DLL for IcedID malware. This will infect a vulnerable Windows computer. See Figures 2-7 for a recent example targeting a Japanese-speaking victim.</p> <figure id="attachment_116614" aria-describedby="caption-attachment-116614" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116614 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-16.jpeg" alt="A malicious email targeting a Japanese-speaking victim on Nov. 4, 2020, including a ZIP archive that leads to an installer DLL for IcedID malware. " width="900" height="528" /><figcaption id="caption-attachment-116614" class="wp-caption-text">Figure 2.
An example of TA551 email targeting a Japanese-speaking victim on Nov. 4, 2020.</figcaption></figure> <figure id="attachment_116616" aria-describedby="caption-attachment-116616" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116616 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-17.jpeg" alt="The screenshot shows a user opening the ZIP archive using the password provided in the malicious email. " width="900" height="387" /><figcaption id="caption-attachment-116616" class="wp-caption-text">Figure 3. Using password from the message to open the ZIP archive.</figcaption></figure> <figure id="attachment_116618" aria-describedby="caption-attachment-116618" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116618 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-18.jpeg" alt="The Word document retrieved from the malicious ZIP archive contains macros which can harm a vulnerable computer if enabled. " width="900" height="520" /><figcaption id="caption-attachment-116618" class="wp-caption-text">Figure 4. Screenshot of Word document from the ZIP archive.</figcaption></figure> <figure id="attachment_116620" aria-describedby="caption-attachment-116620" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116620 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-19.jpeg" alt="The screenshot shows traffic from an IcedID infection filtered in Wireshark. " width="900" height="414" /><figcaption id="caption-attachment-116620" class="wp-caption-text">Figure 5. 
Traffic from an infection filtered in Wireshark.</figcaption></figure> <figure id="attachment_116622" aria-describedby="caption-attachment-116622" style="width: 900px" class="wp-caption alignnone"><img class="wp-image-116622 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-20.jpeg" alt="Files and directories created during the infection process on a Windows host include the initial IcedID DLL, installer DLL, copy of mshta.exe and persistent IcedID DLL. These files and directories are indicated with red arrows in the screenshot. " width="900" height="545" /><figcaption id="caption-attachment-116622" class="wp-caption-text">Figure 6. Files and directories created during the infection process on a Windows host.</figcaption></figure> <figure id="attachment_116624" aria-describedby="caption-attachment-116624" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116624 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-21.jpeg" alt="The screenshot shows a scheduled task with &quot;multiple triggers defined.&quot; This task keeps the IcedID infection persistent on an infected Windows host. " width="900" height="465" /><figcaption id="caption-attachment-116624" class="wp-caption-text">Figure 7. Scheduled task to keep the IcedID infection persistent on an infected Windows host.</figcaption></figure> <h2>TA551 Switches to IcedID</h2> <p>We have a <a href="https://github.com/pan-unit42/iocs/tree/master/TA551">GitHub repository where we track recent TA551 activity</a>. The repository contains information on each wave of attack from TA551 since July 6, 2020. Starting on July 14, 2020, we have only seen IcedID malware from these waves of attack.</p> <p>Since July 14, 2020, these waves of malspam consistently targeted English-speaking victims until <a href="https://github.com/pan-unit42/iocs/blob/master/TA551/2020-10-27-TA551-IOCs-for-IcedID.txt">Oct.
27, 2020</a>, when we started seeing Japanese templates for the Word documents. TA551 consistently targeted Japanese-speaking victims from Oct. 27-<a href="https://github.com/pan-unit42/iocs/blob/master/TA551/2020-11-19-and-11-20-TA551-IOCs-for-IcedID.txt">Nov. 20, 2020</a>. After approximately three weeks of Japanese-focused attacks, TA551 switched back to English-speaking victims starting on <a href="https://github.com/pan-unit42/iocs/blob/master/TA551/2020-11-24-TA551-IOCs-for-IcedID.txt">Nov. 24, 2020</a>.</p> <p>Regardless of the targeted group, TA551 continues to push IcedID as its malware payload.</p> <h2>History of TA551</h2> <p>We have traced TA551 as far back as February 2019, and since that time, we have noted the following characteristics:</p> <ul> <li>TA551 has distributed different families of malware, including <a href="https://isc.sans.edu/forums/diary/Ursnif+infection+with+Dridex/25566/">Ursnif (Gozi/ISFB)</a>, <a href="https://unit42.paloaltonetworks.com/valak-evolution/">Valak</a> and <a href="https://isc.sans.edu/forums/diary/TA551+Shathak+Word+docs+push+IcedID+Bokbot/26438/">IcedID</a>.</li> <li>TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. It sends copies of these email chains to recipients of the original email chain.</li> <li>The spoofed email includes a short message as the most recent item in the chain. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password.</li> <li>File names for the ZIP archives use the name of the company being spoofed in the email. 
For example, if the spoofed sender is <span style="font-family: 'courier new', courier, monospace;">someone@companyname.com</span>, the ZIP attachment would be named <span style="font-family: 'courier new', courier, monospace;">companyname.zip</span>.</li> <li>In 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names.</li> <li>These password-protected ZIP attachments contain a Word document with macros to install malware.</li> <li>File names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed.</li> <li>URLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed.</li> </ul> <h2>TA551 in 2019</h2> <p>Figure 8 shows the earliest email we can confirm from this campaign, dated Feb. 4, 2019. It targeted an English-speaking recipient and pushed Ursnif malware.</p> <figure id="attachment_116626" aria-describedby="caption-attachment-116626" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116626 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-22.jpeg" alt="TA551 malspam from February 2019 includes extracted document name: Request11.doc" width="900" height="551" /><figcaption id="caption-attachment-116626" class="wp-caption-text">Figure 8. 
Example of TA551 malspam from February 2019.</figcaption></figure> <p>The following files are associated with the above example:</p> <ul> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">3dab8a906b30e1371b9aab1895cd5aef75294b747b7291d5c308bb19fbc5db10</span></li> <li>File size: 157,696 bytes</li> <li>File name: <span style="font-family: 'courier new', courier, monospace;">Request11.doc</span></li> <li>File description: Word doc with macro for Ursnif (Gozi/ISFB)</li> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">3afc28d4613e359b2f996b91eeb0bbe1a57c7f42d2d4b18e4bb6aa963f58e3ff</span></li> <li>File size: 284,160 bytes</li> <li>File location: <span style="font-family: 'courier new', courier, monospace;">hxxp://gou20lclair[.]band/xap_102b-AZ1/704e.php?l=zyteb12.gas</span></li> <li>File description: Example of Windows EXE retrieved by Word macro – an installer for Ursnif</li> </ul> <p>Figure 9 shows an email from this campaign dated April 2, 2019. It targeted an Italian-speaking recipient and pushed Ursnif malware.</p> <figure id="attachment_116628" aria-describedby="caption-attachment-116628" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116628 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-23.jpeg" alt="TA551 malspam from April 2019 includes extracted document name: doc_02.04.doc" width="900" height="556" /><figcaption id="caption-attachment-116628" class="wp-caption-text">Figure 9.
Example of TA551 malspam from April 2019.</figcaption></figure> <p>The following files are associated with the above example:</p> <ul> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">582213137bebc93192b0429f6687c859f007ef03e6a4c620eada8d98ca5d76ba</span></li> <li>File size: 91,136 bytes</li> <li>File name: <span style="font-family: 'courier new', courier, monospace;">doc_02.04.doc</span></li> <li>File description: Word doc with macro for Ursnif</li> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">8c72d5e5cb81f7a7c2b4881aff3be62cdc09caa52f93f9403166af74891c256e</span></li> <li>File size: 606,208 bytes</li> <li>File location: <span style="font-family: 'courier new', courier, monospace;">hxxp://seauj35ywsg[.]com/2poef1/j.php?l=zepax4.fgs</span></li> <li>File description: Example of Windows EXE to install Ursnif retrieved by a macro associated with this wave of Word documents</li> </ul> <p>Figure 10 shows an email from this campaign dated Oct. 30, 2019. It targeted a German-speaking recipient and pushed Ursnif malware.</p> <figure id="attachment_116630" aria-describedby="caption-attachment-116630" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116630 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-24.jpeg" alt="TA551 malspam from October 2019 includes extracted document name: info_10_30.doc" width="900" height="554" /><figcaption id="caption-attachment-116630" class="wp-caption-text">Figure 10. 
Example of TA551 malspam from October 2019.</figcaption></figure> <p>The following files are associated with the above example:</p> <ul> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">10ed909ab789f2a83e4c6590da64a6bdeb245ec9189d038a8887df0dae46df2a</span></li> <li>File size: 269,312 bytes</li> <li>File name: <span style="font-family: 'courier new', courier, monospace;">info_10_30.doc</span></li> <li>File description: Word doc with macro for Ursnif</li> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">9e5008090eaf25c0fe58e220e7a1276e5501279da4bb782f92c90f465f4838cc</span></li> <li>File size: 300,032 bytes</li> <li>File location: <span style="font-family: 'courier new', courier, monospace;">hxxp://onialisati[.]com/deamie/ovidel.php?l=brelry2.cab</span></li> <li>File description: Example of Windows EXE retrieved by Word macro – an installer for Ursnif</li> </ul> <p>Note how the URL from the above example ends in <span style="font-family: 'courier new', courier, monospace;">.cab</span>. This pattern was fairly consistent for URLs generated by macros from TA551 Word docs until late October 2020.</p> <p>Figure 11 shows an email from this campaign dated Dec. 17, 2019. It targeted a Japanese-speaking recipient and pushed Ursnif malware.</p> <figure id="attachment_116632" aria-describedby="caption-attachment-116632" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116632 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-25.jpeg" alt="TA551 malspam from December 2019 includes extracted document name: info_12_18.doc" width="900" height="610" /><figcaption id="caption-attachment-116632" class="wp-caption-text">Figure 11. 
Example of TA551 malspam from December 2019.</figcaption></figure> <p>The following files are associated with the above example:</p> <ul> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">3b28f3b1b589c9a92940999000aa4a01048f2370d03c4da0045aabf61f9e4bb6</span></li> <li>File size: 101,528 bytes</li> <li>File name: <span style="font-family: 'courier new', courier, monospace;">info_12_18.doc</span></li> <li>File description: Word doc with macro for Ursnif</li> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">3a22d206858773b45b56fc53bed5ee4bb8982bb1147aad9c2a7c57ef6c099512</span></li> <li>File size: 1,650,176 bytes</li> <li>File location: <span style="font-family: 'courier new', courier, monospace;">hxxp://vestcheasy[.]com/koorsh/soogar.php?l=weecum5.cab</span></li> <li>File description: Example of Windows EXE retrieved by Word macro – an installer for Ursnif</li> </ul> <p>Note that Ursnif-infected hosts <a href="https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/">occasionally retrieve follow-up malware</a>. For example, on Dec. 19, 2019, a Windows host infected with Ursnif by way of TA551 was also <a href="https://www.malware-traffic-analysis.net/2019/12/19/index.html">infected with IcedID and Valak</a> as follow-up malware.</p> <h2>TA551 in 2020</h2> <p>Figure 12 shows an email from TA551 dated March 26, 2020. 
It targeted a German-speaking recipient and <a href="https://www.malware-traffic-analysis.net/2020/03/26/index.html">pushed ZLoader (Silent Night) malware</a>.</p> <figure id="attachment_116634" aria-describedby="caption-attachment-116634" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116634 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-26.jpeg" alt="TA551 malspam from March 2020 includes extracted document name: information_03.26.doc" width="900" height="571" /><figcaption id="caption-attachment-116634" class="wp-caption-text">Figure 12. Example of TA551 malspam from March 2020.</figcaption></figure> <p>The following files are associated with the above example:</p> <ul> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">62ecc8950e8be104e250304fdc32748fcadaeaa677f7c066be1baa17f940eda8</span></li> <li>File size: 127,757 bytes</li> <li>File name: <span style="font-family: 'courier new', courier, monospace;">information_03.26.doc</span></li> <li>File description: Word doc with macro for ZLoader (Silent Night)</li> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">9b281a8220a6098fefe1abd6de4fc126fddfa4f08ed1b90d15c9e0514d77e166</span></li> <li>File size: 486,400 bytes</li> <li>File location: <span style="font-family: 'courier new', courier, monospace;">hxxp://x0fopmxsq5y2oqud[.]com/kundru/targen.php?l=swep7.cab</span></li> <li>File description: Windows DLL for ZLoader retrieved by Word macro</li> </ul> <p>Figure 13 shows an email from this campaign dated April 28, 2020. 
It targeted an English-speaking recipient and pushed Valak malware.</p> <figure id="attachment_116636" aria-describedby="caption-attachment-116636" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116636 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-27.jpeg" alt="TA551 malspam from April 2020 includes document names such as: docs,04.20.doc, inquiry_04.20.doc, files 04.28.2020.doc, legal paper,04.20.doc, certificate,04.28.2020.doc, specifics-04.20.doc" width="900" height="574" /><figcaption id="caption-attachment-116636" class="wp-caption-text">Figure 13. Example of TA551 malspam from April 2020.</figcaption></figure> <p>The following files are associated with the above example:</p> <ul> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">bd58160966981dd4b04af8530e3320edbddfc2b83a82b47a76f347d0fb4ca93a</span></li> <li>File size: 61,233 bytes</li> <li>File name: <span style="font-family: 'courier new', courier, monospace;">docs,04.20.doc</span></li> <li>File description: Word doc with macro for Valak</li> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">9ce4835ef1842b7407b3c8777a6495ceb1b69dac0c13f7059c2fec1b2c209cb1</span></li> <li>File size: 418,816 bytes</li> <li>File location: <span style="font-family: 'courier new', courier, monospace;">hxxp://qut6oga5219bf00e[.]com/we20lo85/aio0i32p.php?l=nok4.cab</span></li> <li>File description: Example of Windows DLL retrieved by Word macro -- an installer for Valak</li> </ul> <p>At this point, the document names had changed format. This is when we started seeing several different names for the extracted Word documents from each day of attack.</p> <p>Figure 14 shows an email from this campaign dated May 22, 2020. 
It targeted an English-speaking recipient and pushed Valak malware.</p> <figure id="attachment_116638" aria-describedby="caption-attachment-116638" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116638 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-28.jpeg" alt="Malspam from May 2020 includes document names such as: input_05.20.doc, document_05.20.doc, deed contract 05.20.doc, contract_05.22.2020.doc, prescribe-05.22.2020.doc, command-05.22.2020.doc" width="900" height="571" /><figcaption id="caption-attachment-116638" class="wp-caption-text">Figure 14. Example of TA551 malspam from May 2020.</figcaption></figure> <p>The following files are associated with the above example:</p> <ul> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">3562023ab563fc12d17981a1328f22a3d3e4c358535b9a0c28173a6e4ad869ba</span></li> <li>File size: 74,338 bytes</li> <li>File name: <span style="font-family: 'courier new', courier, monospace;">file_05.20.doc</span></li> <li>File description: Word doc with macro for Valak</li> <li>SHA256 hash: <span style="font-family: 'courier new', courier, monospace;">4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a</span></li> <li>File size: 184,832 bytes</li> <li>File location: <span style="font-family: 'courier new', courier, monospace;">hxxp://s6oo5atdgmtceep8on[.]com/urvave/cennc.php?l=haao1.cab</span></li> <li>File description: Example of Windows DLL retrieved by Word macro -- an installer for Valak</li> </ul> <p>By this time, the password format for ZIP attachments changed to three digits followed by two letters, and the template style had also been updated.</p> <p>We continued to see Valak pushed by TA551 through <a href="https://www.malware-traffic-analysis.net/2020/07/01/index.html">early July 2020</a>. 
Of note, Valak is a malware downloader, and we frequently saw IcedID as follow-up malware from these infections.</p> <p>However, by mid-July 2020, TA551 started pushing IcedID directly from the Word document macros.</p> <h2>Recent Developments</h2> <p>In recent weeks, TA551 has changed traffic patterns. For several months prior to <a href="https://github.com/pan-unit42/iocs/blob/master/TA551/2020-10-19-TA551-IOCs-for-IcedID.txt">Oct. 19, 2020</a>, URLs generated by Word macros to retrieve installer binaries followed a noticeable pattern. This pattern includes:</p> <ul> <li><span style="font-family: 'courier new', courier, monospace;">.php?l=</span> in the URL path</li> <li>URLs end with <span style="font-family: 'courier new', courier, monospace;">.cab</span></li> </ul> <p>Since <a href="https://github.com/pan-unit42/iocs/blob/master/TA551/2020-10-20-TA551-IOCs-for-IcedID.txt">Oct. 20, 2020</a>, these patterns have changed dramatically. Table 1 shows the changes starting in October.</p> <p>&nbsp;</p> <table style="width: 99.6395%; height: 689px;"> <tbody> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">Date</td> <td style="width: 142.307%; height: 53px;">URL example</td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-10-14</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /docat/hyra.php?l=dybe18.cab</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-10-16</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /muty/sohaq.php?l=tali18.cab</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-10-19</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /biwe_zibofyra/ripy_lani.php?l=qedux18.cab</span></td> </tr> <tr style="height: 53px;"> <td
style="width: 13.7678%; height: 53px;">2020-10-20</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon4.ppt&amp;lhe=hcqjvtfezhsogtrdxdfs</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-10-27</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /update/qqOQccpolFmwCmTnTmURcfZPByI_lqzPNvPfTfvLQjqdJtpOYeWT/WRFlVYjJTKqWAf_KhCjsSselY/tbqxj12</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-10-28</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /update/djMqKxc_BZCF_BJlRmjKmdcihghiSj/wJuzcnBhc/MD/qE_ZWFKbwfWZMCCWgfHU_DNxAcBRlHncRHr/csyj9</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-10-29</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /update/XTZrbyvClXzcfZcJGZSmDWBthSBXjRKw/chti6</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-11-03</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /update/VvZWoYOIotoWV_KUywQtEUVUPjvNYMYYnLnvWWOLA/fZcXYRwGyzMRZcvzHZrDe/gzlov4</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-11-04</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /update/JvYqBVMJCxSDX/nNBk/XhEfjPMvaV_dDFlXqGZNCDTLhTXlPWxEsGjTdzfQBUZCvkBqWOgjo/xrei12</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-11-05</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET 
/update/jcja/yCGHnwRmyMVTeCqljgln/JTHBIgVESrNVdrgJMGGNdiqqGxCNACjXDBjkMJKFPKvJNYXFVbcxYvbS/iuyala13</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-11-19</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /share/ZSzE0sjR23GkF3VwZi_nqFH2B5lqPUVKxwNC/ahtap3</span></td> </tr> <tr style="height: 53px;"> <td style="width: 13.7678%; height: 53px;">2020-11-24</td> <td style="width: 142.307%; height: 53px;"><span style="font-family: 'courier new', courier, monospace;">GET /share/kvNqzh1tF4Y8zyxtL/HQpK6K42Wr8SP9PLJSqxc5h/ROwPcKsG/dbULREqlb1Kj0_RRT/Dfnj/lxnt10</span></td> </tr> </tbody> </table> <p style="text-align: center;"><a id="post-116579-_gjdgxs"></a><span style="font-size: 12pt;"><sup><span style="color: #999999;"><em>Table 1. URL patterns generated by macros from Word docs distributed by TA551.</em></span></sup></span></p> <p>By Oct. 27, 2020, URLs generated by TA551 macros include English terms like <span style="font-family: 'courier new', courier, monospace;">update</span> or <span style="font-family: 'courier new', courier, monospace;">share</span> at the beginning of the HTTP GET request. These URLs end with a series of four to six lowercase English letters followed by a number as low as <span style="font-family: 'courier new', courier, monospace;">1</span> to as high as <span style="font-family: 'courier new', courier, monospace;">18</span>. 
These URLs are not consistent in length, and they can be very short or very long.</p> <p>Since November 2020, we have also noticed <a href="https://twitter.com/malware_traffic/status/1329298956162129922">minor changes in artifacts generated during IcedID infections</a>, including those outside of the TA551 campaign.</p> <p>For example, through early November 2020, IcedID DLLs created by installer DLLs were initially saved to the victim’s <span style="font-family: 'courier new', courier, monospace;">AppData\Local\Temp</span> directory, and the file name started with a tilde (<span style="font-family: 'courier new', courier, monospace;">~</span>) and ended with <span style="font-family: 'courier new', courier, monospace;">.dll</span> as illustrated earlier in Figure 6. In November 2020, we started to see a change: the initial IcedID DLLs saved to the victim’s <span style="font-family: 'courier new', courier, monospace;">AppData\Local</span> directory with a file name ending in <span style="font-family: 'courier new', courier, monospace;">.dat</span> as shown in Figure 15.</p> <figure id="attachment_116640" aria-describedby="caption-attachment-116640" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116640 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/01/word-image-29.jpeg" alt="In Nov. 24, 2020, artifacts from an IcedID infection included files and directories such as: initial IcedID DLL, persistent IcedID DLL, PNG image with encoded data used to create initial IcedID DLL, installer DLL retrieved by Word macro, PNG image with encoded data seen after initial IcedID is run. Red arrows indicate these files and directories in the screenshot. " width="900" height="486" /><figcaption id="caption-attachment-116640" class="wp-caption-text">Figure 15. Artifacts seen from a TA551 IcedID infection on Nov. 24, 2020.</figcaption></figure> <p>These changes may be an effort by malware developers to evade detection. 
At the very least, they might confuse someone conducting forensic analysis on an infected host.</p> <p>Such changes are commonly seen in malware families as they evolve over time. We can expect to see more changes with IcedID malware and the TA551 campaign during the coming months.</p> <p>Finally, the run method for installer DLLs retrieved by TA551 Word macros changed during November 2020:</p> <ul> <li>Old method: <span style="font-family: 'courier new', courier, monospace;">regsvr32.exe</span> <em>[installer DLL filename]</em></li> <li>New method: <span style="font-family: 'courier new', courier, monospace;">rundll32.exe</span> <em>[installer DLL filename]</em>,<span style="font-family: 'courier new', courier, monospace;">ShowDialogA -r</span></li> </ul> <p><span style="font-weight: 400;">Because of such changes, up-to-date information is necessary to ensure proper detection of a constantly evolving campaign like TA551.</span></p> <h2>Conclusion</h2> <p>TA551 has evolved since we last reviewed this threat actor <a href="https://unit42.paloaltonetworks.com/valak-evolution/">deploying Valak malware in July 2020</a>. We frequently saw IcedID as follow-up malware in previous months from Valak and Ursnif infections installed by TA551. This threat actor appears to have eliminated malware downloaders like Valak and Ursnif and is now deploying IcedID directly.</p> <p>Although TA551 has settled on IcedID as its malware payload, we continue to see changes in traffic patterns and infection artifacts as this campaign evolves.</p> <p>Organizations with adequate spam filtering, proper system administration and up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks Next-Generation Firewall customers are further protected from this threat with the Threat Prevention security subscription, which detects the malware.
AutoFocus customers can track this activity using the TA551 and IcedID tags.</p> <h2>Indicators of Compromise</h2> <p><a href="https://github.com/pan-unit42/iocs/tree/master/TA551">This GitHub repository</a> currently has more than 50 text files containing various indicators associated with TA551 from mid-July 2020 through November 2020. <span style="font-weight: 400;">Each text file represents a specific day the campaign was active, and it contains SHA256 hashes, document names, associated URLs and other related data, some of which we’ve also shared through our Twitter handle </span><a href="https://twitter.com/Unit42_Intel"><span style="font-weight: 400;">@Unit42_Intel</span></a><span style="font-weight: 400;">.</span></p> </div> <!--<span class="post__date">Updated 6 June, 2024 at 7:11 AM PDT</span>--> <button class="l-btn back-to-top" id="backToTop" data-page-track="true" data-page-track-value="ta551-shathak-icedid:back to top">Back to top</button> <div class="be__tags-wrapper"> <h3>Tags</h3><ul role="list"><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/icedid/" role="link" title="IcedID" data-page-track="true" data-page-track-value="ta551-shathak-icedid:tags:IcedID">IcedID</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/shathak/" role="link" title="Shathak" data-page-track="true" data-page-track-value="ta551-shathak-icedid:tags:Shathak">Shathak</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/ta551/" role="link" title="TA551" data-page-track="true" data-page-track-value="ta551-shathak-icedid:tags:TA551">TA551</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/ursnif/" role="link" title="Ursnif" data-page-track="true" data-page-track-value="ta551-shathak-icedid:tags:Ursnif">Ursnif</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/valak/" role="link" title="Valak" data-page-track="true" 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/02_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/02_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/02_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/02_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/02_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="ta551-shathak-icedid:related-resources:FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-11-19T11:00:15+00:00">November 19, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/" data-page-track="true" data-page-track-value="ta551-shathak-icedid:related-resources:FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications"> <h4 class="post-title">FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/bustleberm/" title="BUSTLEBERM" role="link" data-page-track="true" data-page-track-value="ta551-shathak-icedid:related-resources:FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors 
and Network Communications:BUSTLEBERM">BUSTLEBERM</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/frostygoop/" title="FrostyGoop" role="link" data-page-track="true" data-page-track-value="ta551-shathak-icedid:related-resources:FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications:FrostyGoop">FrostyGoop</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/go/" title="Go" role="link" data-page-track="true" data-page-track-value="ta551-shathak-icedid:related-resources:FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications:Go">Go</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/" title="FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications" role="link" data-page-track="true" data-page-track-value="ta551-shathak-icedid:related-resources:FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> </div> </div> <div class="l-container bs__controls"> <div class="bs__progress"><span></span></div> <div class="bs__navigation"> <ul> <li> <button id="prevButton"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> <li> <button id="nextButton"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> </ul> </div> </div> </div> <div class="be-enlarge-modal" id="enlargedModal"> <div class="be-enlarge-modal__wrapper"> <figure> <button class="close__modal" id="closeModal"> <img 
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/close-modal.svg" alt="Close button"></button> <img class="be__enlarged-image" id="enlargedImage" src="" alt="Enlarged Image"> <figcaption> </figcaption> </figure> </div> </div> </div> </section> </main> <!-- Start: Footer subscription form --> <div class="newsletter"> <div class="l-container"> <div class="newsletter__wrapper"> <div class="image__wrapper"> <picture> <source class="lozad" media="(max-width:400px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-mobile.webp"> <source class="lozad" media="(max-width:949px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-tab.webp"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/Revitalized_newsletter-Image-desktop-copy-1.webp" alt="Newsletter"> </picture> </div> <div class="content__wrapper"> <span class="pre-title"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/palo-alto-logo-small.svg" alt="UNIT 42 Small Logo"> Get updates from Unit 42 </span> <h2>Peace of mind comes from staying ahead of threats. 
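Contact us today.</h2>
<!-- Newsletter subscription form. The script below validates the address, gates
     submission on reCAPTCHA and posts the serialised form to the action URL via XHR.
     The hidden Marketo/landing-page identifiers are part of that server contract. -->
<form action="https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json" method="post" novalidate class="subscribe-form" name="Unit42_Subscribe" id="unit42footerSubscription_form">
  <!-- Populated by updateEmailMask() right before submit with a masked copy of the address. -->
  <input type="hidden" name="emailFormMask" value="">
  <input type="hidden" value="1086" name="formid">
  <input type="hidden" value="531-OCS-018" name="munchkinId">
  <input type="hidden" value="2141" name="lpId">
  <input type="hidden" value="1203" name="programId">
  <input type="hidden" value="1086" name="formVid">
  <input type="hidden" name="mkto_optinunit42" value="true">
  <input type="hidden" name="mkto_opt-in" value="true">
  <div class="form-group">
    <label for="newsletter-email" id="newsletter-email-label">Your Email</label>
    <!-- type must be "email" (it was misspelled and fell back to a plain text field);
         native validation is intentionally off (novalidate) because the script validates. -->
    <input type="email" autocomplete="email" placeholder="Your Email" name="Email" class="subscribe-field" id="newsletter-email" aria-labelledby="newsletter-email-label">
    <p class="error-mail mb-15 text-danger" style="color: #dc3545"></p>
    <p>Subscribe for email updates to all Unit 42 threat research.<br>By submitting this form, you agree to our <a title="Terms of Use" href="https://www.paloaltonetworks.com/legal-notices/terms-of-use" data-page-track="true" data-page-track-value="Get updates from Unit 42:Terms of Use">Terms of Use</a> and acknowledge our <a title="Privacy Statement" href="https://www.paloaltonetworks.com/legal-notices/privacy" data-page-track="true" data-page-track-value="Get updates from Unit 42:Privacy Statement">Privacy Statement.</a></p>
    <!-- reCAPTCHA widget; api.js is injected lazily by the script below on first interaction with the email field. -->
    <div class="g-recaptcha" data-expired-callback="captchaExpires" data-callback="captchaComplete" data-sitekey="6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o"></div>
    <p class="error-recaptcha d-none mt-15 text-danger" style="color: #dc3545">Invalid captcha!</p>
    <!-- Explicit submit type. The arrow icon must carry both classes in ONE attribute:
         a second class attribute on the same element is discarded by the HTML parser. -->
    <button type="submit" class="l-btn is-disabled" data-page-track="true" data-page-track-value="footer:Get updates from Unit 42:Subscribe" id="unit42footerSubscription_form_button">
      Subscribe
      <img class="lozad arrow" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="Right Arrow">
      <img class="loader" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-loader.svg" alt="loader">
    </button>
    <div class="form-success-message"></div>
  </div>
</form>
</div>
</div>
</div>
</div>
<script>
(function ($) {
  // Migrated from the unit42-v5 + Modifications.
  // Footer subscription form: client-side address check, lazily loaded reCAPTCHA,
  // and an XHR POST of the form to its action URL. Requires jQuery (passed in as $).
  var subscribeSuccess = false; // true while the reCAPTCHA response is valid (set/reset by the Google callbacks)
  var email = document.getElementById('newsletter-email');
  var subscription_form = document.getElementById('unit42footerSubscription_form');
  var subscription_form_button = document.getElementById('unit42footerSubscription_form_button');

  // Invoked by the reCAPTCHA widget (data-callback) once the challenge is solved.
  window.captchaComplete = function () {
    subscribeSuccess = true;
    // Re-enable the button only if the address already typed is valid.
    // This used to read an undefined `mail` variable and threw a ReferenceError.
    var typed = $(email).val();
    if (typed != '' && isEmail(typed)) {
      $(subscription_form_button).removeClass('is-disabled');
    }
    setTimeout(function () {
      $(email).focus();
      // Keep the solved captcha iframe out of the tab order.
      $('.g-recaptcha iframe').attr('tabindex', '-1');
    }, 100);
  };

  // Invoked by the reCAPTCHA widget (data-expired-callback) when its response expires.
  window.captchaExpires = function () {
    subscribeSuccess = false;
    $(subscription_form_button).addClass('is-disabled');
  };

  $(subscription_form).submit(function (e) {
    e.preventDefault();
    e.stopImmediatePropagation();
    updateEmailMask();

    var form = $(this);
    var mail = form.find('input[name="Email"]');
    var success = true;

    if (mail.val() === '') {
      mail.addClass('has-error');
      showError(1);
      success = false;
    } else if (!isEmail(mail.val())) {
      showError(2);
      success = false;
    } else {
      mail.removeClass('has-error');
      $('.error-mail').addClass('d-none');
    }

    // Submission requires a solved captcha as well as a valid address.
    $('.error-recaptcha').toggleClass('d-none', subscribeSuccess);

    if (success && subscribeSuccess) {
      $.ajax({
        type: 'POST',
        url: form.attr('action'),
        data: form.serialize(),
        beforeSend: function () {
          form.find('button').addClass('is-loading');
        },
        success: function () {
          // Static markup only; nothing from the response is written into the page.
          form.find('.form-success-message').html('<p class="success-message">You have been successfully subscribed</p>');
          form.find('button').removeClass('is-loading');
          $(email).val('');
          clearError();
        },
        error: function () {
          $(subscription_form_button).addClass('is-disabled');
          form.find('button').removeClass('is-loading');
        }
      });
    }
    return false;
  });

  // error_type 1: empty address; 2: malformed address. Both disable the submit button.
  function showError(error_type) {
    if (error_type == 1) {
      $('.error-mail').text("Please enter the email address.").addClass('error-show');
      $(subscription_form_button).addClass('is-disabled');
    } else if (error_type == 2) {
      $('.error-mail').text("Please provide a valid e-mail address.").addClass('error-show');
      $(subscription_form_button).addClass('is-disabled');
    }
    $(subscription_form_button).removeClass('is-loading');
  }

  // Clears the address error and re-enables the button; the captcha state is re-checked on submit.
  function clearError() {
    $('.error-mail').text("").removeClass('error-show');
    $(subscription_form_button).removeClass('is-loading is-disabled');
  }

  // Live feedback while typing; an empty field is not reported as an error.
  $(email).on('input', function () {
    var value = $(this).val();
    if (value == "" || isEmail(value)) {
      clearError();
    } else {
      showError(2);
    }
  });

  // Syntactic check only; the server remains the authority on what it accepts.
  function isEmail(address) {
    var re = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
    return re.test(String(address).toLowerCase());
  }

  // reCAPTCHA api.js is fetched only once the visitor starts interacting with the
  // email field, so the third-party script never runs for readers who ignore the form.
  var captcha_loaded = false;
  $(document).on('change paste keyup', '#newsletter-email', function () {
    if ($('.g-recaptcha').hasClass('d-none')) {
      $('.g-recaptcha').removeClass('d-none');
    }
    if (!captcha_loaded) {
      captcha_loaded = true;
      var head = document.getElementsByTagName('head')[0];
      var script = document.createElement('script');
      script.type = 'text/javascript';
      script.src = 'https://www.google.com/recaptcha/api.js?hl=en_US';
      head.appendChild(script);
    }
  });

  // Copies a masked form of the typed address into the hidden emailFormMask field.
  function updateEmailMask() {
    var value = $("#unit42footerSubscription_form input[name='Email']").val();
    if (value && value.trim() != '') {
      $("#unit42footerSubscription_form input[name='emailFormMask']").val(maskEmailAddress(value));
    }
  }

  // Masks the local part and the domain (minus its final label) of an address. Parts
  // longer than four characters keep their first and last character, shorter parts are
  // fully starred; dots are never replaced. E.g. "someone@example.com" -> "s*****e@e*****e.com".
  // Input that does not match "x@y.z" is returned unchanged.
  function maskEmailAddress(emailAddress) {
    function mask(str) {
      var strLen = str.length;
      if (strLen > 4) {
        // strLen - 2: the middle excludes both kept characters (the previous strLen - 1
        // included the last character, which was then appended a second time).
        return str.substr(0, 1) + str.substr(1, strLen - 2).replace(/\w/g, '*') + str.substr(-1, 1);
      }
      return str.replace(/\w/g, '*');
    }
    return emailAddress.replace(/([\w.]+)@([\w.]+)(\.[\w.]+)/g, function (m, p1, p2, p3) {
      return mask(p1) + '@' + mask(p2) + p3;
    });
  }
}(jQuery));
//# sourceMappingURL=main.js.map
</script>
<!-- End: Footer subscription form -->
<footer class="footer">
  <div class="footer-menu">
    <div class="l-container">
      <div class="footer-menu__wrapper">
        <div class="footer-menu-nav__wrapper">
          <h3 class="footer-menu-nav__title">Products and services</h3>
          <div class="nav-column__wrapper">
            <div class="nav-column">
              <nav>
                <ul class="footer-menu-nav__list">
                  <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security" role="link" title="Network Security Platform" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform">Network Security Platform</a> </li>
                  <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security/security-subscriptions" role="link" title="CLOUD DELIVERED SECURITY SERVICES" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES">CLOUD DELIVERED SECURITY SERVICES</a> </li>
                  <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/advanced-threat-prevention" target="_blank" rel="noopener" role="link" title="Advanced Threat Prevention" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention">Advanced Threat Prevention</a> </li>
                  <li class="footer-menu-nav__item "> <a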
href="https://www.paloaltonetworks.com/network-security/advanced-dns-security" role="link" title="DNS Security" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security">DNS Security</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/enterprise-data-loss-prevention" role="link" title="Data Loss Prevention" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention">Data Loss Prevention</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/enterprise-iot-security" role="link" title="IoT Security" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security">IoT Security</a> </li> </ul> </nav> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall" role="link" title="Next-Generation Firewalls" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls">Next-Generation Firewalls</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall-hardware" role="link" title="Hardware Firewalls" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation 
Firewalls:Hardware Firewalls">Hardware Firewalls</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/strata-cloud-manager" role="link" title="Strata Cloud Manager" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager">Strata Cloud Manager</a> </li> </ul> </nav> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/sase" role="link" title="SECURE ACCESS SERVICE EDGE" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE">SECURE ACCESS SERVICE EDGE</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/access" role="link" title="Prisma Access" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access">Prisma Access</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/sd-wan" role="link" title="Prisma SD-WAN" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN">Prisma SD-WAN</a> 
</li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/adem" role="link" title="Autonomous Digital Experience Management" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN:Autonomous Digital Experience Management">Autonomous Digital Experience Management</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/next-gen-casb" role="link" title="Cloud Access Security Broker" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN:Autonomous Digital Experience Management:Cloud Access Security Broker">Cloud Access Security Broker</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/ztna" role="link" title="Zero Trust Network Access" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN:Autonomous Digital Experience Management:Cloud Access Security Broker:Zero Trust Network Access">Zero Trust Network Access</a> </li> </ul> </nav> </div> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/cortex/cloud" role="link" title="Cloud Security" 
data-page-track="true" data-page-track-value="footer:Products and services:Cloud Security">Cloud Security</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cloud" role="link" title="Cortex Cloud" data-page-track="true" data-page-track-value="footer:Products and services:Cloud Security:Cortex Cloud">Cortex Cloud</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/prisma/cloud" role="link" title="Prisma Cloud" data-page-track="true" data-page-track-value="footer:Products and services:Cloud Security:Cortex Cloud:Prisma Cloud">Prisma Cloud</a> </li> </ul> </nav> </div> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/cortex" target=_blank role="link" title="AI-Driven Security Operations Platform" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform">AI-Driven Security Operations Platform</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xdr" role="link" title="Cortex XDR" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR">Cortex XDR</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xsoar" role="link" title="Cortex XSOAR" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR">Cortex XSOAR</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xpanse" role="link" title="Cortex Xpanse" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse">Cortex Xpanse</a> </li> <li class="footer-menu-nav__item "> <a 
href="https://www.paloaltonetworks.com/cortex/cortex-xsiam" role="link" title="Cortex XSIAM" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM">Cortex XSIAM</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management" role="link" title="External Attack Surface Protection" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM:External Attack Surface Protection">External Attack Surface Protection</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/security-operations-automation" role="link" title="Security Automation" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM:External Attack Surface Protection:Security Automation">Security Automation</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/cortex/detection-and-response" role="link" title="Threat Prevention, Detection &amp; Response" data-page-track="true" data-page-track-value="footer:Products and services:AI-Driven Security Operations Platform:Cortex XDR:Cortex XSOAR:Cortex Xpanse:Cortex XSIAM:External Attack Surface Protection:Security Automation:Threat Prevention, Detection &amp; Response">Threat Prevention, Detection &amp; Response</a> </li> </ul> </nav> </div> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/unit42" role="link" title="Threat Intel and Incident Response Services" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services">Threat Intel and Incident 
Response Services</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/assess" role="link" title="Proactive Assessments" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services:Proactive Assessments">Proactive Assessments</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/respond" role="link" title="Incident Response" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services:Proactive Assessments:Incident Response">Incident Response</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/transform" role="link" title="Transform Your Security Strategy" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services:Proactive Assessments:Incident Response:Transform Your Security Strategy">Transform Your Security Strategy</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/unit42/threat-intelligence-partners" role="link" title="Discover Threat Intelligence" data-page-track="true" data-page-track-value="footer:Products and services:Threat Intel and Incident Response Services:Proactive Assessments:Incident Response:Transform Your Security Strategy:Discover Threat Intelligence">Discover Threat Intelligence</a> </li> </ul> </nav> </div> </div> </div> <div class="footer-menu-nav__wrapper"> <h3 class="footer-menu-nav__title">Company</h3> <div class="nav-column__wrapper"> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/about-us" role="link" title="About Us" data-page-track="true" data-page-track-value="footer:Company:About Us">About Us</a> </li> <li class="footer-menu-nav__item "> <a href="https://jobs.paloaltonetworks.com/en/" role="link" 
</video>
<!-- Video modal (continued): post-details card, seek bar, play/pause, volume and minimize controls.
     Review notes: the rendered page reuses id="playPauseBtn" for the modal's minimized play control as well,
     so the id is not document-unique; the "Read the article" anchor ships with href="#" and role="link",
     presumably rewritten to the post URL by script (confirm); the <button> elements carry no type attribute,
     which is harmless here only because no enclosing form is present. -->
<div class="modal__post-details" tabindex="-1"> <h3>Default Heading</h3> <a class="l-btn" href="#" title="Right Arrow Icon" role="link" data-page-track="true" data-page-track-value="overview:explore reports:View all reports">Read the article <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="Right Arrow"> </a> </div> <div class="modal__video-controls"> <div class="modal__video-seekbar input__wrapper"><span></span> <label class="is-hidden" for="modalSeekBar">Seekbar</label> <input class="custom-range" id="modalSeekBar" type="range" min="0" max="100" value="1"> <p class="modal__remaining-time"></p> </div> <button class="modal__play-btn is-paused" id="playPauseBtn"> <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play"> <img class="pause" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-pause-icon1.svg" alt="Pause"> </button> <div class="modal__volume-controls"> <div class="modal__volume__wrapper"> <button tabindex="0"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-volume.svg" alt="Volume"> </button> <div class="modal__volume-seekbar"><span></span> <label class="is-hidden" for="volumeBar">Volume</label> <input class="volume__bar" id="volumeBar" type="range" min="0" max="1" step="0.1" value="0.7"> </div> </div> <button class="modal__minimize-btn" id="minimizeBtn"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize"> </button> </div> </div> </div> </div><!-- End: video modal -->
<!-- Like/dislike counter (vote widget). alter_ul_post_values(obj, post_id, ul_type) POSTs the vote to the
     first-party ajax_counter.php endpoint together with the nonce read from #_wpnonce (presumably a WordPress
     nonce field), then writes the response into the <span> inside obj.
     Review notes: the POST body is built by string concatenation, so post_id and ul_type are not URL-encoded;
     that is only safe if every caller passes plain identifiers (callers are not in this file, confirm).
     The response is inserted with .html(msg), i.e. parsed as HTML, so the endpoint must return trusted text
     such as a bare count (confirm). isProcessing is cleared only in the success callback; there is no error or
     complete handler, so a failed request leaves the widget locked until the page is reloaded. -->
<script type="text/javascript"> /* re-entrancy guard: at most one vote request in flight */ var isProcessing = false; function alter_ul_post_values(obj,post_id,ul_type){ if (isProcessing) return; isProcessing = true; var like_nonce = jQuery('#_wpnonce').val(); /* placeholder text while the request runs */ jQuery(obj).find("span").html(".."); jQuery.ajax({ type: "POST", url: 
"https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php", data: "post_id="+post_id+"&up_type="+ul_type+"&ul_nonce="+like_nonce, success: function(msg){ /* server response rendered as HTML; endpoint must return trusted text */ jQuery(obj).find("span").html(msg); /* NOTE(review): only reset here; a failed request never clears the guard */ isProcessing = false; jQuery(obj).find('svg').children('path').attr('stroke','#0050FF'); jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner'); } }); } </script> <link rel='stylesheet' id='wpdevart_lightbox_front_end_css-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/wpdevart_lightbox_front.css?ver=6.7.1' media='all' /> <script src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/js/script.js?ver=1.0.0" id="unit42-v6-navigation-js"></script> <!-- Start: Scripts Migrated From Unit42-v5 -->
<!-- Review notes on the migrated script below. Rendering caveat: this copy of the page is collapsed onto a few
     physical lines, so each "//" comment in it runs to the end of its physical line; the original source
     evidently had line breaks after them, and the code is read here as if those breaks were present.
     noSell(event): when OneTrust is present it opens the cookie-preference dialog; otherwise it calls
     window.open(href, '_blank') with the clicked anchor's href. window.open without the 'noopener' feature
     gives the opened page a window.opener reference to this document; window.open(href, '_blank', 'noopener')
     is the safer form.
     loadScript(url, defer) and loadScript1(url, callback) inject <script> elements whose src is built from
     maindomain_lang (defined elsewhere in the page). The injected tags carry no integrity attribute, which is
     acceptable only while those URLs stay first-party (confirm).
     referer is compared but never declared in this script; it is presumably set earlier in the page, otherwise
     the comparisons throw a ReferenceError before any navigation script is loaded.
     Granite.I18n is a minimal stub: setLocale is a no-op and get() only knows the two Coveo keys listed.
     The document-ready handler adds target="_blank" to the article-banner option links 4 s after DOM ready
     without a rel attribute (browsers now imply noopener for anchors, but being explicit is preferable) and
     routes clicks on .do-not-sell-link anchors to noSell. -->
<script type="text/javascript"> const observer_lozad = lozad('.lozad, .lozad-background'); // lazy loads elements with default selector as '.lozad' observer_lozad.observe(); function noSell(event) { event.preventDefault(); if (( typeof OneTrust != 'undefined') && (!!OneTrust)) { OneTrust.ToggleInfoDisplay(); }else{ var href = event.target.getAttribute('href'); window.open(href, '_blank'); } } window.PAN_Clean_Util = { isIE: false }; (function () { // INP Util Fix function yieldToMain(ms) { return new Promise(resolve => setTimeout(resolve, ms)); } window.PAN_Clean_Util.yieldToMain = yieldToMain })(); if(referer == "CloudCortex" || referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw"){ var Coveo_organizationId = "paloaltonetworksintranet"; var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25"; var languageFromPath="en_US"; window.Granite = window.Granite || {}; Granite.I18n = (function() { var self = {}; self.setLocale = 
function(locale) { }; self.get = function(text, snippets, note) { var out = ""; if(text){ if(text ==="coveo.clear"){ out = "Clear"; }else if(text ==="coveo.noresultsfound"){ out = "No results found for this search term."; } } return out; }; return self }()); } /* navigation bundle URLs, all relative to the main-site base defined elsewhere in the page */ var main_site_critical_top = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js'; var main_site_defered = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js'; var main_site_criticalTopBase = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopBase.min.js'; var main_site_criticalTopProductNav = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.js'; window.PAN_MainNavAsyncUrl = maindomain_lang+"/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html"; /* injects a script tag into <head>; no integrity attribute, so only first-party URLs belong here */ function loadScript(url, defer){ var script1 = document.createElement('script'); script1.setAttribute('type', 'text/javascript'); script1.setAttribute('src',url); if(defer == true){ script1.setAttribute('defer','defer'); } document.head.appendChild(script1); } /* same as loadScript but invokes callback once the script has loaded (legacy readyState path kept for old IE) */ function loadScript1(url, callback){ var script = document.createElement("script") script.type = "text/javascript"; if (script.readyState){ //IE script.onreadystatechange = function(){ if (script.readyState == "loaded" || script.readyState == "complete"){ script.onreadystatechange = null; callback(); } }; } else { //Others script.onload = function(){ callback(); }; } script.src = url; document.getElementsByTagName("head")[0].appendChild(script); } if(referer == "CloudCortex" || referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw"){ if(referer == "Unit"){ setTimeout(function(){ loadScript(main_site_criticalTopBase, false); loadScript1(main_site_criticalTopProductNav, function(){ window.PAN_initializeProduct2021Nav(); }); 
loadScript(main_site_defered, false); }, 3000); } else{ setTimeout(function(){ loadScript1(main_site_critical_top, function(){ window.PAN_initializeProduct2021Nav(); }); loadScript(main_site_defered, false); }, 3000); } } $(document).ready(function () { setTimeout(function(){ /* NOTE(review): target="_blank" is added without an explicit rel="noopener" */ $('.article-banner .ab__options ul li a').each(function(){ $(this).attr('target', "_blank"); }); }, 4000); /* cookie-preference link: handled by noSell instead of plain navigation */ $( ".do-not-sell-link a" ).on( "click", function( event ) { noSell(event); }); }); </script> <!-- End: Scripts Migrated From Unit42-v5 --> </body> </html>
