New samples of Word documents from TA551 (Shathak) have been detected pushing malware. This actor was active until December pushing IcedID malware before going on break for the holidays. Now that it has returned, TA551 has been pushing Qakbot (Qbot) malware instead of IcedID. Qakbot has been distributed in the wild since June 2020, followed by more campaigns in August, September and October. By mid-December 2020, Qakbot's malspam campaigns were still running persistently. The current campaign's operational flow is similar to the earlier ones.
Once the malicious file is downloaded and macros have been enabled, Qakbot is installed on the compromised system and begins its post-infection activity.
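The chain above hinges on a Word document that carries a VBA macro project, so a cheap first-line triage step for mail and endpoint pipelines is to flag Office attachments that contain one before a user ever sees the "Enable Content" prompt. The example below is added here for illustration and is not code from the original article or any TA551/Qakbot sample; the documents it inspects are constructed in memory (an OOXML zip with and without a `word/vbaProject.bin` member), and the legacy OLE (`.doc`) case is only recognised by its magic bytes, since locating a VBA storage inside OLE needs a real parser such as olefile/oletools.

```python
import io
import zipfile

# Signature of the legacy binary (OLE2 / Compound File) format used by .doc
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Zip members that hold a VBA project in Word, Excel and PowerPoint OOXML files
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA project.
    This is a stand-in for a downloaded attachment, not a real malicious document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE container; a header is enough here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def classify(data: bytes) -> dict:
    """Return a triage record for one attachment's bytes.

    format:          'ooxml', 'ole' or 'unknown'
    has_vba_project: True when an OOXML package embeds a VBA project
    needs_deep_scan: True for legacy OLE, which this check cannot inspect
    """
    result = {"format": "unknown", "has_vba_project": False, "needs_deep_scan": False}

    if data.startswith(OLE_MAGIC):
        # Legacy .doc: macros live inside the OLE storage tree, so defer to a
        # proper OLE parser (e.g. oletools' olevba) rather than guessing.
        result["format"] = "ole"
        result["needs_deep_scan"] = True
        return result

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return result  # neither OLE nor a zip container: leave as unknown

    result["format"] = "ooxml"
    result["has_vba_project"] = any(member in names for member in MACRO_MEMBERS)
    return result


def verdict(data: bytes) -> str:
    """Map a triage record onto a simple action for the mail/endpoint pipeline."""
    info = classify(data)
    if info["has_vba_project"]:
        return "quarantine"      # macro-bearing Office document: hold for analysis
    if info["needs_deep_scan"]:
        return "deep-scan"       # legacy OLE: hand to olevba or a sandbox
    return "allow"


if __name__ == "__main__":
    for label, sample in (("macro docm", build_ooxml(True)),
                          ("plain docx", build_ooxml(False)),
                          ("legacy doc", OLE_MAGIC + b"\x00" * 8)):
        print(f"{label:11s} -> {verdict(sample)}")
```

In a mail gateway this check belongs before delivery, so that a document with a VBA project is held regardless of whether the user would later click "Enable Content"; the legacy OLE branch deliberately returns a separate verdict instead of "allow", because a header check alone cannot prove a `.doc` is macro-free.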
The Qakbot-infected hosts then start sending spam that distributes more Qakbot, and those samples carry a different affiliate/campaign ID. Because of this, and because of its history of pushing different malware families, TA551 (Shathak) is believed to act as a distributor for other criminals in the cyber threat landscape: the other criminals (such as those behind Qakbot) operate the malware, while TA551 is specifically a distribution network.