Russian-language hacking group Shathak has been actively targeting healthcare, manufacturing, finance and energy sectors in the US, Europe and Japan.
Analysis by Outpost24 also found the group heavily engaged in phishing and malware campaigns built around an attached password-protected zip file. The archive contains a Microsoft Word document carrying a macro that installs malware.
A Mimecast threat analysis of the group published in 2020 found that the lure document is generated automatically with Microsoft Office. When a user opens it, they see a single page containing an image whose only purpose is to prompt the user to enable macros.
If the document is opened with macros enabled, the embedded VBA code extracts and loads one of the malware families used by Shathak.
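The attachment chain described above (zip, password-protected entries, Word document with a VBA project) is something a mail gateway can triage without detonating anything. The following is an added example, not code from the original article, Outpost24 or Mimecast: a stand-alone Python routine that inspects an attachment for those three traits and scores it. The function names (`triage_attachment`, `ooxml_macro_info`, `build_docm`, `build_zip`), the scoring weights and the sample archives are all my own constructions; the samples are built inline and contain no real malware.

```python
"""Added example: triage of a zip-wrapped, macro-enabled Word lure.

Constructed, stand-alone code (not the article's or any vendor's tool). It
keys on three observable traits: a zip attachment, password-protected
entries inside it, and a Word document carrying a VBA project."""
import io
import zipfile

OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm")
# OOXML (.docm/.xlsm) stores VBA in one binary part; its presence means macros.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")
# Procedure names Office runs as soon as the user clicks "Enable Content".
AUTO_EXEC = (b"AutoOpen", b"Document_Open", b"Workbook_Open", b"Auto_Open")


def ooxml_macro_info(doc):
    """Return (has_vba, auto_exec_names) for an OOXML document.

    Non-zip input (e.g. a legacy OLE .doc) yields (False, []). The name check
    is a raw substring search over vbaProject.bin; real VBA source is stored
    MS-OVBA-compressed, so this can miss names that a full parser (olevba)
    would recover. Treat it as a cheap first pass, not a verdict."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc))
    except zipfile.BadZipFile:
        return False, []
    parts = [n for n in zf.namelist() if n in VBA_PARTS]
    if not parts:
        return False, []
    blob = zf.read(parts[0])
    return True, sorted(m.decode() for m in AUTO_EXEC if m in blob)


def triage_attachment(filename, data):
    """Score one attachment; the higher the score, the closer to the lure pattern."""
    r = {"password_protected_zip": False, "office_inside_zip": [],
         "has_vba": False, "auto_exec": [], "score": 0}
    name = filename.lower()
    if name.endswith(".zip"):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return r
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)   # bit 0 of the zip flags = encrypted
            r["password_protected_zip"] |= encrypted
            if info.filename.lower().endswith(OFFICE_EXTS):
                r["office_inside_zip"].append(info.filename)
                if not encrypted:   # without the password the content cannot be read
                    has_vba, hits = ooxml_macro_info(zf.read(info))
                    r["has_vba"] |= has_vba
                    r["auto_exec"] += hits
    elif name.endswith(OFFICE_EXTS):
        r["has_vba"], r["auto_exec"] = ooxml_macro_info(data)
    # Arbitrary weights (assumption): encrypted zip 2, office doc inside 1,
    # VBA project 2, auto-exec procedure 2.
    r["score"] = (2 * r["password_protected_zip"] + bool(r["office_inside_zip"])
                  + 2 * r["has_vba"] + 2 * bool(r["auto_exec"]))
    return r


# --- constructed samples (no real malware) -----------------------------------

def build_docm(vba_blob):
    """Minimal macro-enabled Word package: content types, a body, and a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" ContentType='
                    '"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


def mark_entries_encrypted(raw):
    """The stdlib cannot write ZipCrypto archives, so for the sample we set bit 0 of
    the general-purpose flag in every local (offset 6) and central (offset 8)
    header. zipfile then reports the entries as encrypted, which is all the
    triage reads; it never tries to decrypt them."""
    out = bytearray(raw)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + off] |= 0x01
            i = out.find(sig, i + 4)
    return bytes(out)


def build_zip(entries, password_protected=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = buf.getvalue()
    return mark_entries_encrypted(raw) if password_protected else raw


LURE_ENCRYPTED = build_zip({"invoice.doc": b"placeholder"}, password_protected=True)
LURE_DOCM = build_zip({"report.docm": build_docm(b"\x01\x16\x03\x00Sub AutoOpen()\r\nEnd Sub")})
BENIGN = build_zip({"notes.txt": b"nothing to see here"})

if __name__ == "__main__":
    for fname, blob in (("request.zip", LURE_ENCRYPTED),
                        ("report.zip", LURE_DOCM), ("notes.zip", BENIGN)):
        print(fname, triage_attachment(fname, blob))
```

The encrypted case is deliberately scored from the outside only: the gateway cannot open the archive, so the combination of an encrypted zip and an Office-looking entry name is itself the signal. The macro check on readable documents is a raw substring search and will miss compressed procedure names; for anything that scores in the middle, hand it to a proper VBA parser rather than trusting an empty `auto_exec` list.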
The hacking gang operates in English, Italian, German and Japanese and works with malware strains Ursnif and Valak in its attacks. Ursnif is one of the most widely spread banking Trojans and Valak is a loader and information stealer designed to target individuals and enterprises.
The group goes by several other aliases including TA551, GOLD CABIN, Monster Libra, ATK236, and G0127. After the dismantling of Emotet at the start of 2021, the activities of another group, UNC2420, started to overlap with those of Shathak, the Outpost24 research says.
Shathak leveraging mailbox data
Shathak has been seen leveraging mailbox data taken from previously infected Windows machines to carry out further spam campaigns. Rather than sending a cold email, it replies into a stolen email thread, sending the chain to all of the original senders and recipients with an additional comment appended to the most recent message, so the malicious attachment arrives in a conversation the target already recognises.
Until April 2020, the group used the Ursnif malware, then switched to Valak, which it used as a loader to install IcedID. IcedID in turn enabled further malicious activity, mostly focused on financial gain through theft of money.
IcedID has been seen installing ransomware including Maze and Egregor, and Shathak is thought to be partnering with a number of ransomware gangs, acting as an initial access broker for them.
By June last year, it had stopped using IcedID in favour of another malware, TrickBot, then a month later switched to BazarLoader. The range of tools deployed suggests a link between Shathak and the TrickBot Group. “As a further step in the attack cycle, Shathak uses BazarLoader to install follow-up malware such as Cobalt Strike and Conti ransomware,” Outpost24 researchers found.
Shathak is one of a number of cybercrime groups working out of Russia, including Killnet, which just last month took credit for an attack on Lockheed Martin and claimed to have taken employee data from the US defence contractor.
The group has also claimed responsibility for a string of DDoS attacks against Baltic states and other Ukraine allies. Starting at the end of July, Lithuania’s National Cyber Security Centre (NKSC) warned of ongoing and intense DDoS attacks against the country’s National Data Transfer Network, as well as other governmental institutions and Lithuanian organisations.