September 22, 2022

Russian-speaking hacking group Shathak targeting healthcare and manufacturing

Businesses around the world are in the crosshairs of a gang that uses a wide variety of malware.

By Ryan Morrison

Russian-language hacking group Shathak has been actively targeting healthcare, manufacturing, finance and energy sectors in the US, Europe and Japan.

Russian hacking group Shathak has been active since 2019 targeting finance and energy sectors around the world. (Photo by Andrew Angelov/Shutterstock)

Analysis by Outpost24 also found the group has been heavily engaged in phishing and malware campaigns whose emails carry a password-protected zip attachment. The archive contains a Microsoft Word document with a macro that installs malware; because the archive is encrypted, its contents cannot be inspected by an email gateway that does not know the password.

A Mimecast threat analysis of the group published in 2020 found that the documents are generated automatically with Microsoft Office. When a user opens one, they see a single page containing only an image, and that image is what prompts them to enable macros.

If the user enables macros, the embedded code extracts and loads one of the malware families used by Shathak.
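As an added example (not from the Outpost24 or Mimecast reports, and not the group's own tooling), the following Python script checks an .eml message for the lure shape described above: a zip attachment whose entries carry the "encrypted" flag and are named like Office documents. Since a password-protected archive cannot be opened by a gateway, the check works only on zip metadata (entry names and header flags). The sample message, the `request.zip`/`request.doc` names and the `suspicious_attachments` helper are constructed for illustration; `_mark_encrypted` only flips the header flag, because Python's zipfile module cannot write encrypted archives.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the lure documents typically use (assumed list for illustration).
OFFICE_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")


def scan_zip_attachment(blob: bytes) -> dict:
    """Inspect a zip without extracting anything. Reports entry names, which
    entries are encrypted (general-purpose flag bit 0) and which look like
    Office documents. Works even when the password is unknown."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    office = [n for n in names if n.lower().endswith(OFFICE_EXTENSIONS)]
    return {"entries": names, "encrypted": encrypted, "office": office}


def suspicious_attachments(raw_eml: bytes) -> list:
    """Walk every attachment of a raw RFC 5322 message and flag zip files
    whose entries are password-protected and include an Office document."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        # Only look at zips (local file header signature "PK\x03\x04").
        if not payload or not payload.startswith(b"PK\x03\x04"):
            continue
        try:
            info = scan_zip_attachment(payload)
        except zipfile.BadZipFile:
            continue
        if info["encrypted"] and info["office"]:
            findings.append({"attachment": part.get_filename(), **info})
    return findings


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' bit in the local header (flag at offset 6) and the
    central directory header (flag at offset 8) of a single-entry zip so the
    constructed sample looks password-protected. Data is left unencrypted."""
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        idx = data.find(sig)
        data[idx + off] |= 0x01
    return bytes(data)


def build_sample_eml(password_protected: bool = True) -> bytes:
    """Constructed sample message in the shape the article describes:
    a hijacked-looking reply carrying a zip that holds one Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("request.doc", b"\xd0\xcf\x11\xe0 placeholder document body")
    archive = buf.getvalue()
    if password_protected:
        archive = _mark_encrypted(archive)
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "RE: RE: contract"
    msg.set_content("See attached, the password is 1234.")
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="request.zip")
    return bytes(msg)


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample_eml()):
        print("suspicious attachment:", hit)
```

In a real mail pipeline the same check can run on quarantined or journaled messages; a hit on an encrypted archive containing a `.doc`/`.docm` entry, especially in a reply to an existing thread, is worth holding for review rather than delivering.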

The hacking gang operates in English, Italian, German and Japanese and works with malware strains Ursnif and Valak in its attacks. Ursnif is one of the most widely spread banking Trojans and Valak is a loader and information stealer designed to target individuals and enterprises.

The group goes by several other aliases, including TA551, GOLD CABIN, Monster Libra, ATK236 and G0127. After the dismantling of the Emotet botnet at the start of 2021, the activities of another group, UNC2420, started to overlap with Shathak's, the Outpost24 research says.

Shathak leveraging mailbox data

Shathak has been seen using mailbox data stolen from previously infected Windows machines to seed further spam campaigns. It replies to an existing email thread, sending it to all of the thread's original senders and recipients with a short new comment added to the most recent message, so the lure arrives inside a conversation the target already recognises.


Until April 2020 the group used the Ursnif malware, then switched to Valak, which it used as a loader to install the IcedID malware for further malicious activity, mostly focused on stealing money.

IcedID has been seen installing ransomware tools including Maze and Egregor, and it is thought that Shathak partners with a number of ransomware gangs, acting as an initial access facilitator.

By June last year, it had stopped using IcedID in favour of another malware, TrickBot, then a month later switched to BazarLoader. The range of tools deployed suggests a link between Shathak and the TrickBot Group. “As a further step in the attack cycle, Shathak uses BazarLoader to install follow-up malware such as Cobalt Strike and Conti ransomware,” Outpost24 researchers found.

Shathak is one of a number of cybercrime groups working out of Russia including Killnet, which just last month took credit for an attack on Lockheed Martin, taking employee data from the US defence contractor.

The group has also claimed responsibility for a string of DDoS attacks against Baltic states and other Ukraine allies. Starting at the end of July, Lithuania’s National Cyber Security Centre (NKSC) warned of ongoing and intense DDoS attacks against the country’s National Data Transfer Network, as well as other governmental institutions and Lithuanian organisations.

