"Stolen Images Evidence" campaign pushes Sliver-based malware
released on 2021-10-21 @ 08:59:01 AM
On Wednesday 2021-10-20, Proofpoint reported that the TA551 (Shathak) campaign had started pushing malware based on Sliver. Sliver is a framework used by red teams for adversary simulation and penetration testing. Infosec Handlers have already posted their findings on TA551's Sliver activity from 2021-10-20.
That same day, Sliver-based malware was also being pushed by the "Stolen Images Evidence" campaign. Today's diary reviews a Sliver infection from the "Stolen Images Evidence" campaign.
The "Stolen Images Evidence" campaign uses emails generated through contact forms on various websites, so these messages do not arrive through normal spam delivery methods. Instead, they reach the intended victim as contact form submissions that describe a supposed copyright violation. These form-submitted messages include a Google-based URL in the message text. This malicious link supposedly provides proof of the stolen images behind the claimed copyright violation.