TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email belonging to a campaign that was spreading the banking trojan (Banker) Ursnif on August 23, 2018.
Cyber-criminals have developed "social engineering" techniques for fraudulent mass mailings, designed to induce the victim to open an infected attachment or click on a link in the body of the message.
If you have received a suspicious email, send it to C.R.A.M. (Center for Anti-Malware Research); see: How to send suspicious emails
Subject: Relazione di notifica atto No.4521856636 Del 14/06/18
The second part of the message shows the fake judgment with its reference code and invites the recipient to download it by clicking on the blue highlighted link "sentenza" (judgment).
Clicking on the link leads to a compromised web page, http[:]//www[.]lindequipment[.]com/fbfx?pqi=320897, from which a .ZIP file named "Nuovo documento1.zip" is downloaded.
The Zip archive you just downloaded contains two files:
Once started, the file "ePlXhIq.exe" creates the following registry key:
which contains the following subkeys (see image below):
These subkeys contain the malware code, which is loaded by a RUN key each time the PC is started:
[bdeutstr] = cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\397FA2FA-441F-D3A1-167D-B8B7AA016CDB').apilthlp))
Then the file "ePlXhIq.exe" is deleted.
The RUN key launches "powershell", which reads the apilthlp entry, decodes it and executes the resulting script with Invoke-Expression. That script loads the malware and injects it into another process through QueueUserAPC.
This type of malware can steal passwords and sensitive personal information such as e-mail account, home banking and social network credentials.
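The persistence pattern described above (a Run entry that launches PowerShell, fetches its script body from a registry value and runs it through Invoke-Expression) is something a defender can look for in an exported Run key. The following script is an added example written for this page, not TG Soft's code: it scans a small set of Run-key entries constructed here (the "bdeutstr" entry reproduces the command shown above; "OneDrive" and "Backup" are benign look-alikes invented for contrast) and flags only entries that combine PowerShell with run-time evaluation of text fetched from the registry or decoded from bytes, extracting the registry location the loader reads from.

```python
import re

# Constructed sample Run-key entries (name -> command), in the form an exported
# HKCU\...\CurrentVersion\Run key would list them. "bdeutstr" mirrors the
# loader command discussed above; the other two are benign look-alikes.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "bdeutstr": (
        "cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString("
        "(get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\"
        "397FA2FA-441F-D3A1-167D-B8B7AA016CDB').apilthlp))"
    ),
    "Backup": r'powershell.exe -File "C:\Scripts\backup.ps1"',
}

# Indicators of the registry-resident loader pattern:
#  - PowerShell is launched (directly or via cmd.exe /C)
#  - the command evaluates generated text (Invoke-Expression / iex)
#  - the text is read from a registry value (Get-ItemProperty on HKCU:/HKLM:)
#  - a byte array is decoded at run time (ASCII.GetString / FromBase64String)
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
IEX_RE = re.compile(r"\b(invoke-expression|iex)\b", re.IGNORECASE)
REG_READ_RE = re.compile(
    r"get-itemproperty\s+['\"]?(HK(?:CU|LM):\\[^'\"\)]+)['\"]?\)\.(\w+)",
    re.IGNORECASE,
)


def analyse_run_entry(name, command):
    """Return a finding dict for one Run-key entry, or None if it looks benign."""
    if not POWERSHELL_RE.search(command):
        return None
    reasons = []
    if IEX_RE.search(command):
        reasons.append("invoke-expression on generated text")
    reg_path = reg_value = None
    reg = REG_READ_RE.search(command)
    if reg:
        reg_path, reg_value = reg.group(1), reg.group(2)
        reasons.append("script body read from a registry value")
    if "ASCII.GetString" in command or "FromBase64String" in command:
        reasons.append("byte array decoded at run time")
    # A single indicator is weak (administrators also start PowerShell from
    # Run), so require at least two of them before reporting.
    if len(reasons) < 2:
        return None
    return {
        "name": name,
        "reasons": reasons,
        "registry_path": reg_path,
        "registry_value": reg_value,
    }


def scan_run_entries(entries):
    """Apply analyse_run_entry to every entry and collect the findings."""
    findings = []
    for name, command in entries.items():
        finding = analyse_run_entry(name, command)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] Run entry '{f['name']}': {', '.join(f['reasons'])}")
        if f["registry_path"]:
            print(f"    payload location: {f['registry_path']} -> value '{f['registry_value']}'")
```

On a real system the same logic can be fed with the output of a registry export of the Run keys under HKCU and HKLM; the extracted registry path is the first place to collect the encoded script for analysis before the key is removed.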
The same type of e-mail in the past distributed the GootKit malware whose analysis by TGSoft's CRAM is available at these addresses:
Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Automatic execution of macros is strongly discouraged, because simply opening a Word or Excel file would then run its macros immediately, without any prior alert.
If you have been infected by a Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the passwords you use most often on the Web. If the workstation involved is used for home-banking transactions, a check with your bank is also recommended.
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- alongside the antivirus in use, to increase the security of your computers, PC and SERVER alike.
Vir.IT eXplorer Lite has the following special features:
For Vir.IT eXplorer PRO owners, it is also possible to contact TG Soft's technical phone support free of charge. The details can be found on the support page CLIENTS.