More judgments - "Lawyer's judgment" malware campaign continues, spreading Ursnif banking trojan
The email was detected on September 06, 2018
Example of examined email:
Subject: Relata di notifica decreto N.8593..... Del 15/08/2018
How it spreads
The malware spreads via e-mail, with a message about the notification of a judicial document and the subject "Relata di notifica decreto N...... Del dd/mm/yyyy", which invites the recipient to click on the link "Atti". Clicking the link redirects to the site http[:]//www[.]kri8ivmedia[.]com/fmzomb?alq=133829, from where the file Nuovo documento1.zip is downloaded, as explained in the previous news. This archive contains the file Nuovo documento1.vbs, which performs the malware download.
- File Name: Nuovo documento1.vbs
- Size: 37,083 bytes
- MD5: 05939A3969081277AE255989308662AB
The file Nuovo documento1.vbs connects to http[:]//reviewsvid[.]com/pagiget55[.]php, from where it downloads the executable "hDlqQdIkx.exe", which is then run.
- File Name: hDlqQdIkx.exe
- Size: 192,270 bytes
- MD5: 08BEE89D1C886B881CBA00931432763F
As explained in the 08/23/2018 news, the hDlqQdIkx.exe executable creates the following registry key:
which contains several subkeys, already listed in the previous news. These subkeys hold malicious code, including the apilthlp subkey, which is invoked every time the PC boots up via the following RUN key:
[bdeutstr] = cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\397FA2FA-441F-D3A1-167D-B8B7AA016CDB').apilthlp))
The RUN key, via "powershell", decodes the apilthlp subkey, which contains a script. This script loads the malware and performs the injection through QueueUserAPC.
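As an added example (not part of the original TG Soft analysis), the following Python snippet scores a constructed set of HKCU Run-key entries against the traits of the loader command shown above: a powershell launch, invoke-expression, a byte-to-string decode, a registry read, and the AppDataLow GUID path. The sample entries, the indicator names and the match threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample of HKCU ...\Run entries as {value name: command}.
# "bdeutstr" reproduces the persistence command described in the analysis;
# the other two are benign-looking entries added for contrast.
SAMPLE_RUN_ENTRIES = {
    "bdeutstr": (
        "cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII"
        ".GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\"
        "Microsoft\\397FA2FA-441F-D3A1-167D-B8B7AA016CDB').apilthlp))"
    ),
    "OneDrive": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": "powershell -File C:\\Tools\\update.ps1",
}

# Each indicator is one trait of the registry-resident loader. A single hit
# (e.g. any powershell launch) is weak evidence; several together are strong.
INDICATORS = [
    ("launches_powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("invoke_expression", re.compile(r"\binvoke-expression\b|\biex\b", re.I)),
    ("decodes_bytes", re.compile(r"\[System\.Text\.Encoding\]::\w+\.GetString", re.I)),
    ("reads_registry_value", re.compile(r"\bget-itemproperty\b|\bgp\b", re.I)),
    ("appdatalow_guid_path", re.compile(
        r"HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\[0-9A-F-]{36}", re.I)),
]


def score_entry(command):
    """Return the names of all indicators matched by one Run-key command."""
    return [name for name, rx in INDICATORS if rx.search(command)]


def find_registry_loaders(entries, threshold=3):
    """Return {value_name: matched_indicators} for entries at or above threshold."""
    findings = {}
    for name, command in entries.items():
        hits = score_entry(command)
        if len(hits) >= threshold:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in find_registry_loaders(SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: {', '.join(hits)}")
```

On a live host the same scoring can be applied to the output of `reg query` or `Get-ItemProperty` on the Run keys of each user profile; the threshold keeps ordinary PowerShell-based startup scripts below the alert line.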
This type of malware tries to steal PASSWORDS used in various web accounts such as:
- Home banking;
- Certified mail;
- Social networks;
The same type of e-mail in the past distributed the GootKit malware, whose analysis by TG Soft's C.R.A.M. is available at these addresses:
How to identify a fake email
Experience and common sense are the first weapons to avoid these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Setting up automatic execution of macros is strongly discouraged, since simply opening Word and Excel files would then execute their macros immediately without any prior alert.
In case you have been infected by a Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the most commonly used passwords on the Web. In case the workstation involved is used for home-banking transactions, an assessment with your credit institution is also recommended.
We give you these suggestions to help avoid credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts
Sending materials to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
- Any suspect email can be forwarded directly from the recipient's e-mail client to email@example.com, choosing "Forward as Attachment" as the sending mode and writing in the subject "Possible phishing page to verify" or "Possible Malware to verify";
- Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must then be uploaded from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
Integrate your PC / SERVER protection with Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERs alike.
Vir.IT eXplorer Lite has the following special features:
- Freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
- Interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with or slow down the system but allows you to significantly increase security in terms of identification and remediation of infected files;
- It identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
- Through the Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have installed themselves automatically and to send the reported files to TG Soft's C.R.A.M.
- Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
For Vir.IT eXplorer PRO users...
For Vir.IT eXplorer PRO owners, it is also possible to contact TG Soft's technical phone support for free. The details can be found on the support page CLIENTS.
TG Soft's Anti-Malware Research Center