Last Updated: 2020-02-12 00:12:13 UTC
by Brad Duncan (Version: 1)
For the past two weeks or so, I hadn't found any malspam using password-protected zip archives with Word documents having macros for Ursnif. However, on Tuesday 2020-02-11, malspam from this campaign resumed. This time, it used Italian-language Word documents with macros for Ursnif. @reecdeep started a Twitter thread with some of the details (link).
Today's diary has a quick review of an infection from this campaign from Tuesday 2020-02-11.
Finding the associated Word documents
I searched VirusTotal Enterprise using the following criteria and found at least 66 password-protected zip archives containing the file info_02_11.doc from Tuesday 2020-02-11:
None of the associated emails had been submitted to VirusTotal, so I had to guess at the password. Several of these zip archives used 111 as the password. One of them used 222 as the password. The example I used for an infection had 333 as the password.
Infection traffic was typical of what I've seen with this campaign.
Indicators of Compromise (IoCs)
Traffic from an infected Windows host:
- 194.61.2[.]16 port 80 - qr12s8ygy1[.]com - GET /khogpfyc8n/215z9urlgz.php?l=xubiz8.cab
- port 443 - settings-win.data.microsoft.com - HTTPS traffic (not inherently malicious)
- 95.169.181[.]35 port 80 - lcdixieeoe[.]com - GET /images/[long string of characters].avi
- 45.141.103[.]204 port 443 - q68jaydon3t[.]com - HTTPS/SSL/TLS traffic caused by Ursnif
Associated malware:

- File size: 63,761 bytes
- File name: Genial.zip
- File description: Password-protected zip archive (password: 333)

- File size: 70,429 bytes
- File name: info_02_11.doc
- File description: Word doc with macro for Ursnif

- File size: 3,605 bytes
- File location: C:\Windows\Temp\a6c9p.xsl
- File description: XSL file dropped by Word macro

- File size: 188,416 bytes
- File location: hxxp://qr12s8ygy1[.]com/khogpfyc8n/215z9urlgz.php?l=xubiz8.cab
- File location: C:\Windows\Temp\aVQl7d.dll
- File description: Ursnif binary retrieved using XSL file
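The traffic indicators above are defanged (hxxp, [.]) and name specific hosts, but the two HTTP requests also have a recognizable shape: a .php?l=<name>.cab fetch for the loader and a /images/<long string>.avi request afterwards. The following Python is an added example, not code from the diary or from the pcap: it refangs the diary's indicators, builds a host/URL watchlist, and runs both exact matching and shape matching over a few constructed proxy-log lines. The log format, the example hosts and paths, and the choice of 16+ characters as "long" are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the diary's IoC list, in the defanged form used there.
DEFANGED_INDICATORS = [
    "hxxp://qr12s8ygy1[.]com/khogpfyc8n/215z9urlgz.php?l=xubiz8.cab",
    "lcdixieeoe[.]com",
    "q68jaydon3t[.]com",
    "194.61.2[.]16",
    "95.169.181[.]35",
    "45.141.103[.]204",
]

# URL shapes seen in the diary. Treating 16+ characters as the "long string"
# before .avi is an assumption for this example, not a value from the diary.
SHAPE_RULES = [
    ("ursnif_cab_fetch", re.compile(r"\.php\?l=[\w-]+\.cab$", re.I)),
    ("ursnif_avi_fetch", re.compile(r"^/images/[\w-]{16,}\.avi$", re.I)),
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator (hxxp://, [.]) into a matchable, lowercased string."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.lower()


def build_watchlist(defanged):
    """Split indicators into a host set and a full-URL set."""
    hosts, urls = set(), set()
    for ind in defanged:
        fanged = refang(ind)
        if "://" in fanged:
            urls.add(fanged)
            hosts.add(urlsplit(fanged).hostname)
        else:
            hosts.add(fanged)
    return hosts, urls


HOSTS, URLS = build_watchlist(DEFANGED_INDICATORS)

# Assumed proxy log layout: "<timestamp> <client> <method> <target> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+)")


def classify(line: str):
    """Return the reasons a log line matches (exact URL, known host, URL shape); [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":  # TLS: only host:port is visible, no path to shape-match
        host, path, full = target.rsplit(":", 1)[0].lower(), "", None
    else:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        path = parts.path + ("?" + parts.query if parts.query else "")
        full = target.lower()
    reasons = []
    if full in URLS:
        reasons.append("exact_url")
    if host in HOSTS:
        reasons.append("known_host")
    for name, rx in SHAPE_RULES:
        if rx.search(path):
            reasons.append(name)
    return reasons


def scan(lines):
    """Return (line, reasons) for every line that matched at least one rule."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample log lines for this example; they are not from the infection pcap.
SAMPLE_LOG = """\
2020-02-11T13:02:10Z 10.0.0.5 GET http://qr12s8ygy1.com/khogpfyc8n/215z9urlgz.php?l=xubiz8.cab 200
2020-02-11T13:02:12Z 10.0.0.5 CONNECT settings-win.data.microsoft.com:443 200
2020-02-11T13:02:30Z 10.0.0.5 GET http://lcdixieeoe.com/images/Zk9RlS1xq3Wn7bVt2pLc4dE.avi 200
2020-02-11T13:02:41Z 10.0.0.5 CONNECT q68jaydon3t.com:443 200
2020-02-11T13:05:00Z 10.0.0.7 GET http://cdn.example.com/images/logo.avi 200
2020-02-11T13:06:00Z 10.0.0.7 GET http://other-host.example/dl/x.php?l=setup.cab 200
""".splitlines()

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

The last sample line hits only the shape rule: no known host, but the same .php?l=...cab pattern. That is the kind of lower-confidence match worth alerting on separately, since the hosts in this campaign rotate while the URL shape has stayed the same.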
A pcap of the infection traffic along with the associated malware can be found here.
brad [at] malware-traffic-analysis.net