Introduction On Tuesday 2020-01-21, a wave of malicious spam (malspam) hit various recipients in Germany. The messages were email chains associated with infected Windows hosts, and every one of them carried a password-protected zip archive as an attachment. A closer look revealed this malspam was pushing Ursnif. Today's diary reviews this malspam and an Ursnif infection from one of the attachments on Tuesday 2020-01-21.
The malspam See the next three images for examples from this wave of malspam. Of note, this campaign has often used 777 as the password for the attached zip archive. In this wave of malspam, we saw the passwords 111, 333, and 555. Other passwords were probably used as well in examples we have not yet reviewed.
The attachments Using the password from the email, you can extract a Microsoft Word document from the password-protected zip archive. The message in the Word document is in German, and it directs you to enable macros. All of the Word documents are named info_01_21.doc. Of note, in recent versions of Microsoft Office, you must disable Protected View and bypass some other security features to enable macros and infect a vulnerable Windows host.
The infection traffic Infection traffic is typical for Ursnif infections in recent months. Other examples of Ursnif traffic, including infections from 2019, can be found here. Of note, the follow-up malware for this Ursnif infection was another Ursnif variant.
Forensics on an infected Windows host The infected Windows host contained artifacts commonly seen with this type of Ursnif infection. See the images below for details.
Indicators of Compromise (IoCs) Infection traffic from the initial Ursnif infection:
Request for the follow-up malware:
Infection traffic caused by the follow-up malware (another Ursnif variant):
Malware info: SHA256 hash: 957573dc5e13516da0d01f274ab28a141dddc8b6609fa35fde64a4900cb793e6
SHA256 hash: 05ec03276cdbb36fdd8433beca53b6c4a87fa827a542c5d512dcbb2cf93023c9
SHA256 hash: c7f801c491d705cd5e6a202c7c5084874235e19b5505d8e0201111cb3789a9c8
SHA256 hash: df824e3e5bb15c7b74d5e8a021f3cbcd867100a02399b9c383488c660ae920b4
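To tie the attachment section and the IoC list together, here is an added example of how an analyst might triage one of these zip attachments; it is not code from this diary or from the ISC. It tries the repeated-digit passwords against the archive, hashes the extracted info_01_21.doc, compares the hash with the four SHA256 values listed above, and applies a byte-pattern check for a VBA "Macros" storage. Only 111, 333, 555 and 777 come from the page; extending the pattern to the other repeated digits is an assumption. Because Python's standard library can read but not write ZipCrypto archives, the script includes a small ZipCrypto writer and builds its own constructed sample zip (a fake OLE blob, not the real document) so it runs offline.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# SHA256 hashes from the IoC list above.
IOC_SHA256 = {
    "957573dc5e13516da0d01f274ab28a141dddc8b6609fa35fde64a4900cb793e6",
    "05ec03276cdbb36fdd8433beca53b6c4a87fa827a542c5d512dcbb2cf93023c9",
    "c7f801c491d705cd5e6a202c7c5084874235e19b5505d8e0201111cb3789a9c8",
    "df824e3e5bb15c7b74d5e8a021f3cbcd867100a02399b9c383488c660ae920b4",
}
# 111/333/555 were seen in this wave and 777 in this campaign before; the other
# repeated-digit strings are an assumption about the pattern, not observed.
PASSWORD_CANDIDATES = ["111", "333", "555", "777"] + [d * 3 for d in "246890"]

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OLE directory entry names are UTF-16LE; a Word 97-2003 file with VBA code has
# a "Macros" storage holding the "_VBA_PROJECT" stream.
MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def try_passwords(zip_bytes, candidates):
    """Return (password, member name, plaintext) for the first candidate that
    opens the first member, else None. ZipCrypto verifies only one byte of the
    password up front, so about 1 in 256 wrong guesses passes that check and
    fails later with a CRC error; both failures count as a wrong password.
    zipfile handles ZipCrypto only; WinZip AES archives need e.g. pyzipper."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    info = zf.infolist()[0]
    for pwd in candidates:
        try:
            return pwd, info.filename, zf.read(info, pwd=pwd.encode())
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None


def looks_like_macro_doc(data):
    """Quick heuristic only; use oletools' olevba for real macro analysis."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in MACRO_MARKERS)


def triage_attachment(zip_bytes, candidates=PASSWORD_CANDIDATES):
    """Open the zip, hash the extracted member, compare with the IoC list."""
    hit = try_passwords(zip_bytes, candidates)
    if hit is None:
        return {"password": None}
    pwd, name, data = hit
    digest = hashlib.sha256(data).hexdigest()
    return {"password": pwd, "filename": name, "sha256": digest,
            "known_ioc": digest in IOC_SHA256,
            "macro_markers": looks_like_macro_doc(data)}


# --- Constructed sample input. The stdlib cannot write encrypted zips, so a
# --- minimal ZipCrypto (traditional PKWARE) writer follows.
def _crc_entry(i):
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i


_CRC_TABLE = [_crc_entry(i) for i in range(256)]


def zipcrypto_encrypt(password, plaintext, check_byte):
    """Encrypt 11 filler bytes + CRC check byte + data with the ZipCrypto
    key stream. Real archivers use random filler; zeros suffice for a sample."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c):
        keys[0] = (keys[0] >> 8) ^ _CRC_TABLE[(keys[0] ^ c) & 0xFF]
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = (keys[2] >> 8) ^ _CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]

    for p in password:
        update(p)
    out = bytearray()
    for c in bytes(11) + bytes([check_byte]) + plaintext:
        k = keys[2] | 2
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(c)  # keys advance on the plaintext byte
    return bytes(out)


def build_sample_zip(name, data, password):
    """Single STORED member with the encryption flag (bit 0) set."""
    crc = zlib.crc32(data)
    body = zipcrypto_encrypt(password.encode(), data, (crc >> 24) & 0xFF)
    fname = name.encode()
    dosdate = ((2020 - 1980) << 9) | (1 << 5) | 21  # 2020-01-21
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, dosdate,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0,
                          dosdate, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


# Stand-in for info_01_21.doc: OLE magic plus a "Macros" storage name. Not a
# real document and not the diary's malware.
SAMPLE_DOC = OLE_MAGIC + bytes(24) + "Macros".encode("utf-16-le") + bytes(32)
SAMPLE_ZIP = build_sample_zip("info_01_21.doc", SAMPLE_DOC, "333")

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ZIP))
```

Run it against a real attachment by replacing SAMPLE_ZIP with the bytes of the zip from the email. The caveat worth remembering is the one-byte password check in ZipCrypto: a wrong password will occasionally get past `zipfile`'s check and only surface as a bad CRC on read, which is why both exception types are treated as a miss rather than a corrupt archive. The macro check is a cheap marker search; a document with a "Macros" storage is worth a closer look with olevba, while the absence of the marker proves nothing.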
Final words A pcap of the infection traffic, the associated malware and artifacts, and some malspam examples can be found here.
--- Brad Duncan, ISC Handler, Jan 23rd 2020