August 11, 2021
Severity
High
Analysis Summary
Italian Windows users are being targeted by a spam campaign that spreads the Dharma ransomware as the final payload. Researchers indicate that the spam emails are disguised as invoice emails; in reality, they are used to infect recipients with the Ursnif keylogger or the Dharma ransomware. The emails claim that the included URL links to invoice documents that need the reader's approval. The URL points to a OneDrive page from which a file named "New documento 2.zip" is downloaded automatically as soon as the page is displayed. The zip file contains a Visual Basic script and an image file; if the user executes the Visual Basic script, the infection begins. BleepingComputer researchers observed both Ursnif and Dharma as final payloads, though not on the same victim.
Impact
- File Encryption
Indicators of Compromise
MD5
- 95f91f236cf95d698d9195690133265b
- 37c1ee5708d1f5e45cea516059fd12f8
SHA-256
- 085105e613ad37808a8db9a3c2ba5561d5d38d5c5c43b469c93d15f0d64af0c1
- 90c54543aaf085e00879d4fe98a6dfb8148548f374828d50b6e3ac44668138b2
SHA-1
- 29f3c5cc44709847c416bc35b3043d3da1392a8c
- d9102824ed07a4c29bd364fd0f4e08df1f5dc1d9
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click links or open attachments sent by unknown senders.
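As an added example (not Rewterz's or BleepingComputer's code), the following Python triage helper applies the two remediation ideas above to a downloaded archive: it checks the file's MD5, SHA-1 and SHA-256 against the indicators listed in this advisory, and it flags the lure structure described in the summary (a small ZIP bundling a Visual Basic script with an image). The flagged script extensions and the sample archive's inner file names are assumptions; the real archive contents are not on the page.

```python
import hashlib
import io
import zipfile
# Indicators copied from the advisory above, keyed by hashlib algorithm name.
IOC_HASHES = {
    "md5": {"95f91f236cf95d698d9195690133265b", "37c1ee5708d1f5e45cea516059fd12f8"},
    "sha1": {"29f3c5cc44709847c416bc35b3043d3da1392a8c", "d9102824ed07a4c29bd364fd0f4e08df1f5dc1d9"},
    "sha256": {"085105e613ad37808a8db9a3c2ba5561d5d38d5c5c43b469c93d15f0d64af0c1",
               "90c54543aaf085e00879d4fe98a6dfb8148548f374828d50b6e3ac44668138b2"},
}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")  # assumption: script types worth flagging
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

def hash_matches(data: bytes) -> list:
    """Return (algorithm, digest) pairs whose digest of `data` is a listed indicator."""
    hits = []
    for algo, known in IOC_HASHES.items():
        digest = hashlib.new(algo, data).hexdigest()
        if digest in known:
            hits.append((algo, digest))
    return hits

def lure_heuristic(data: bytes) -> dict:
    """Inspect a ZIP and report whether it looks like the script-plus-image lure."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        return {"is_zip": False, "scripts": [], "images": [], "suspicious": False}
    scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    images = [n for n in names if n.lower().endswith(IMAGE_EXTS)]
    # A small archive bundling a script with a decoy image matches the described lure.
    return {"is_zip": True, "scripts": scripts, "images": images,
            "suspicious": bool(scripts) and len(names) <= 3}

def triage(data: bytes) -> dict:
    """Combine exact indicator matching with the structural heuristic."""
    hits = hash_matches(data)
    result = lure_heuristic(data)
    result["ioc_hits"] = hits
    result["block"] = bool(hits) or result["suspicious"]
    return result

def build_sample_lure() -> bytes:
    """Constructed stand-in for the described archive; inner file names are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New documento 2.vbs", "' constructed placeholder script, does nothing\r\n")
        zf.writestr("invoice.jpg", b"\xff\xd8\xff\xe0 constructed bytes")
    return buf.getvalue()
```

A hash hit is the strong signal; the structural heuristic is there to catch a re-packed archive whose hashes have changed, so treat it as a reason to quarantine and inspect rather than as proof of infection.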