Rewterz Threat Alert – JavaScript RAT Targeting Asian Government and Financial Sector
January 15, 2021Rewterz Threat Alert – Formbook Malware – IoCs
January 15, 2021
Severity
Medium
Analysis Summary
A new phishing campaign has been detected in the wild spreading a fresh variant of the Ursnif Trojan via an attached MS Word document. The campaign continues to target Italy. Although Ursnif is classified as a banking Trojan, the shutdown of its C2 server has left this latest variant unable to download the malicious banking module it needs to steal banking information from the victim, so the second stage of its attack never starts. The email content used in this malspam campaign is translated as:
Dear customer,
A recent accounting audit shows that your invoice number 294316 of 12/10/2020 expired on 12/11/2020. As of today, it has not yet been paid by you.
Therefore, please normalize your accounting position as soon as possible. We are also reminding you that this payment can be made by bank transfer using the IBAN indicated in the invoice or, by bank check or bank draft.
You can consult the invoice and the details for the payment through the attached archive.
We thank you for your attention and we send you kind regards.
Attached to the email is an MS Word document named “residuo_8205843.doc”. The email text lures the victim into opening the document to get further details of the invoice.
Impact
Information Theft
Indicators of Compromise
Domain Name
- longline[.]cyou
- gstatistics[.]co
Filename
- residuo_8205843[.]doc
MD5
- 0ee0e091659e19944970ffec47390f5c
- 8c7b2ff105963718fa3c26989e206041
SHA-256
- e9732cdca1b2503e02e8fea9a4c68eda940e10890e1c5abe2ceb2290fe39c3db
- 90d8648b2aac0c837286a4c042f02064cfbb12f45b3dc6b00b2beccc7fc35422
SHA-1
- bf3907ff8af3659aee1c51241ef7f0633cde9284
- 831ece0ae6b5e2f373f75352e582abd61b5dd0d7
URL
- http[:]//longline[.]cyou/p1cture3[.]jpg
- https[:]//gstatistics[.]co
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
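As an added example (not part of the Rewterz alert, and not Rewterz tooling), the script below shows one way to act on the first remediation item: it refangs the indicators listed above (`[.]` and `[:]` back to `.` and `:`) and matches them against log lines from DNS, proxy and mail-gateway sources. The log lines are constructed for the example and the log field names are assumptions; only the domains, URL, filename and hashes come from the alert.

```python
import re

# Indicators copied from the alert above, kept in their defanged form.
DEFANGED_DOMAINS = ["longline[.]cyou", "gstatistics[.]co"]
DEFANGED_URLS = ["http[:]//longline[.]cyou/p1cture3[.]jpg", "https[:]//gstatistics[.]co"]
DEFANGED_FILENAMES = ["residuo_8205843[.]doc"]
FILE_HASHES = {
    # MD5
    "0ee0e091659e19944970ffec47390f5c",
    "8c7b2ff105963718fa3c26989e206041",
    # SHA-256
    "e9732cdca1b2503e02e8fea9a4c68eda940e10890e1c5abe2ceb2290fe39c3db",
    "90d8648b2aac0c837286a4c042f02064cfbb12f45b3dc6b00b2beccc7fc35422",
    # SHA-1
    "bf3907ff8af3659aee1c51241ef7f0633cde9284",
    "831ece0ae6b5e2f373f75352e582abd61b5dd0d7",
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to its live form for comparison with
    real log data: '[.]' -> '.', '[:]' -> ':', a leading 'hxxp' -> 'http'."""
    live = indicator.replace("[.]", ".").replace("[:]", ":")
    live = re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)
    return live.lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
URLS = {refang(u) for u in DEFANGED_URLS}
FILENAMES = {refang(f) for f in DEFANGED_FILENAMES}

# Hex tokens of SHA-256, SHA-1 or MD5 length; the \b anchors stop a 64-char
# hash from being reported as a 32-char prefix.
HEX_TOKEN = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")


def _contains(text: str, value: str) -> bool:
    """True if value appears in text as a whole token: 'gstatistics.co' must not
    match 'gstatistics.com', but 'a.gstatistics.co' (a subdomain) still matches."""
    return re.search(r"(?<![\w-])" + re.escape(value) + r"(?![\w-])", text) is not None


def match_line(line: str) -> list:
    """Return [(indicator_type, value), ...] for every alert indicator found in
    one log line; an empty list means the line is clean."""
    low = line.lower()
    hits = []
    for url in URLS:
        if _contains(low, url):
            hits.append(("url", url))
    for domain in DOMAINS:
        # Skip a domain already covered by a URL hit on the same line, so a
        # proxy record is not reported twice for one indicator.
        if _contains(low, domain) and not any(domain in u for _, u in hits):
            hits.append(("domain", domain))
    for name in FILENAMES:
        if _contains(low, name):
            hits.append(("filename", name))
    for token in HEX_TOKEN.findall(low):
        if token in FILE_HASHES:
            hits.append(("hash", token))
    return hits


def scan(lines) -> dict:
    """Scan log lines and return {line_number: hits} for the lines that matched."""
    return {n: h for n, h in ((n, match_line(l)) for n, l in enumerate(lines, 1)) if h}


# Constructed sample log lines (not from the alert): a mail-gateway attachment
# record, a DNS resolver query, a web-proxy request and one benign query.
SAMPLE_LOGS = [
    "2021-01-15T09:11:40Z mailgw from=ext attachment=residuo_8205843.doc "
    "sha256=e9732cdca1b2503e02e8fea9a4c68eda940e10890e1c5abe2ceb2290fe39c3db",
    "2021-01-15T09:12:01Z dns client=10.0.0.23 query=longline.cyou type=A",
    "2021-01-15T09:12:02Z proxy client=10.0.0.23 url=http://longline.cyou/p1cture3.jpg status=200",
    "2021-01-15T09:13:10Z dns client=10.0.0.45 query=example.com type=A",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS).items():
        print(f"line {n}: " + ", ".join(f"{t}={v}" for t, v in hits))
```

Matching is done on whole tokens rather than plain substrings so that the two-letter `.co` domain does not fire on every `.com` host, while subdomains of a listed domain still match; hashes are pulled out by length so the same pass covers MD5, SHA-1 and SHA-256 fields regardless of which one a given log source records.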