Rewterz Threat Alert – New Variant of Ursnif Using Invoice Malspam

Severity

Medium

Analysis Summary

A new phishing campaign is detected in the wild that was spreading a fresh variant of the Ursnif Trojan via an attached MS Word document. The campaign is continuously targeting Italy. Although Ursnif is identified as a banking Trojan, due to its C2 server’s shutdown, this latest variant has been unable to download the malicious banking module it needs to steal banking information from the victim, causing it to fail to start the second stage of its attack. The email content used in this malspam campaign is translated as: 

Dear customer, 

A recent accounting audit shows that your invoice number 294316 of 12/10/2020 expired on 12/11/2020. As of today, it is not yet been paid by you.

Therefore, please normalize your accounting position as soon as possible. We are also reminding you that this payment can be made by bank transfer using the IBAN indicated in the invoice or, by bank check or bank draft.

You can consult the invoice and the details for the payment through the attached archive.

We thank you for your attention and we send you kind regards.

Attached to the email is an MS Word document named “residuo_8205843.doc”. The text lures the victim into opening the document to get more details of the invoice.

Impact

Information Theft

Indicators of Compromise

Domain Name

• longline[.]cyou
• gstatistics[.]co

Filename

• residuo_8205843[.]doc

MD5

• 0ee0e091659e19944970ffec47390f5c
• 8c7b2ff105963718fa3c26989e206041

SHA-256

• e9732cdca1b2503e02e8fea9a4c68eda940e10890e1c5abe2ceb2290fe39c3db
• 90d8648b2aac0c837286a4c042f02064cfbb12f45b3dc6b00b2beccc7fc35422

SHA1

• bf3907ff8af3659aee1c51241ef7f0633cde9284
• 831ece0ae6b5e2f373f75352e582abd61b5dd0d7

URL

• http[:]//longline[.]cyou/p1cture3[.]jpg
• https[:]//gstatistics[.]co

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.