Rewterz Threat Alert – Emotet is Back from Holiday
January 14, 2020Rewterz Threat Alert – ‘Cable Haunt’ Modem Flaw Leaves 200 Million Devices at Risk
January 14, 2020Rewterz Threat Alert – Emotet is Back from Holiday
January 14, 2020Rewterz Threat Alert – ‘Cable Haunt’ Modem Flaw Leaves 200 Million Devices at Risk
January 14, 2020Severity
Medium
Analysis Summary
Ursnif (aka Gozi/Gozi-ISFB), discovered in 2006, may be one of the oldest banking Trojans still active. After its source code was leaked, a number of variants sprang up. SAIGON may be more of a generic backdoor than just a banking Trojan. During infection, SAIGON is stored in the registry as a Base64-encoded shellcode blob. On a scheduled basis, a task is used to launch the blob using PowerShell. Communication with its command and control servers is via multipart/form-data encoded requests over HTTPS using the POST command. Although SAIGON may share Ursnif’s source code. it may be designed for a more targeted attack approach than Ursnif.
Impact
- Credential theft
- Financial loss
Indicators of Compromise
MD5
- 30c23ec53a3443b6d53a6c8ad29cbcc8
- 2f699110efa494ffd630cea68689313d
SHA-256
- 431f83b1af8ab7754615adaef11f1d10201edfef4fc525811c2fcda7605b5f2e
- 628cad1433ba2573f5d9fdc6d6ac2c7bd49a8def34e077dbbbffe31fb6b81dc9
SHA1
- 0b18ea041f8b467158b96ab8c655e97329b95a45
- 8d008f218911943645a52303ada353156a7304bc
URL
- http[:]//softcloudstore[.]com
- https[:]//cdn-digicert-i31[.]com
- https[:]//cdn-gmail-us[.]com
- https[:]//cdn-google-eu[.]com
- https[:]//cdn-mozilla-sn45[.]com
- https[:]//google-download[.]com
- https[:]//mozilla-yahoo[.]com
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.