Rewterz Threat Alert – Threat Indicators – Ursnif/Gozi Malspam

Severity

Medium

Analysis Summary

The noticeable aspects of this specific campaign are the use of existing e-mail threads within compromised e-mail account to spread their malware, use of encrypted ZIP compressed archive to protect a malicious Word Document, and a polymorphic Ursnif payload- the hash of downloaded Ursnif payload changes regularly.

When the document is opened, the On-Open (AutoOpen) VBA/Macros triggers an encoded PowerShell command which downloads a binary – Decoded-PS-1.png in attachments.

Impact

Malware infection

Indicators of Compromise

URLs

• v73adrian79[.]company
• v73adrian79[.]company/hssuwpqksm/o.php?l=koagura9.bz2
• z50rvfhcasandra[.]com
• p26ui42annamarie[.]com
• gefren1267[.]band

Filename

Challenger.zip

Email Address

• support[@]thebloks[.]com
• soccernews[@]challenger-soccer[.]com

Malware Hash (MD5/SHA1/SH256)

• 324dabe55bdbc0e4b13e16a258483a76
• d6d0d94c72b187a7d3fc39eef4301c20fe2dd34f
• f638665a11098a4da5849264c80a083bd4e278e6d7874d7e55ec13d8048aee02
• bbd7c5a469a65ca1102888b1bd47f5f6
• 6b49c392ce88a750e40571784f42e9f2226e8e29
• 48a99d007f50db9e00f64cc4176618c619af0c48eab602c833db4277d4b215c7
• 1b23d8e7b0fd32f85c7ba26d9c193cd1
• 562067d3ff65d065e7a68102d3c6692e9670d64f
• 249712f0652990a9dfa40e58399a01cc8b3954462c04f4d34d81d599b5b75f69

Remediation

• Block threat indicators at your respective controls.
• Always be suspicious of the emails sent by unknown senders.
• Never click on the link/ attachments given on the link sent by unrecognized senders.