Rewterz Threat Alert – Ursnif Found in Admin Billing Phishing Campaign

Severity

Medium

Analysis Summary

A new wave of attacks against Italian users and companies is detected. The attackers send fraudulent e-mail messages on administrative billing issues, which invite the victims to open remote links aimed at downloading and installing malware from the Ursnif family : capable of stealing credentials, intercepting network traffic and installing additional malware. The campaign is particularly dangerous because the malware variant used is digitally signed with valid cryptographic certificates. The digital signature affixed to the executable makes the threat more insidious as it could be ignored by some perimeter systems and antivirus agents. 

 

Impact

• Credential Theft
• Information Theft
• Malware infection

Indicators of Compromise

Domain Name

• boathandlingjack[.]com
• thefork[.]info
• teablitziloilo[.]xyz
• hivechannel3[.]com
• pizzaonenj[.]com
• Email Subject
• Invoice No. of 09.29.19

MD5

• 7d2b81d2ca6da7e4f095282c6cfb69dc
• af0464c5e28dbdef41e3a8c6ca042765

SHA-256

• d106c6afba88309f3dac8976e04274898b899d494262f3a182a502b5625860a2
• dfcc6b953c6ee67a6f29c0e7050fc953ad0b950e07e6e6370a6631863131f1c2

Source IP

• 212.42.121[.]53

URL

• http[:]//homesredmond[.]com/
• http[:]//bethelarts[.]org/bbfav?qei=307586
• http[:]//crccoating[.]com/
• http[:]//realestatewoodinville[.]net/
• http[:]//thefork[.]info/ejczb?ojtj=218646
• http[:]//pizzaonenj[.]com/paghfjug43.php
• http[:]//hivechannel3[.]com/nwyu?wsr=6499
• https[:]//teablitziloilo.xyz/index[.]htm
• http[:]//myegy[.]club/glvvl?hhfw=15530

Remediation

• Block the threat indicators at their respective controls.
• Do not download email attachments and do not visit links attached in untrusted emails.
• Implement employee awareness programs to spread awareness about phishing.