June 20, 2019
Severity
Medium
Analysis Summary
Ursnif is typically encountered when the user inadvertently opens a malicious file attachment that arrives via a spam email message.
Upon execution, Ursnif checks for the presence of any virtual or debugging environment; if one is found, it shows a fake alert message box with the text "Error Initializing Client App!" and stops. Otherwise it performs process hollowing on svchost.exe or explorer.exe and injects a DLL (client.dll) chosen to match the system environment (32- or 64-bit).
Afterwards, it attempts to steal multiple pieces of information from the system and stores them in a file, then connects to a malicious command and control (C&C) server.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
IP(s) / Hostname(s)
- 46[.]17[.]42[.]185
- 94[.]103[.]85[.]86
- 94[.]103[.]94[.]3
- 94[.]103[.]94[.]145
- 46[.]8[.]18[.]186
- 212[.]109[.]197[.]19
URLs
- hxxps[:]//drive.google[.]com/file/d/12F5NTHrUvJyCrHGwdxcB8VemGVbNHxk-/view?usp=sharing/
- hxxp[:]//blogger.scentasticyoga[.]com
- hxxp[:]//link.kunstsignal[.]net/images/
- hxxp[:]//znedra34h[.]band/2poef1/j.php?l=flono[1-10].fgs
- hxxp[:]//gkarianelenora[.]company/2poef1/j.php?l=flono[1-10].fgs
- hxxps[:]//blogger.scentasticyoga[.]com/
- hxxp[:]//blogger[.]scentasticyoga[.]com/sdfwegg?yrw=3
- hxxp[:]//blogger.scentasticyoga[.]com/
- hxxp[:]//blog.practicereiki[.]com/pagpoftrh54[.]php
- znedra34h[.]band
- gkarianelenora[.]company
- meduardoyvicky[.]email
- b6531yil[.]band
- a22a2927qioh[.]city
- dcordeliakyleigh[.]email
- dfredamy[.]company
- dubwyudiana[.]email
- qualphonso[.]company
- kureidww[.]company
- ptysonqbg[.]band
- soxhiicp32jalon[.]com
- vjosiannehmaegan[.]city
- vkq43imkay[.]com
- http[:]//link[.]kunstsignal[.]net/images/k8_2B_2FGQqXX9R/6svLKioUDyBfFXYGFO/SVbbLdYby/JgiiNPZHRiiwNA0ThROp/4dvG9p04IYJ_2FpgfEl/EicOJlEqs6UzxEywvM20cY/wqjKFb_2Bwb_2/FQWma8dA/zq8pUIu3yi1g0_2BlUBesTq/i0fA8P3FM0/vy7wv[.]avi
Filename
- Atto_51648651519816651651651651651.vbs
- eyTWUDW.exe
Malware Hash (MD5/SHA1/SHA256)
- a60864bfaaf6d8465a44d1cfceb38001d3de5466bef4c993e51d0f7a4e28776d
- 343423080d891e9c05053b8e9854f63d7e9cb8ee79add7341511a0d274a42047
- 26300dd94a2cb0b0472d94cceabb8586ba51ef850125fe8c81f88345274c5d2e
- 743bc044bcee1580352f115942df9412628b0a9e34b7ee2f732a0582f51bfb38
- 7adf1d2a41cac67bc0d6aa468c53c1f7390dfaf1d59e5bd175a875b1bbf991b4
- 8cfd37f5d6b0eebaed6916291c62e0d29cfcdd20695a42a9932d3b46b14410ce
- e333f7356bd0d2a5e97864bf588dd9c2474fa143036c13939219f9b6f547cc20
- 7296fc2aabca7a272cbabfd1a7d3902044b9defea81c1d2bf183aec3176e0183
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or open attachments sent by unknown senders.
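Acting on the "block all threat indicators" step means first refanging the published indicators and then matching them against telemetry. The Python script below is an added example, not code from the advisory or from Rewterz: it takes a subset of the indicator values listed above, refangs them, and scans a handful of log records for matches on IP address, domain or subdomain, SHA256 hash and file name. Every log line (proxy, EDR process-creation, DNS and firewall records) is constructed for the demo and does not come from a real system.

```python
"""Refang the advisory's indicators and match them against log records.

Added example, not part of the Rewterz advisory. The indicator values are a
subset copied from the advisory; every log line below is constructed for the
demo and does not come from a real system.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators as they appear in the advisory (subset).
DEFANGED_IPS = ["46[.]17[.]42[.]185", "94[.]103[.]85[.]86", "212[.]109[.]197[.]19"]
DEFANGED_URLS = [
    "hxxp[:]//blogger.scentasticyoga[.]com",
    "hxxp[:]//link.kunstsignal[.]net/images/",
    "hxxp[:]//znedra34h[.]band/2poef1/j.php?l=flono[1-10].fgs",
]
DEFANGED_DOMAINS = ["znedra34h[.]band", "gkarianelenora[.]company", "meduardoyvicky[.]email"]
SHA256_HASHES = {
    "a60864bfaaf6d8465a44d1cfceb38001d3de5466bef4c993e51d0f7a4e28776d",
    "343423080d891e9c05053b8e9854f63d7e9cb8ee79add7341511a0d274a42047",
}
FILENAMES = {"Atto_51648651519816651651651651651.vbs", "eyTWUDW.exe"}

# Constructed log records: proxy, EDR, DNS, firewall, then two benign lines.
SAMPLE_LOGS = [
    "2019-06-20T10:01:02Z 10.0.0.5 GET http://blogger.scentasticyoga.com/sdfwegg?yrw=3 200",
    r"2019-06-20T10:02:00Z HOST01 process_create image=C:\Users\a\AppData\Local\Temp\eyTWUDW.exe "
    "sha256=343423080d891e9c05053b8e9854f63d7e9cb8ee79add7341511a0d274a42047",
    "2019-06-20T10:03:00Z 10.0.0.7 dns query=cdn.gkarianelenora.company",
    "2019-06-20T10:04:00Z 10.0.0.9 fw allow dst=94.103.85.86:443",
    "2019-06-20T10:05:00Z 10.0.0.5 GET http://www.example.com/ 200",
    "2019-06-20T10:06:00Z HOST02 process_create image=C:\\Windows\\notepad.exe sha256=" + "0" * 64,
]

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo the advisory's defanging: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Lower-case host name of a (refanged) URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def build_indicators() -> dict:
    """Refang every indicator once and group it by type for fast lookup."""
    domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    domains |= {host_of(refang(u)) for u in DEFANGED_URLS}  # URL hosts count too
    return {
        "ips": {refang(ip) for ip in DEFANGED_IPS},
        "domains": domains - {""},
        "hashes": {h.lower() for h in SHA256_HASHES},
        "files": set(FILENAMES),
    }


def _domain_hit(host: str, domains: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line: str, ind: dict) -> list:
    """Return (type, value) pairs for every indicator found in one log line."""
    hits = []
    for raw in line.split():
        if "://" in raw:  # full URL: match on its host, not on its path
            host = host_of(raw)
            if host and _domain_hit(host, ind["domains"]):
                hits.append(("domain", host))
            continue
        token = raw.split("=", 1)[1] if "=" in raw else raw  # key=value fields
        token = re.sub(r":\d+$", "", token.strip('",;'))  # drop a trailing port
        if IP_RE.match(token):
            if token in ind["ips"]:
                hits.append(("ip", token))
        elif SHA256_RE.match(token):
            if token.lower() in ind["hashes"]:
                hits.append(("hash", token.lower()))
        elif HOST_RE.match(token):
            if _domain_hit(token, ind["domains"]):
                hits.append(("domain", token.lower()))
        else:  # anything else may be a file path: compare its base name
            name = re.split(r"[\\/]", token)[-1]
            if name in ind["files"]:
                hits.append(("file", name))
    return hits


def scan_logs(lines, ind: dict) -> list:
    """Return [(1-based line number, hits)] for lines with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line, ind)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    indicators = build_indicators()
    for number, hits in scan_logs(SAMPLE_LOGS, indicators):
        print(f"line {number}: {hits}")
```

Domain matching is deliberately one-directional: a host that is a subdomain of a listed domain matches, but the parent of a listed host (for example scentasticyoga.com when only blogger.scentasticyoga.com is listed) does not, so a shared hosting domain does not produce false positives. The line 4 of SAMPLE_LOGS shows why the trailing port is stripped before the IP comparison: firewall and proxy logs routinely record `ip:port`, which would otherwise never match.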