SmokeLoader Malware – Active IOCs
August 6, 2024
Severity
High
Analysis Summary
Researchers have uncovered recent spam campaigns that deliver the URSA/Mispadu banking trojan. Mispadu steals credentials from infected systems. The attack targets systems whose language is set to Spanish or Portuguese, and its targets are likely similar to those of previous Mispadu campaigns, which hit users in Mexico, Spain, Portugal, and nearby regions. This is consistent with earlier Mispadu schemes, such as the one that used spam emails offering fake discount coupons as bait.
In this case, Mispadu's entry vector is again spam, as in past campaigns involving the malware. Messages referring to overdue invoices create a sense of urgency that persuades recipients to download a .ZIP file from malicious URLs.
The ZIP file contains an MSI (Microsoft Installer) package carrying a VBScript. Three layers of obfuscation follow; once deobfuscated, they reveal the final VBScript, which executes an AutoIt loader/injector. The final VBScript also collects the operating system version and terminates if it detects a virtual environment.
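The following is an added detection example, not part of the advisory or any vendor tooling: it runs the advisory's hash and domain indicators, plus the msiexec → VBScript host → AutoIt process chain described above, over a few constructed process/DNS event lines. The key="value" log format, the field names and the sample events are assumptions for illustration.

```python
import re

# Indicators listed in this advisory (MD5, SHA-256, SHA1 and the domain).
IOC_HASHES = {
    "72dd2e81e09c96b4a1e350af0eb854f7",
    "cf001a6d188b96847b7835d0dafbfa91",
    "225341f69f153dcb90aea484f90149eaf7bb05c1ead55bde1cde2a568bed9848",
    "4472c62d3d9982c1330ed143c81ee3cfa59fe916915bb6f6fb69e7d68f525219",
    "da54cc19d79bdcb89f8e00c874c31bc54f3df71b",
    "9675c96faaab861aa95fb7c2a55249243a4a3d49",
}
IOC_DOMAINS = {"contgeraklf.com"}

# Parent/child image pairs reproducing the described chain: the MSI runs a
# VBScript host, and the final VBScript launches an AutoIt loader/injector.
CHAIN = {
    ("msiexec.exe", "wscript.exe"), ("msiexec.exe", "cscript.exe"),
    ("wscript.exe", "autoit3.exe"), ("cscript.exe", "autoit3.exe"),
}

def parse_event(line):
    """Parse one key="value" event line (assumed log format) into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(lines):
    """Return [(reason, event)] for every line that hits an IOC or the chain."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("Hash", "").lower() in IOC_HASHES:
            hits.append(("ioc_hash", ev))
        if ev.get("DestinationHost", "").lower() in IOC_DOMAINS:
            hits.append(("ioc_domain", ev))
        pair = (basename(ev.get("ParentImage", "")), basename(ev.get("Image", "")))
        if pair in CHAIN:
            hits.append(("msi_vbscript_autoit_chain", ev))
    return hits

# Constructed sample telemetry (not real logs); the all-zero hashes are benign
# placeholders, the others are indicators from this advisory.
SAMPLE = [
    'Type="ProcessCreate" ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\msiexec.exe" Hash="00000000000000000000000000000000"',
    'Type="ProcessCreate" ParentImage="C:\\Windows\\System32\\msiexec.exe" Image="C:\\Windows\\System32\\wscript.exe" Hash="da54cc19d79bdcb89f8e00c874c31bc54f3df71b"',
    'Type="ProcessCreate" ParentImage="C:\\Windows\\System32\\wscript.exe" Image="C:\\Users\\Public\\AutoIt3.exe" Hash="cf001a6d188b96847b7835d0dafbfa91"',
    'Type="DnsQuery" Image="C:\\Users\\Public\\AutoIt3.exe" DestinationHost="contgeraklf.com"',
    'Type="ProcessCreate" ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\notepad.exe" Hash="0000000000000000000000000000000000000000"',
]
```

Run `classify(SAMPLE)` to see two hash hits, two chain hits and one domain hit; the benign first and last events produce nothing.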
Impact
- Credential Theft
- Financial Loss
Indicators of Compromise
Domain Name
- contgeraklf.com
MD5
- 72dd2e81e09c96b4a1e350af0eb854f7
- cf001a6d188b96847b7835d0dafbfa91
SHA-256
- 225341f69f153dcb90aea484f90149eaf7bb05c1ead55bde1cde2a568bed9848
- 4472c62d3d9982c1330ed143c81ee3cfa59fe916915bb6f6fb69e7d68f525219
SHA1
- da54cc19d79bdcb89f8e00c874c31bc54f3df71b
- 9675c96faaab861aa95fb7c2a55249243a4a3d49
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening so that the organization's websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.