Rewterz Threat Alert – Latest Ursnif Campaign Targeting Organizations
April 21, 2020
Severity
Medium
Analysis Summary
Two campaigns have been observed using COVID-19 themed lures to target employees. The first email claims that an attached Excel workbook contains guidelines for preventing a Coronavirus outbreak. Its TTPs match those of an ongoing malspam campaign in which such Excel documents infect systems with Zloader, which then downloads the Zeus banking Trojan onto the victim system as the final payload. The second email uses a shipping theme, claiming that shipments are delayed because of Coronavirus, and offers a link for further details. Visiting that link downloads an IMG disk-image file (the URL is listed under Indicators of Compromise below). On Windows 8 and later a double-click mounts such an image as a drive letter, and its contents infect the victim host with the Nanocore RAT, giving the attacker remote access.
Impact
- Credential theft
- Exposure of sensitive data
- Financial loss
Indicators of Compromise
MD5
579090062d15633c58d1e9a37444ee8f
SHA-256
7b2adf1c8ff725d7dd61b0fdc3ef9e6e3a8bd1b744fd209290a1bf65f9b9acb4
SHA-1
27af4e30ca4fd382ae20214c8d777d89b82cb356
URL
http[:]//gbud[.]webd[.]pl/images/COVID-19-04-01-2020[.]IMG
Remediation
- Block all threat indicators at your respective controls: the URL and its host at the web proxy, DNS filter and mail gateway, and the file hashes at endpoint protection and EDR.
- Treat emails from unknown senders with suspicion, especially those using Coronavirus themed pretexts.
- Never open attachments or follow links sent by unknown senders.
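As a worked example of the "block and hunt for the indicators" step, the script below takes the hashes and the defanged URL published in this alert, refangs the URL, and checks them against local files and proxy log lines. It is an added example, not tooling from Rewterz; the log format, the host names and the log lines it matches against are constructed for illustration.

```python
"""Hunt for this alert's indicators in local files and web proxy logs (added example)."""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# Indicators copied from the alert above. The URL is kept in its defanged form
# so the file can be pasted around without becoming clickable.
IOC_HASHES = {
    "md5": "579090062d15633c58d1e9a37444ee8f",
    "sha1": "27af4e30ca4fd382ae20214c8d777d89b82cb356",
    "sha256": "7b2adf1c8ff725d7dd61b0fdc3ef9e6e3a8bd1b744fd209290a1bf65f9b9acb4",
}
IOC_URLS_DEFANGED = [
    "http[:]//gbud[.]webd[.]pl/images/COVID-19-04-01-2020[.]IMG",
]

# Constructed sample proxy log lines (not real telemetry): one full-URL hit,
# one benign request, and one CONNECT to the IoC host with different casing.
SAMPLE_PROXY_LOG = [
    '2020-04-21T09:12:03Z 10.0.4.17 GET http://gbud.webd.pl/images/COVID-19-04-01-2020.IMG 200 "Mozilla/5.0"',
    '2020-04-21T09:12:09Z 10.0.4.17 GET https://www.example.com/ 200 "Mozilla/5.0"',
    '2020-04-21T09:13:44Z 10.0.4.22 CONNECT GBUD.WEBD.PL:443 200 "Mozilla/5.0"',
]


def refang(ioc: str) -> str:
    """Undo the usual defanging ([.] [:] hxxp) so an indicator can be matched."""
    s = ioc.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of an in-memory blob, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hash_file(path) -> dict:
    """Same three digests for a file, streamed so large files do not load into memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_hits(digests: dict, iocs: dict = IOC_HASHES) -> list:
    """Names of the algorithms whose digest equals the corresponding indicator."""
    return sorted(name for name, value in digests.items() if iocs.get(name) == value)


def scan_directory(root, iocs: dict = IOC_HASHES) -> list:
    """Walk a directory tree and return (path, [matching algorithms]) for IoC hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            algos = hash_hits(hash_file(p), iocs)
            if algos:
                hits.append((str(p), algos))
    return hits


def url_hits(log_lines, iocs=IOC_URLS_DEFANGED) -> list:
    """Log lines that contain an IoC URL or a bare reference to its host.

    The host pattern is anchored so that 'gbud.webd.pl' does not match inside
    an unrelated host such as 'notgbud.webd.pl'; case is ignored because proxies
    log host names as the client sent them.
    """
    urls = [refang(u).lower() for u in iocs]
    hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    host_re = re.compile(
        r"(?<![\w.-])(" + "|".join(map(re.escape, sorted(hosts))) + r")(?![\w-])", re.I
    )
    return [
        line for line in log_lines
        if any(u in line.lower() for u in urls) or host_re.search(line)
    ]


if __name__ == "__main__":
    for line in url_hits(SAMPLE_PROXY_LOG):
        print("proxy hit:", line)
    for path, algos in scan_directory("."):
        print("file hit:", path, algos)
```

`hash_hits` takes the indicator table as a parameter so the same code can be pointed at the next alert's hashes, and so it can be unit-tested against a file whose digests you control rather than the live sample.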