Severity: Medium
Analysis Summary
A recent campaign has been observed distributing the Ursnif banking Trojan and the GandCrab ransomware through fileless infection means. The main infection vector of both campaigns is malicious macro-embedded Word documents sent to potential victims via phishing emails. Ursnif, also known as Gozi, has been leveraged by threat actors targeting the financial sector since 2007 to steal credentials and other sensitive information. GandCrab, by contrast, is one of the more recently discovered ransomware families and has been used to extort millions of dollars.
Impact
Indicators of Compromise
URLs
Hash (MD5/SHA1/SHA256)
Remediation