April 19, 2024
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Threat Actors Targeting Banks Using Tools to Bypass Cyber Security Controls
March 6, 2019Rewterz Threat Advisory – IBM Security QRadar SIEM / Risk Manager Multiple Vulnerabilities
March 7, 2019Rewterz Threat Alert – Threat Actors Targeting Banks Using Tools to Bypass Cyber Security Controls
March 6, 2019Rewterz Threat Advisory – IBM Security QRadar SIEM / Risk Manager Multiple Vulnerabilities
March 7, 2019
Severity
Medium
Analysis Summary
The noticeable aspects of this specific campaign are the use of existing e-mail threads within compromised e-mail account to spread their malware, use of encrypted ZIP compressed archive to protect a malicious Word Document, and a polymorphic Ursnif payload- the hash of downloaded Ursnif payload changes regularly.
When the document is opened, the On-Open (AutoOpen) VBA/Macros triggers an encoded PowerShell command which downloads a binary – Decoded-PS-1.png in attachments.
Impact
Malware infection
Indicators of Compromise
URLs
- v73adrian79[.]company
- v73adrian79[.]company/hssuwpqksm/o.php?l=koagura9.bz2
- z50rvfhcasandra[.]com
- p26ui42annamarie[.]com
- gefren1267[.]band
Filename
Challenger.zip
Email Address
- support[@]thebloks[.]com
- soccernews[@]challenger-soccer[.]com
Malware Hash (MD5/SHA1/SH256)
- 324dabe55bdbc0e4b13e16a258483a76
- d6d0d94c72b187a7d3fc39eef4301c20fe2dd34f
- f638665a11098a4da5849264c80a083bd4e278e6d7874d7e55ec13d8048aee02
- bbd7c5a469a65ca1102888b1bd47f5f6
- 6b49c392ce88a750e40571784f42e9f2226e8e29
- 48a99d007f50db9e00f64cc4176618c619af0c48eab602c833db4277d4b215c7
- 1b23d8e7b0fd32f85c7ba26d9c193cd1
- 562067d3ff65d065e7a68102d3c6692e9670d64f
- 249712f0652990a9dfa40e58399a01cc8b3954462c04f4d34d81d599b5b75f69
Remediation
- Block threat indicators at your respective controls.
- Always be suspicious of the emails sent by unknown senders.
- Never click on the link/ attachments given on the link sent by unrecognized senders.