Malspam was observed on January 12th 2018 delivering Ursnif (AKA Gozi). Ursnif is a Banking Trojan that was discovered in 2007. Originally it was targeting banking wire systems in English speaking countries. In the past decade, its list of target countries expanded and its capabilities evolved. In addition to stealing banking credentials, Ursnif can now collect user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites .
In October 2017, security researchers took notice of a new Ursnif spam campaign . The actors behind this campaign developed their macros to run when the document is closed. Sandbox technologies might miss this behavior and it could prove to be a simple yet effective evasion technique.
On NetWitness Packets, first there is a DNS request to what looks like a DGA delivery domain. Notice the large number of answers in the DNS response:
Next, an HTTP GET request to retrieve a script from the domain:
Here is a better look at the downloaded script:
The script reaches out to the same domain in order to download an executable. Notice the usage of PFX file extension and the absence of many headers in the HTTP GET request:
VirusTotal scan results indicate that the binary is an Ursnif variant.
Once the download is complete and the malware is executed, it checks in with the same domain:
Here is a recap of the network activity:
More information about the recent Ursnif variants can be found in this Malware Breakdown blog post.
Delivery document (SHA256):
Ursnif binary (SHA256):