For the past two weeks or so, I hadn't found any malspam using password-protected zip archives containing Word documents with macros for Ursnif. However, on Tuesday 2020-02-11, malspam from this campaign resumed. This time, it used Italian-language Word documents with macros for Ursnif. @reecdeep started a Twitter thread with some of the details (link).
Today’s diary has a quick review of an infection from this campaign from Tuesday 2020-02-11.
Finding the associated Word documents
I searched VirusTotal Enterprise using the following criteria and found at least 66 password-protected zip archives containing the file info_02_11.doc from Tuesday 2020-02-11:
None of the associated emails had been submitted to VirusTotal, so I had to guess at the password. Several of these zip archives used 111 as the password. One of them used 222 as the password. The example I used for an infection had 333 as the password.
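The password guessing described above can be scripted. The following is an added example, not code from the diary: it tries a short candidate list against a password-protected zip, extracts whatever entry decrypts, and triages the result by magic bytes. It assumes the archive uses the legacy PKWARE "ZipCrypto" scheme, which Python's standard zipfile module can read (WinZip AES-encrypted archives would need a third-party library). Because zipfile cannot write encrypted archives, the block includes a small ZipCrypto encryptor whose only purpose is to construct a test archive offline; the sample document bytes, the file name and the candidate passwords are constructed from the values mentioned in the text.

```python
import io
import os
import struct
import zipfile
import zlib

# Traditional PKWARE ("ZipCrypto") stream cipher.  Python's zipfile can read
# entries encrypted this way but cannot write them, so the encryptor below is
# used only to construct a test archive offline.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc, ch):
    return _CRC_TABLE[(crc ^ ch) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for ch in password:
            self._update(ch)

    def _update(self, ch):
        self.k0 = _crc32_byte(self.k0, ch)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for ch in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(ch ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(ch)  # the key state advances on the plaintext byte
        return bytes(out)


def build_zipcrypto_zip(name, data, password):
    """Build a one-entry, stored (uncompressed) zip whose entry is encrypted
    with ZipCrypto.  Used here only as a constructed test fixture."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the high byte of the
    # CRC, which is the one-byte password check readers perform first.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncryptor(password).encrypt(header + data)
    dos_time, dos_date = 0, ((2020 - 1980) << 9) | (2 << 5) | 11
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dos_time,
                        dos_date, crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def try_passwords(zip_bytes, candidates):
    """Return (password, {name: bytes}) for the first candidate that decrypts
    every entry, else None.  Reading the whole entry matters: the header
    check is a single byte, so roughly 1 wrong password in 256 passes it and
    is only rejected by zipfile's CRC-32 check on the decrypted content."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidates:
            try:
                contents = {n: zf.read(n, pwd=pwd.encode()) for n in zf.namelist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # bad password (RuntimeError) or CRC mismatch
            return pwd, contents
    return None


def classify_payload(data):
    """Rough triage of an extracted attachment by magic bytes."""
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"  # legacy binary Office file such as a .doc with VBA
    if data.startswith(b"PK\x03\x04"):
        return "zip"   # OOXML (.docm/.docx) or a nested archive
    return "unknown"


# Constructed fixture: an OLE2 magic header plus padding stands in for the
# real info_02_11.doc, which is not reproduced here.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
SAMPLE_ZIP = build_zipcrypto_zip(b"info_02_11.doc", SAMPLE_DOC, b"333")
CANDIDATES = ["111", "222", "333"]  # passwords observed across this campaign


def demo():
    hit = try_passwords(SAMPLE_ZIP, CANDIDATES)
    if hit is None:
        return None
    pwd, files = hit
    return pwd, {n: classify_payload(d) for n, d in files.items()}


if __name__ == "__main__":
    print(demo())  # ('333', {'info_02_11.doc': 'ole2'})
```

To use this against a real sample, replace SAMPLE_ZIP with the bytes of the archive and extend CANDIDATES with whatever the campaign's emails or lures suggest; run it only on an isolated analysis host, since the extracted document carries the malicious macro.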
Infection traffic was typical of what I've seen from this campaign.
Indicators of Compromise (IoCs)
Traffic from an infected Windows host:
- 194.61.2[.]16 port 80 – qr12s8ygy1[.]com – GET /khogpfyc8n/215z9urlgz.php?l=xubiz8.cab
- port 443 – settings-win.data.microsoft.com – HTTPS traffic (not inherently malicious)
- 95.169.181[.]35 port 80 – lcdixieeoe[.]com – GET /images/[long string of characters].avi
- 45.141.103[.]204 port 443 – q68jaydon3t[.]com – HTTPS/SSL/TLS traffic caused by Ursnif
Malware from an infected Windows host:

- File size: 63,761 bytes
- File name: Genial.zip
- File description: Password-protected zip archive (password: 333)

- File size: 70,429 bytes
- File name: info_02_11.doc
- File description: Word doc with macro for Ursnif

- File size: 3,605 bytes
- File location: C:\Windows\Temp\a6c9p.xsl
- File description: XSL file dropped by Word macro

- File size: 188,416 bytes
- File location: hxxp://qr12s8ygy1[.]com/khogpfyc8n/215z9urlgz.php?l=xubiz8.cab
- File location: C:\Windows\Temp\aVQl7d.dll
- File description: Ursnif binary retrieved using XSL file
A pcap of the infection traffic along with the associated malware can be found here.
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.