2018-11-08 - THREE RECENT INFECTIONS FROM MALSPAM PUSHING URSNIF

ASSOCIATED FILES:

  • 2018-11-05-Ursnif-infection-with-Nymaim.pcap   (1,791,662 bytes)
  • 2018-11-07-Ursnif-infection.pcap   (1,013,374 bytes)
  • 2018-11-08-Ursnif-infection-with-IcedID-banking-Trojan.pcap   (2,078,123 bytes)
  • 2018-11-08-Ursnif-malspam-example-1208-UTC.eml   (147,476 bytes)
  • 2018-11-05-Nymaim-caused-by-Ursnif-infection.exe   (836,800 bytes)
  • 2018-11-05-Ursnif-malware-binary.exe   (356,864 bytes)
  • 2018-11-05-attached-Word-doc-with-macro-for-Ursnif.doc   (78,336 bytes)
  • 2018-11-07-Ursnif-binary.exe   (439,808 bytes)
  • 2018-11-07-attached-Word-doc-with-macro-for-Ursnif.doc   (80,384 bytes)
  • 2018-11-08-IcedID-banking-Trojan-caused-by-Ursnif-infection.exe   (406,016 bytes)
  • 2018-11-08-Registry-entries-on-infected-Windows-host.txt   (10,400,382 bytes)
  • 2018-11-08-Ursnif-malware-binary.exe   (276,992 bytes)
  • 2018-11-08-attached-Word-doc-with-macro-for-Ursnif.doc   (99,328 bytes)

NOTES:

Shown above:  Flow chart for recent Ursnif malspam.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URL:

EMAILS


Shown above:  Example of an email for Ursnif malspam, sanitized, with a lot of information removed (redacted).

Shown above:  The attached Word document needs macros enabled to start an infection chain.

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

TRAFFIC CAUSED BY WORD MACRO RETRIEVING URSNIF EXE:

URSNIF INFECTION TRAFFIC:

ICEDID TRAFFIC:

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

IMAGES


Shown above:  Macro from attached Word doc retrieves Ursnif malware binary.

Shown above:  Example of HTTP traffic caused by the Ursnif example on 2018-11-08.

Shown above:  Example of HTTPS/SSL/TLS traffic caused by the Ursnif example on 2018-11-08.

Shown above:  The Ursnif-infected Windows host retrieves follow-up malware (in this case IcedID).

Shown above:  HTTP traffic caused by the follow-up malware, IcedID, on 2018-11-08.

Shown above:  Example of HTTPS/SSL/TLS traffic caused by IcedID on 2018-11-08.

Shown above:  Another example of HTTPS/SSL/TLS traffic caused by IcedID on 2018-11-08.

Shown above:  IcedID persists on the infected Windows host through a scheduled task.

Shown above:  Registry entries on the infected Windows host that I assume were caused by Ursnif.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
