2020-06-10 - URSNIF (GOZI/IFSB) INFECTION WITH URSNIF VARIANT

ASSOCIATED FILES:

  • 2020-06-10-Ursnif-with-Ursnif-IOCs.txt   (7,519 bytes)
  • 2020-06-10-Ursnif-with-Ursnif-infection-traffic.pcap   (5,419,771 bytes)
  • 2020-06-10-additional-registry-updates-after-followup-Ursnif.txt   (5,615,006 bytes)
  • 2020-06-10-initial-registry-updates-Ursnif.txt   (5,614,256 bytes)
  • 40958169.dat   (258,048 bytes)
  • 93296.exe   (4,268,544 bytes)
  • rule-06.20.doc   (118,766 bytes)

NOTES:

IMAGES


Shown above:  Malspam from this campaign spoofs legitimate email chains.


Shown above:  Screenshot of a Word doc extracted from one of the password-protected zip archives first seen on 2020-06-10.


Shown above:  Traffic from an infection filtered in Wireshark.


Shown above:  Initial malware, a DLL for Ursnif (Gozi/IFSB).


Shown above:  Follow-up malware, an EXE for an Ursnif variant.


Shown above:  Registry updates caused by both Ursnif malware samples.
