2020-03-18 - GERMAN MALSPAM PUSHES URSNIF (GOZI/IFSB)

NOTICE:

ASSOCIATED FILES:

  • 2020-03-18-Ursnif-IOCs.txt   (1,812 bytes)
  • 2020-03-18-example-of-German-malspam-pushing-Ursnif.eml   (57,701 bytes)
  • 2020-03-18-Ursnif-infection-from-German-malspam-attachment.pcap   (1,049,377 bytes)
  • 2020-03-18-Ursnif-DLL-retrieved-by-Word-macro.bin   (870,400 bytes)
  • 2020-03-18-Word-doc-with-macro-for-Ursnif.bin   (68,096 bytes)
  • 2020-03-18-password-protected-zip-archive-for-Ursnif-password-111.zip   (40,243 bytes)
  • 2020-03-18-regsitry-update-caused-by-Ursnif.txt   (4,630,804 bytes)

NOTES:

 

IMAGES (not reproduced here; captions only):

  • Image 1:  Screenshot of an example of malspam from today's wave.
  • Image 2:  Word document extracted from the password-protected zip archive.
  • Image 3:  Traffic from an infection filtered in Wireshark.
  • Image 4:  Ursnif DLL retrieved by the Word macro.
  • Image 5:  Registry updates to keep Ursnif persistent on an infected Windows host.
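The artifact chain listed above (malspam .eml, password-protected zip with password 111, Word document with macro) can be triaged without opening anything in Word. The script below is an added example and is not code from this page or from the malware-traffic-analysis author: it pulls zip attachments out of an .eml, opens each archive with the password taken from the archive file name on this page, and reports size, SHA-256 and a heuristic "does this look like a macro-bearing Word document" verdict for every member. The sample message it builds (sender, subject, "Rechnung.docm" name, minimal .docm-shaped container) is constructed for the demonstration and is not the real 2020-03-18 e-mail; the macro check is a heuristic assumption, not a full VBA parser. Standard library only.

```python
"""Added triage helper (not from the original page): extract the zip attachment from
a malspam .eml, open it with the password shown in this page's archive name (111),
and hash plus macro-check the document inside.  The sample message is constructed."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_PASSWORD = b"111"            # from the archive file name listed on this page
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def extract_zip_attachments(raw_eml: bytes):
    """Return [(filename, bytes)] for every zip attachment in the message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the content, not only the extension: malspam often mislabels attachments.
        if name.lower().endswith(".zip") or payload.startswith(ZIP_MAGIC):
            found.append((name, payload))
    return found


def looks_like_macro_document(data: bytes) -> bool:
    """Heuristic (assumption, not a full VBA parser): an OOXML .docm carries
    word/vbaProject.bin; a legacy OLE2 .doc with macros has a 'Macros' storage and a
    '_VBA_PROJECT' stream, whose names sit in the directory sectors as UTF-16LE."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                return "word/vbaProject.bin" in inner.namelist()
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE2_MAGIC):
        return any(n.encode("utf-16-le") in data for n in ("_VBA_PROJECT", "Macros"))
    return False


def inspect_zip(zip_bytes: bytes, password: bytes = ZIP_PASSWORD):
    """Read every member (decrypting when the entry's encryption flag is set) and
    report name, size, SHA-256 and whether it looks like a macro-bearing Word file."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # General-purpose bit 0 marks traditional PKWARE (ZipCrypto) encryption.
            encrypted = bool(info.flag_bits & 0x1)
            with zf.open(info, pwd=password) as fh:   # pwd is ignored for plain entries
                data = fh.read()
            report.append({
                "name": info.filename,
                "encrypted": encrypted,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "macro_document": looks_like_macro_document(data),
            })
    return report


def build_sample_eml() -> bytes:
    """Constructed sample: a German-language lure with an unencrypted zip holding a
    minimal .docm-shaped container.  Not the real 2020-03-18 message."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Rechnung.docm", doc.getvalue())
    msg = EmailMessage()
    msg["From"] = "buchhaltung@example.invalid"
    msg["To"] = "empfaenger@example.invalid"
    msg["Subject"] = "Ihre Rechnung"
    msg.set_content("Sehr geehrte Damen und Herren,\nanbei die Rechnung. Passwort: 111")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="Rechnung.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, blob in extract_zip_attachments(build_sample_eml()):
        print(name)
        for entry in inspect_zip(blob):
            print("  ", entry)
```

To run it against the real artifacts, read the .eml from disk and pass its bytes to extract_zip_attachments(), or pass the zip bytes straight to inspect_zip(). Python's zipfile only understands traditional ZipCrypto; an archive using WinZip AES (compression method 99) raises NotImplementedError and needs 7-Zip or a third-party library instead.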

 
