Discover and read the best of Twitter Threads about #ursnif
Most recents (4)
Ursnif Loader (Javascript) - Manual Decoding Using Cyberchef
[1/13] 👇🧵
#Cyberchef #Decoding #Ursnif #Malware
[1/13] 👇🧵
#Cyberchef #Decoding #Ursnif #Malware
[1.1] A quick summary/TLDR before we get started
- Remove comments (manually or using regex)
- Remove "split" strings (manually or using regex)
- Remove obfuscated numbers
- (optional) Rename Variables
- Apply beautifier and syntax highlight
- Remove comments (manually or using regex)
- Remove "split" strings (manually or using regex)
- Remove obfuscated numbers
- (optional) Rename Variables
- Apply beautifier and syntax highlight
[2] First, I downloaded the sample from Malware Bazaar and loaded it into a safe analysis VM.
You can find the same sample here
bazaar.abuse.ch/sample/2a72302…
You can find the same sample here
bazaar.abuse.ch/sample/2a72302…
1/ DEV-0569, current distribution via #GoogleAds.
1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥
(No more BatLoader in the infection chain)
1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥
(No more BatLoader in the infection chain)
2/ For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), #NSudo to launch binaries with full privileges and #GnuPG to encrypt the payloads.
Initial MSI file has 0 hits in VT.
Initial MSI file has 0 hits in VT.
3/ All payloads are hosted on @Bitbucket, in a repository that was created in August 2022.
In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.
ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).
In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.
ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).
1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys:
1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥
1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥
2/ For initial deployment they use NirCmd, NSudo and GnuPG (to encrypt payloads) among other utilities.
* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'
* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'
3/ The websites are boosted through SEO poisoning and impersonate brands such as @Zoom, @TeamViewer, @anydesk, @LogMeIn, @CCleaner, #FileZilla and #Winrar among others.
/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com
/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com
#malspam with #Ursnif
Sender: papanas@nimbra-solutions.eu
URL(http): /moodswingmusic.io/wp-content/uploads/2019/07/reds2.html
GET: /intrade-support.at:80
Callback: 66.181.168.248:80
VT: virustotal.com/gui/file/0188b…
@HazMalware
@executemalware @neonprimetime @James_inthe_box
Sender: papanas@nimbra-solutions.eu
URL(http): /moodswingmusic.io/wp-content/uploads/2019/07/reds2.html
GET: /intrade-support.at:80
Callback: 66.181.168.248:80
VT: virustotal.com/gui/file/0188b…
@HazMalware
@executemalware @neonprimetime @James_inthe_box
All DNS queries:
/powerprivat.ru
/myip.opendns.com
/trading-secrets.ru
/resolver1.opendns.com
/vaslbnt.ru
/intrade-support.at
/powerprivat.ru
/myip.opendns.com
/trading-secrets.ru
/resolver1.opendns.com
/vaslbnt.ru
/intrade-support.at
@cyb3rops
Same factura.js file with your comment in VT.
Same factura.js file with your comment in VT.
