

Severity
High
Analysis Summary
The Ursnif banking trojan, also known as Gozi and Dreambot, has been around for more than 10 years. It gained popularity in 2015 when its source code was published on GitHub, and since then its operators have repeatedly tweaked it to suit their goals. It mainly attacks banks and other financial institutions. As banking security has hardened and more customers have moved to mobile banking apps, attackers have switched to using trojans such as Ursnif to steal other types of data, including email configurations, as well as credentials and passwords stored in web browsers and even digital wallets. Threat actors use different techniques to lure a victim. In many cases, a phishing email containing a malicious attachment, typically an Excel spreadsheet, is sent to the victim. If the victim clicks the “Enable Content” button, they do not see the spreadsheet; instead, an embedded macro containing PowerShell commands runs, and that is how the infection begins to unfold.
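As an added example (not part of the Rewterz advisory), the Python below flags the infection chain described above, Excel spawning PowerShell after a macro is enabled, in simplified Sysmon process-creation records; the event fields, host names, paths and command lines are constructed, and the command-line cues are an assumption rather than indicators from the advisory.

```python
"""Detect the delivery chain the advisory describes: Excel, after "Enable Content",
running a macro that launches PowerShell. Added example, not part of the advisory.
Records are simplified Sysmon Event ID 1 (process creation) fields as JSON lines."""
import json

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Command-line cues common to macro-launched loaders (assumed, not taken from the page).
SUSPICIOUS_ARGS = ("-enc", "downloadstring", "iex", "-w hidden", "bypass")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; 0 means nothing to report."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"{parent} spawned {child}")  # the chain itself is the primary signal
        reasons += [f"command line contains {cue!r}" for cue in SUSPICIOUS_ARGS if cue in cmdline]
    return len(reasons), reasons

def detect(jsonl: str) -> list[dict]:
    """One alert per suspicious event, highest score first."""
    alerts = []
    for line in filter(None, map(str.strip, jsonl.splitlines())):
        event = json.loads(line)
        score, reasons = score_event(event)
        if score:
            alerts.append({"time": event.get("UtcTime"), "host": event.get("Computer"),
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

# Constructed sample telemetry (not real events): benign Excel launch, macro-to-PowerShell
# chain, PowerShell from a non-Office parent, and an Office-spawned script with no cues.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2022-02-23 09:01:02", "Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE, "CommandLine": "EXCEL.EXE invoice.xls"},
    {"UtcTime": "2022-02-23 09:01:09", "Computer": "WS01", "ParentImage": OFFICE,
     "Image": PS, "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"UtcTime": "2022-02-23 09:05:40", "Computer": "WS02", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": PS, "CommandLine": "powershell.exe -enc QQBCAEMA"},
    {"UtcTime": "2022-02-23 09:07:13", "Computer": "WS03", "ParentImage": OFFICE,
     "Image": PS, "CommandLine": r"powershell.exe -NoProfile -File C:\Reports\monthly.ps1"},
])

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

The parent/child relationship is what carries the detection; the command-line cues only raise the score, so an encoded command launched by a non-Office parent is left for other rules rather than attributed to this chain.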
Impact
- Information Theft
- Financial Loss
- Exposure of Sensitive Information
Indicators of Compromise
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.