
Rewterz Threat Alert – URSNIF and GOZI Delivery via Excel Macro 4.0

Severity

High

Analysis Summary

Beginning in January 2020, a campaign was detected that employs advanced obfuscation to evade detection. Because the malicious code lives in hidden Microsoft Excel sheets, many detection engines fail to flag the document. The documents are believed to be delivered via social-engineering emails. Once the victim is persuaded to enable editing and enable content, the macros on the hidden sheets execute a WinAPI function to download the next-stage malware.


The macro worksheet is heavily obfuscated and begins with a long chain of “RUN” commands that eventually ends in more interesting commands such as “CALL” and “EXEC”.

The macro calls a Win32 API function to download the next stage.
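The hidden-macro-sheet trick described above can be checked for directly in a legacy .xls file: every sheet is declared by a BOUNDSHEET record in the Workbook stream, which carries both the sheet's visibility state and whether it is an Excel 4.0 macro sheet. The following scanner is an added example, not Rewterz's code or tooling; it assumes the raw Workbook stream has already been extracted from the OLE2 container (for instance with olefile's `openstream('Workbook').read()`), covers BIFF8 .xls only, and runs here against a constructed stream rather than a real sample. It lists all sheets, which goes slightly beyond the text, and then flags the combination the campaign relies on.

```python
import struct

# BIFF record ids and field decodings per the MS-XLS specification (BIFF8).
BOUNDSHEET = 0x0085
BOF, EOF = 0x0809, 0x000A
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VB module"}


def iter_biff_records(stream: bytes):
    """Walk a Workbook stream, yielding (record_id, payload) for each BIFF record."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        yield rec_id, stream[pos + 4:pos + 4 + length]
        pos += 4 + length


def parse_boundsheet(data: bytes) -> dict:
    """Decode BOUNDSHEET: lbPlyPos, hsState (low 2 bits), dt, then a ShortXLUnicodeString name."""
    offset, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", data, 0)
    raw = data[8:]
    name = raw[:cch * 2].decode("utf-16-le") if flags & 0x01 else raw[:cch].decode("latin-1")
    return {"name": name, "visibility": VISIBILITY.get(hs_state & 0x03, "unknown"),
            "type": SHEET_TYPE.get(dt, "unknown"), "offset": offset}


def list_sheets(stream: bytes) -> list:
    return [parse_boundsheet(d) for rid, d in iter_biff_records(stream) if rid == BOUNDSHEET]


def find_hidden_macro_sheets(stream: bytes) -> list:
    """Excel 4.0 macro sheets that are hidden or very hidden: the pattern this campaign relies on."""
    return [s for s in list_sheets(stream)
            if s["type"] == "macro sheet" and s["visibility"] != "visible"]


# --- constructed sample Workbook stream (not a real malware sample) ---
def biff_record(rec_id: int, data: bytes) -> bytes:
    return struct.pack("<HH", rec_id, len(data)) + data


def boundsheet_record(name: str, hs_state: int, dt: int) -> bytes:
    nm = name.encode("latin-1")
    return biff_record(BOUNDSHEET, struct.pack("<IBBBB", 0, hs_state, dt, len(nm), 0) + nm)


SAMPLE_WORKBOOK = (biff_record(BOF, b"\x00" * 16)          # BOF payload is irrelevant here
                   + boundsheet_record("Sheet1", 0, 0x00)   # visible worksheet the victim sees
                   + boundsheet_record("Macro1", 2, 0x01)   # very hidden XLM macro sheet
                   + biff_record(EOF, b""))

if __name__ == "__main__":
    for s in find_hidden_macro_sheets(SAMPLE_WORKBOOK):
        print(f"suspicious: {s['visibility']} {s['type']} {s['name']!r} at offset {s['offset']}")
```

A hit is a strong triage signal, not proof of malice: the sheet's formulas still have to be inspected (for example with olevba) to confirm the RUN/CALL/EXEC chain.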

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

SHA1


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails from unknown senders.
  • Never click on links or open attachments sent by unknown senders.