Australian Health Insurance-Themed Spam Spreads Ursnif
Analysis and Insights by Monte De Jesus
Trend Micro researchers encountered a spam campaign referencing the Australian health insurance brand Medicare. The attachment, which Trend Micro detects as Trojan.X97M.URSNIF.THDAEBO, downloads the malicious file (detected as TrojanSpy.Win32.URSNIF.THDAEBO). The campaign aims to spread the spyware Ursnif, also known as Gozi.
The email headers pertain to payment transactions with the words “Statement,” “Invoice,” or “Transaction,” and include a supposed transaction number:
The email contains an attached encrypted spreadsheet (.xls) file (detected by Trend Micro as Trojan.X97M.URSNIF.THDAEBO) that uses “Medicare” in its file names, as listed below:
Figure 1. Healthcare-Themed Spam Attachment
This trojan accesses the website hxxps://www.{BLOCKED}contracting.com/ray/pom.php. It then downloads a malicious file (Ursnif) from the site and saves it using the name %All Users Profile%\qmbvlcq.exe (detected as TrojanSpy.Win32.URSNIF.THDAEBO).
This malicious file steals the following data, which can possibly be abused for further attacks:
The file then sends the information via HTTP POST to the following URL:
Earlier this year, Ursnif was spotted in another campaign targeting users in Japan.
Threat actors use current affairs such as the Covid-19 outbreak in their social engineering strategies to bait even the most careful email users. Spam campaigns can propagate malicious files such as Ursnif and other types of malware and even ransomware. Users can defend against these threats by following these best practices:
The following Trend Micro solutions for email-based threats are recommended for a more proactive defense against spam:
URLs
SHA-256 | Trend Micro Pattern Detection |
35a5cb85a5fbea3fdbd568aacedca42c4488877c1c2ee479fe21c1534e070866 | TrojanSpy.Win32.URSNIF.THDAEBO |
3f713f94f2c6c981a93cc9e01894da2da3a144829093619eb960f469e245fa17 | Trojan.X97M.URSNIF.THDAEBO |
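The following triage check is an added example, not part of the original Trend Micro write-up. It combines the indicators reported above (the two SHA-256 values and the drop path %All Users Profile%\qmbvlcq.exe) with a behavioural rule that still fires when the hash or file name differs. The event field names, the mapping of %All Users Profile% to C:\ProgramData, the Office process list, and the sample events are assumptions constructed for illustration.

```python
import ntpath

# SHA-256 values copied from the indicator table on this page.
PAYLOAD_SHA256 = "35a5cb85a5fbea3fdbd568aacedca42c4488877c1c2ee479fe21c1534e070866"
DROPPER_SHA256 = "3f713f94f2c6c981a93cc9e01894da2da3a144829093619eb960f469e245fa17"
IOC_SHA256 = {
    PAYLOAD_SHA256: "TrojanSpy.Win32.URSNIF.THDAEBO",
    DROPPER_SHA256: "Trojan.X97M.URSNIF.THDAEBO",
}
DROP_NAME = "qmbvlcq.exe"  # file name reported on this page
# Assumption: %All Users Profile% resolves to C:\ProgramData on current Windows.
DROP_DIR = r"c:\programdata"
# Assumption: the macro runs inside an Office process that writes the file itself.
OFFICE_IMAGES = {"excel.exe", "winword.exe"}

def triage(event):
    """Return the reasons a file-creation event matches this campaign."""
    reasons = []
    target = event.get("TargetFilename", "").lower()
    writer = ntpath.basename(event.get("Image", "")).lower()
    digest = event.get("SHA256", "").lower()
    if digest in IOC_SHA256:
        reasons.append("ioc-hash:" + IOC_SHA256[digest])
    # Behavioural check: an .exe written directly into the All Users root.
    if ntpath.dirname(target) == DROP_DIR and target.endswith(".exe"):
        if writer in OFFICE_IMAGES:
            reasons.append("office-wrote-exe-to-all-users-root")
        if ntpath.basename(target) == DROP_NAME:
            reasons.append("ioc-filename")
    return reasons

# Constructed sample events (hypothetical field names, not real telemetry).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EVENTS = [
    {"Image": EXCEL, "TargetFilename": r"C:\ProgramData\qmbvlcq.exe",
     "SHA256": PAYLOAD_SHA256},
    {"Image": EXCEL, "TargetFilename": r"C:\ProgramData\kd83x.exe",
     "SHA256": "0" * 64},  # different name and hash, same behaviour
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Vendor\updater.exe", "SHA256": "1" * 64},
    {"Image": EXCEL, "TargetFilename": r"C:\Users\a\Documents\claims.xlsx",
     "SHA256": "2" * 64},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["TargetFilename"], "->", triage(ev) or "no match")
```

The second sample event shows why the behavioural rule matters: it matches neither the listed hash nor the listed file name, yet is still flagged.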