Sunday, 3 November 2019

Fresh Ursnif (GOZI/ ISFB) campaign

Some Russian campaign running over leaked email addresses is spreading different kinds of malware. Today a fresh Ursnif sample arrived on Yahoo mail with 0 detections.
The domain used for my email was inactive and there was no file for download, but I found it somewhere else.
In the pictures below you will find the research steps:
It was easy to find a sample of the malware by searching for its SHA256 (d6c0ca87f712c0633eab5ac020ceaad2e256cd3251808ce7c7b45faf4042123e) on Google.
The .zip file is detected, and this may be an advantage for users IF they are using an antivirus that has this sample in its database… but that is another discussion…
At this moment VirusTotal says 18/57.. so it is going to get better in a few hours.
Now.. extracting them one by one, we get a well-encrypted malware named Ursnif (GOZI/ ISFB). This malware tries to steal banking credentials from its victims, and the attacker may gain access to the system.
I will not explain the whole process at this time, but you will find the way to do that in the recent post I've made:
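The triage steps above (hash the attachment, look the hash up, unpack the archive and see what kind of dropper is inside) can be done safely without ever running the script. The following Python is an added example written for this post, not the author's tooling: it hashes a zip attachment, compares it against a small IoC list seeded with the SHA256 quoted above, and lists each member with its own hash, flagging script-type droppers such as the .js file in this campaign. The extension list and the size cap are my own assumptions; the sample archives are constructed in memory so the script runs offline.

```python
import hashlib
import io
import zipfile

# IoC list seeded with the SHA256 quoted in the post; extend from your own feeds.
KNOWN_BAD_SHA256 = {
    "d6c0ca87f712c0633eab5ac020ceaad2e256cd3251808ce7c7b45faf4042123e",
}

# Assumed list of script extensions commonly used as mail-borne droppers.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

# Assumed cap so a decompression bomb cannot exhaust memory during triage.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, the form you paste into VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a zip attachment without executing any member.

    Returns the archive hash, whether it matches a known IoC, a record per
    member (name, size, hash, script flag, IoC match) and an overall verdict.
    """
    archive_hash = sha256_hex(zip_bytes)
    members = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            record = {
                "name": info.filename,
                "size": info.file_size,
                "sha256": None,
                "script": info.filename.lower().endswith(SCRIPT_EXTENSIONS),
                "known_bad": False,
                "oversized": info.file_size > MAX_MEMBER_BYTES,
            }
            # Only read members under the cap; oversized ones are reported, not unpacked.
            if not record["oversized"]:
                data = zf.read(info.filename)
                record["sha256"] = sha256_hex(data)
                record["known_bad"] = record["sha256"] in KNOWN_BAD_SHA256
            members.append(record)

    suspicious = (
        archive_hash in KNOWN_BAD_SHA256
        or any(m["script"] or m["known_bad"] or m["oversized"] for m in members)
    )
    return {
        "archive_sha256": archive_hash,
        "archive_known_bad": archive_hash in KNOWN_BAD_SHA256,
        "members": members,
        "suspicious": suspicious,
    }


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed stand-in for the campaign attachment: a zip holding a .js file."""
    return build_zip({"invoice.js": b"// constructed placeholder, not the real dropper\n"})


def build_benign_zip() -> bytes:
    """Constructed benign archive for comparison."""
    return build_zip({"notes.txt": b"plain text, nothing to run\n"})


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        result = triage_zip(blob)
        print(f"{label}: archive sha256={result['archive_sha256']} suspicious={result['suspicious']}")
        for m in result["members"]:
            print(f"  {m['name']} size={m['size']} sha256={m['sha256']} script={m['script']}")
```

Run it against a real attachment by reading the file's bytes and passing them to `triage_zip`; the per-member hashes are what you submit to VirusTotal or search for, and a `script` flag on an archive from an unexpected sender is enough to quarantine the mail before anyone double-clicks.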
https://www.prodefence.org/malware-analysis-gozi-ifsb-bank-trojan-aka-ursnif/
Useful links:
Urlscan with samples
VirusTotal .zip
VirusTotal .js
VirusTotal .bin