2019-05-03 - QUICK POST: (GOZI/ISFB) URSNIF INFECTIONS WITH DRIDEX OR NYMAIM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2019-04-29-Word-docs-with-macro-for-Ursnif-all-named-info_04.29_doc.zip   787 kB (787,244 bytes)
• 2019-04-30-Word-docs-with-macro-for-Ursnif-all-named-info_04.30_doc.zip   913 kB (913,255 bytes)
• 2019-05-01-Word-docs-with-macro-for-Ursnif-all-named-info_05.01_doc.zip   1.1 MB (1,119,873 bytes)
• 2019-05-02-Word-docs-with-macro-for-Ursnif-all-named-info_05.02_doc.zip   1.2 MB (1,155,389 bytes)
• 2019-05-03-Word-docs-with-macro-for-Ursnif-all-named-info_05.03_doc.zip   629 kB (629,082 bytes)

• 2019-05-01-Ursnif-infection-with-Dridex.pcap.zip   862 kB (862,193 bytes)

• 2019-05-03-Ursnif-infection-with-Nymaim.pcap.zip   8.3 MB (8,317,054 bytes)
• 2019-05-03-Ursnif-and-Nymaim-malware-and-artifacts.zip   5.7 MB (5,670,809 bytes)

NOTES:

• This is a data dump for activity from malspam with attached Word docs that have macros for Ursnif.
• I most often see Dridex as the follow-up malware for Gozi/ISFB (Ursnif), but today (Friday) I saw Nymaim as the follow-up malware.
• I searched VirusTotal Intelligence for Word docs with macros for Ursnif this week, which I've included with this blog post.

 

Click here to return to the main page.