2019-07-29 - GOZI/ISFB (URSNIF) INFECTION WITH PUSHDO
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2019-07-29-DHL-themed-Ursnif-malspam-examples.zip 195 kB (194,702 bytes)
- 2019-07-29-Ursnif-infection-with-Pushdo.pcap.zip 6.5 MB (6,519,413 bytes)
- 2019-07-29-Ursnif-and-Pushdo-malware-and-artifacts.zip 2.5 MB (2,479,505 bytes)
- 2019-07-29-Ursnif-with-Pushdo-IOCs.txt.zip 1 kB (1,040 bytes)
NOTES:
- First saw info about the malspam from this tweet.
Screenshot (image not included): Infection traffic filtered in Wireshark.
Screenshot (image not included): Fiddler shows info on the HTTPS traffic generated by the spreadsheet macro.
Screenshot (image not included): Filtering for spambot traffic in the pcap.
Screenshot (image not included): One of the emails sent out from my newly-infected host (part 1 of 2).
Screenshot (image not included): One of the emails sent out from my newly-infected host (part 2 of 2).
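The spambot screenshot above was produced by filtering the pcap by hand in Wireshark. The script below is an added example, not code from this page or from the pcap's author, of doing the same triage offline: it parses a libpcap file in pure Python, pulls out bare TCP SYNs, and flags any source that opens connections to many distinct SMTP servers (ports 25, 465, 587), which is what a Pushdo-style spambot looks like from the network side. The traffic, the host addresses (10.7.29.x, 198.51.100.x, 203.0.113.10, 192.0.2.25) and the threshold of five servers are all constructed for the example and are not taken from the capture on this page; point `smtp_destinations` at the real pcap bytes to run it against that capture.

```python
"""Flag hosts that behave like a spambot: many outbound SMTP SYNs to distinct
servers.  Pure-Python libpcap parsing, so it runs offline.  The sample traffic
built at the bottom is constructed for this example, not from the real pcap."""
import struct
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def tcp_syn_frame(src_ip, dst_ip, sport, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame; checksums left zero (parsing only)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | TCP_SYN, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file (little-endian magic, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1564358400 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw link-layer frames from a libpcap file (micro- or nanosecond magic)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_syn_fields(frame):
    """Return (src_ip, dst_ip, sport, dport) for a bare SYN (no ACK), else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = struct.unpack("!H", tcp[12:14])[0] & 0x1FF
    if flags & TCP_SYN and not flags & TCP_ACK:
        return src, dst, sport, dport
    return None


def smtp_destinations(pcap):
    """Map each source IP to the set of (dst_ip, port) SMTP servers it tried to reach."""
    dests = defaultdict(set)
    for frame in iter_frames(pcap):
        syn = tcp_syn_fields(frame)
        if syn and syn[3] in SMTP_PORTS:
            dests[syn[0]].add((syn[1], syn[3]))
    return dests


def flag_spambots(pcap, min_servers=5):
    """A workstation normally talks to one mail relay; fan-out to many servers is the tell."""
    return sorted((src, len(d)) for src, d in smtp_destinations(pcap).items()
                  if len(d) >= min_servers)


# Constructed sample: one host fanning out to 8 mail servers plus one HTTPS
# connection, and a second host sending a single submission-port SYN.
SAMPLE_PCAP = build_pcap(
    [tcp_syn_frame("10.7.29.101", "198.51.100.%d" % i, 49152 + i, 25) for i in range(8)]
    + [tcp_syn_frame("10.7.29.101", "203.0.113.10", 49200, 443),
       tcp_syn_frame("10.7.29.50", "192.0.2.25", 49300, 587)]
)

if __name__ == "__main__":
    for src, n in flag_spambots(SAMPLE_PCAP):
        print(f"{src}: SYN to {n} distinct SMTP servers")
```

The SYN-only view is deliberate: a spambot's sessions are often rejected or reset, so counting completed handshakes would undercount, while counting bare SYNs catches every attempt. The equivalent Wireshark display filter is `tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.port in {25 465 587}`, after which Statistics > Conversations shows the fan-out per host.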