Australian Health Insurance-Themed Spam Spreads Ursnif

Analysis and Insights by Monte De Jesus

Trend Micro researchers encountered a spam campaign referencing the Australian health insurance brand Medicare. The attachment, which Trend Micro detects as Trojan.X97M.URSNIF.THDAEBO, downloads the malicious file (detected as TrojanSpy.Win32.URSNIF.THDAEBO). The campaign aims to spread the spyware Ursnif, also known as Gozi.

The email headers pertain to payment transactions with the words “Statement,” “Invoice,” or “Transaction,” and include a supposed transaction number:

  • RE: Statement 21833187
  • RE: Invoice 187790985
  • RE: Transaction 1214860391

The email contains an attached encrypted spreadsheet (.xls) file (detected by Trend Micro as Trojan.X97M.URSNIF.THDAEBO) that uses “Medicare” in its file names, as listed below:

  • Medicare - 1214860391.xls
  • Medicare - 187790985.xls
  • Medicare - 21833187.xls
  • Medicare - 577725932-577725932.xls
  • Medicare - 656187332.xls
Medicare is mentioned to gain interest and the trust of its recipients, especially those who transacts with the company.

When opened, the attachment shows the logo of Medicare (Australia) and instructions to Enable Editing and Enable Content.

Figure 1. Healthcare-Themed Spam Attachment

This trojan accesses the website hxxps://www.{BLOCKED}contracting.com/ray/pom.php. It then downloads a malicious file (Ursnif) from the site and saves it using the name %All Users Profile%\qmbvlcq.exe (detected as TrojanSpy.Win32.URSNIF.THDAEBO).

This malicious file steals the following data, which can possibly be abused for further attacks:

  • Computer Name
  • Machine Globally Unique Identifier (GUID)
  • Operating System Type
  • Operating System Version
  • System Uptime
  • Username

The file then sends the information via HTTP POST to the following URL:

  • hxxps://{BLOCKED}cos.xyz/index.htm

Earlier this year, Ursnif has been spotted being used in another campaign targeting users in Japan.


Defense Against Spam Campaigns

Threat actors use current affairs such as the Covid-19 outbreak in their social engineering strategies to bait even the most careful email users.  Spam campaigns can propagate malicious files such as Ursnif and other types of malware and even ransomware. Users can defend against these threats by following these best practices:

  • Do not download links and click attachments from emails sent by unfamiliar sources.
  • Spot telltale signs of spam like bad grammar, misspellings, and spoofed email addresses.
  • Verify the legitimacy of emails from official sources through other means of communication, such as phone calls.

The following Trend Micro solutions for email-based threats are recommended for a more proactive defense against spam:


Indicators of Compromise

 

URLs

  • hxxps://www.{BLOCKED}contracting.com/ray/pom.php
  • hxxps://{BLOCKED}cos.xyz/index.htm
SHA-256 Trend Micro Pattern Detection
35a5cb85a5fbea3fdbd568aacedca42c4488877c1c2ee479fe21c1534e070866 TrojanSpy.Win32.URSNIF.THDAEBO
3f713f94f2c6c981a93cc9e01894da2da3a144829093619eb960f469e245fa17 Trojan.X97M.URSNIF.THDAEBO
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Cyber Attacks, Spam