Australian Health Insurance-Themed Spam Spreads Ursnif

Analysis and Insights by Monte De Jesus

Trend Micro researchers encountered a spam campaign referencing the Australian health insurance brand Medicare. The attachment, which Trend Micro detects as Trojan.X97M.URSNIF.THDAEBO, downloads the malicious file (detected as TrojanSpy.Win32.URSNIF.THDAEBO). The campaign aims to spread the spyware Ursnif, also known as Gozi.

The email headers pertain to payment transactions with the words “Statement,” “Invoice,” or “Transaction,” and include a supposed transaction number:

• RE: Statement 21833187
• RE: Invoice 187790985
• RE: Transaction 1214860391

The email contains an attached encrypted spreadsheet (.xls) file (detected by Trend Micro as Trojan.X97M.URSNIF.THDAEBO) that uses “Medicare” in its file names, as listed below:

• Medicare - 1214860391.xls
• Medicare - 187790985.xls
• Medicare - 21833187.xls
• Medicare - 577725932-577725932.xls
• Medicare - 656187332.xls

When opened, the attachment shows the logo of Medicare (Australia) and instructions to Enable Editing and Enable Content.

Figure 1. Healthcare-Themed Spam Attachment

This trojan accesses the website hxxps://www.{BLOCKED}contracting.com/ray/pom.php. It then downloads a malicious file (Ursnif) from the site and saves it using the name %All Users Profile%\qmbvlcq.exe (detected as TrojanSpy.Win32.URSNIF.THDAEBO).

This malicious file steals the following data, which can possibly be abused for further attacks:

• Computer Name
• Machine Globally Unique Identifier (GUID)
• Operating System Type
• Operating System Version
• System Uptime
• Username

The file then sends the information via HTTP POST to the following URL:

• hxxps://{BLOCKED}cos.xyz/index.htm

Earlier this year, Ursnif has been spotted being used in another campaign targeting users in Japan.

Defense Against Spam Campaigns

Threat actors use current affairs such as the Covid-19 outbreak in their social engineering strategies to bait even the most careful email users.  Spam campaigns can propagate malicious files such as Ursnif and other types of malware and even ransomware. Users can defend against these threats by following these best practices:

• Do not download links and click attachments from emails sent by unfamiliar sources.
• Spot telltale signs of spam like bad grammar, misspellings, and spoofed email addresses.
• Verify the legitimacy of emails from official sources through other means of communication, such as phone calls.

The following Trend Micro solutions for email-based threats are recommended for a more proactive defense against spam:

• Trend Micro™ Email Security – Scrutinizes email headers and content to detect spam and other email-based threats.
• Trend Micro™ Deep Discovery™ Email Inspector – Analyzes patterns and reputation to detect malicious files that come with spam emails.
• Trend Micro™ Cloud App Security – Conducts sandbox malware analysis and detects impersonation of writing styles in emails.

Indicators of Compromise
 

URLs

• hxxps://www.{BLOCKED}contracting.com/ray/pom.php
• hxxps://{BLOCKED}cos.xyz/index.htm