Ursnif campaign with the macro-enabled documents - Part 1
Overview During the first half of February 2019 there was an increase in occurrences of the Spam messages containing attached documents with the names in the form “Request” followed by the number, like “Request15.doc”. These documents contain slightly obfuscated macros which lead to execution of the PowerShell downloader. This PowerShell downloader connects to the domains registered in Russian Federation and resolved to the Russian IP addresses. It seems that on these servers are hosted malicious content, in many cases detected as the Ursnif malware.
“Hidden” Bundpil
Introduction My friend have got one USB stick infected with malware, at least that’s what one AntiVirus product reported about it. But strange thing happen, it seemed that the detected file was not present on this USB key. Not only the detected file, but also all of the user data was missing. Only one .lnk file was present in the root of the filesystem. So, this is point where our investigation begins…