On the morning of December 12th, 2018, the CRITICALSTART CYBERSOC began seeing the resurgence of a prolific phishing campaign. This campaign included malware variants such as DRIDEX & URSNIF, both common Banking Trojans used in macro-based attacks. These files are observed hiding with macro-enabled documents or downloaded after the code executes, requesting the host reach out to a C2 domain. While these aren’t new techniques, the malicious files (and their variants) can still be very effective on unprotected devices. Within the existing tool suite the CRITICALSTART CYBERSOC operates on, we’ve seen the detection and remediation of these malicious files, specifically through EDR and NextGen AV Platforms (machine learning algorithms). This is a great time to verify the security controls across your organization and ensure your policies are up to date for both Endpoint Protection Platforms and Exchange/E-Mail. Additionally, user awareness is the most significant defense against phishing and similar attacks. Being transparent with the user base on how these attacks operate and disguise themselves creates vigilance, and grows a culture of security awareness.

CRITICALSTART’s CYBERSOC has seen it across multiple MDR Clients within the same time-frame, over the last 24hrs. 

1. C2 Identifiers:

1. 1. https://www.virustotal.com/#/ip-address/46.29.160.75

2. Malware Observed:

2. 1. URSNIF “3152”
   2. DRIDEX “3101”

3. Attributes: Identifiable through Exchange / Proofpoint

3. 1. PowerShell
   2. Office VBA Macro
   3. Banking Trojan

4. Techniques: Identifiable through EDR and EPP agents locally on the device(s)

4. 1. Emailed Doc
   2. Word Requests “Enable Macros”
   3. Word Spawn cmd.exe
   4. Cmd.exe runs encoded PowerShell with C2 location
   5. Device pulls directed file (URSNIF/DRIDEX)