Sign in Create account

#ursnif — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #ursnif, aggregated by home.social.

🛡 [email protected]/:~# :blinking_cursor: @[email protected] · 2024-03-19 · 09:57 UTC

Cybercriminals are using #Scalable_Vector_Graphics (#SVG) files to deliver malware because SVG is an XML-based vector image format for two-dimensional graphics that supports interactivity and animation. SVG files can natively contain #JavaScript code, which can be executed by browsers when the SVG is loaded.
They do this by leveraging the #AutoSmuggle tool introduced in May 2022. This tool embeds malicious files into SVG/HTML content, bypassing security measures. Notably, SVG files were exploited to distribute #ransomware in 2015 and the #Ursnif malware in January 2017. A significant advancement occurred in 2022, with malware like #QakBot being delivered through SVG files containing embedded .zip archives. AutoSmuggle campaigns in December 2023 and January 2024 delivered the #XWorm #RAT and #Agent_Tesla #Keylogger, respectively, showcasing a shift towards embedding executable files directly within SVG files to evade detection by Secure Email Gateways (#SEGs). This evolution underscores the need for updated security measures to combat sophisticated malware delivery methods.
The misuse of SVG files for malware distribution dates back to 2015, with ransomware being one of the first to be delivered through this vector.
Original report: Cofense

#scalable_vector_graphics #svg #javascript #autosmuggle #ransomware #ursnif
D3Lab @[email protected] · 2023-10-13 · 15:06 UTC

Campagne #Malware #Italy Week 41
🔥 Persistenti
#Ursnif: #AgenziaEntrate
#DarkGate: Resend link a ZIP
#AgentTesla: Pagamento
💣 D'eccezione
#RemcosRat: Pagamento
#Lokibot: Bank
#ScreenConnect: Fattura PDF
#mwitaly

#malware #italy #ursnif #agenziaentrate #darkgate #agenttesla
Bob Carver @[email protected] · 2023-03-13 · 19:06 UTC

The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html #CyberSecurity #GoogleAds #BATLOADER #malware #VidarStealer #Ursnif

#cybersecurity #googleads #batloader #malware #vidarstealer #ursnif
imlordoftherings @[email protected] · 2022-12-02 · 19:12 UTC

Found in the wild! Allegedly Gozi malware stage 1.
Attack path:
phishing -> xlsx macro -> chechoa[.]com -> commandline calc.exe -s 6636702. -> Stage 2
https://bazaar.abuse.ch/sample/eef902138fc1ee637b41bbecd442a64b691b5b9aae15d2c822ac983ef93e4616/
https://www.virustotal.com/gui/file/eef902138fc1ee637b41bbecd442a64b691b5b9aae15d2c822ac983ef93e4616/detection/f-eef902138fc1ee637b41bbecd442a64b691b5b9aae15d2c822ac983ef93e4616-1669969590
#gozi #ursnif

#gozi #ursnif
Germán Fernández :verified: @[email protected] · 2022-11-21 · 06:39 UTC

@th3_protoCOL
Current #payloads:
-ZipCosdaz.exe (#RedLine)
C2: 193.56.146.114:44271
Botnet: NewBuild
- ZipCosdaz1.exe (#Ursnif aka #Gozi)
C2 servers:
45.11.182.97
79.132.128.108
91.241.93.98
79.132.128.109
91.242.217.28
91.241.93.111
Botnet: 2503
- ConsoleDWS.exe (Destroy Windows 10 Spying)
GitHub repo: https://github.com/spinda/Destroy-Windows-10-Spying
+ And another download URL: archiverportal[.]space/porn.php

#payloads #redline #ursnif #gozi