Thursday, August 24, 2017

Ursnif Campaign Targets Logistics and Finance

TLP AMBER ANNOUNCEMENT:

Wapack Labs recently identified a large-scale Ursnif campaign affecting multiple companies in the logistics, finance, and IT sectors. The campaign, which began in May 2017, consists of spear-phishing emails carrying a malicious document attachment that, when opened, delivers malware identified as Ursnif. Active since 2012, Ursnif has undergone several variations; the current variant implements data exfiltration and sends encrypted victim data to a C2 server. By using compromised accounts and exploiting existing trust relationships, the actors are likely able to achieve a high open rate. Although additional user interaction is required to enable the malicious macro, the campaign probably resulted in some installations because the delivery email was not unsolicited. The clever social engineering involved exhibits a moderate to advanced level of tradecraft by the actor. Tactics, Techniques, and Procedures (TTPs) and shared infrastructure in this campaign suggest that a single actor or group with Chinese attribution executed it.

Wapack Labs has cataloged and reported extensively on spear-phishing, Ursnif, and China in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.