German language malspam pushes Ursnif, (Wed, Jan 22nd)

This post was originally published on this site


On Tuesday 2020-01-21, a wave of malicious spam (malspam) hit various recipients in Germany.  The messages were email chains (reply threads) associated with previously infected Windows hosts, and each carried a password-protected zip archive as an attachment.  A closer look revealed this malspam was pushing Ursnif.

Today’s diary reviews this malspam and an Ursnif infection from one of the attachments on Tuesday 2020-01-21.

Shown above:  Flow chart for an infection from this wave of German malspam.

The malspam

See the next three images for examples from this wave of malspam.  Of note, this campaign often used 777 as the password for the attached zip archive.  In this wave of malspam, we saw passwords 111, 333, and 555.  Other passwords were probably used as well in examples we have not yet reviewed.

Shown above:  An example of the malspam from Tuesday 2020-01-21 (1 of 3).

Shown above:  An example of the malspam from Tuesday 2020-01-21 (2 of 3).

Shown above:  An example of the malspam from Tuesday 2020-01-21 (3 of 3).

The attachments

Using the password from the email, you can extract a Microsoft Word document from the password-protected zip archive.  The message in the Word document is in German, and it directs you to enable macros.  All of the Word documents are named info_01_21.doc.  Of note, in recent versions of Microsoft Office, you must exit Protected View and then click through the macro security warning before the macro can run, so only a host whose user takes both steps (or whose macro settings have been weakened) is infected.

Shown above:  Extracting a Word document from one of the password-protected zip archives.

Shown above:  An example of an extracted Word document.
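The attachment handling described above, as an added triage example that is not part of the original diary: it tries the password quoted in the email followed by the passwords reported for this campaign (111, 333, 555, 777), extracts what is inside, and flags a member that is an OLE2 (legacy .doc) file carrying the stream names Word writes only for a VBA project, or that uses the info_MM_DD.doc naming seen in this wave. The sample archive and the mock document are constructed here for the example; Python's zipfile can read but not write ZipCrypto archives, so the sample is unencrypted and the password loop succeeds on the first candidate.

```python
import io
import re
import zipfile

# Passwords the diary reports for this campaign (111, 333, 555, 777); a real
# triage run puts the password quoted in the e-mail body first.
KNOWN_PASSWORDS = ["111", "333", "555", "777"]
# File name pattern used for the Word documents in this wave (info_01_21.doc).
CAMPAIGN_NAME = re.compile(r"^info_\d{2}_\d{2}\.doc$", re.IGNORECASE)
# OLE2 compound-file signature (legacy .doc) and the UTF-16LE storage/stream
# names that Word writes only when a document carries a VBA project.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def find_password(zf, candidates):
    """Return the first candidate that decrypts the archive's first file, or None.
    zipfile raises RuntimeError on a wrong ZipCrypto password."""
    members = [m for m in zf.infolist() if not m.is_dir()]
    if not members:
        return None
    for pw in candidates:
        try:
            with zf.open(members[0], pwd=pw.encode()) as fh:
                fh.read(1)
            return pw
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None


def triage_attachment(zip_bytes, email_password=None):
    """Open a password-protected zip attachment with the password from the
    e-mail (plus the campaign's known ones) and classify what is inside."""
    candidates = ([email_password] if email_password else []) + KNOWN_PASSWORDS
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    pw = find_password(zf, candidates)
    if pw is None:
        return {"password": None, "files": [], "verdict": "locked"}
    files = []
    for member in zf.infolist():
        if member.is_dir():
            continue
        data = zf.read(member, pwd=pw.encode())
        is_ole = data.startswith(OLE_MAGIC)
        files.append({
            "name": member.filename,
            "size": len(data),
            "ole": is_ole,
            "vba": is_ole and any(marker in data for marker in VBA_MARKERS),
            "campaign_name": bool(CAMPAIGN_NAME.match(member.filename)),
        })
    flagged = any(f["vba"] or f["campaign_name"] for f in files)
    return {"password": pw, "files": files, "verdict": "suspicious" if flagged else "clean"}


def build_sample_zip(name, payload):
    """Constructed test input: a zip holding one file. Python's zipfile cannot
    write ZipCrypto archives, so this sample is unencrypted; the password loop
    still runs, and zipfile ignores pwd for unencrypted members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Mock .doc (constructed, not the campaign's file): OLE signature followed by
# the VBA storage names, padded with zeros. Enough structure for the checks above.
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + b"".join(VBA_MARKERS) + b"\x00" * 64

if __name__ == "__main__":
    report = triage_attachment(build_sample_zip("info_01_21.doc", FAKE_MACRO_DOC), email_password="333")
    print(report["verdict"], report["files"][0])
```

The stream-name check is a cheap heuristic, not a macro parser: it will miss a document whose VBA project is stored in an unusual way and can be fooled by a document that merely embeds those byte sequences. For anything flagged, hand the file to a real OLE/VBA parser.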

The infection traffic

Infection traffic is typical of Ursnif infections seen in recent months; other examples of Ursnif traffic from 2019 can be found here.  Of note, the follow-up malware for this Ursnif infection was another Ursnif variant.

Shown above:  Traffic from an infection filtered in Wireshark.

Forensics on an infected Windows host

The infected Windows host contained artifacts commonly seen with this type of Ursnif infection.  See the images below for details.

Shown above:  Artifacts seen in the C:\Windows\Temp directory after enabling macros.

Shown above:  Follow-up malware found on the infected Windows host.

Shown above:  Update to the Windows registry caused by Ursnif to keep it persistent on the infected host.
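The persistence artifact pictured above, as an added hunting example that is not part of the original diary: it parses a `reg export` of the Run/RunOnce keys and flags any entry that launches rundll32 with a DLL in a user-writable directory or through the DllRegisterServer export, which is the command line listed for the Ursnif DLL in the IoCs. The diary shows a registry change but does not name the key or value, so the Run key, the value name "aaNuLh" and the benign entries in the sample below are assumptions constructed for this example.

```python
import re

# Constructed excerpt in "reg export" format. The rundll32 command line is the
# one the diary reports for the Ursnif DLL; the value name "aaNuLh", the choice
# of Run key and the benign entries are assumptions made for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"aaNuLh"="\"C:\\Windows\\System32\\rundll32.exe\" c:\\Windows\\Temp\\aaNuLh.dll,DllRegisterServer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"=hex(2):25,00,77,00
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines only (REG_SZ); dword:/hex: values are not strings and are skipped.
SZ_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
RUNDLL32 = re.compile(r"rundll32(?:\.exe)?", re.IGNORECASE)
# Directories a standard user can write to; a persisted DLL living there is a red flag.
WRITABLE_DIR = re.compile(
    r"\\(?:windows\\temp|appdata\\local\\temp|programdata|users\\public)\\", re.IGNORECASE)
# Autostart keys checked here (assumption: the diary does not name the key Ursnif used).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def unescape(value):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export.
    Real exports are UTF-16LE with a BOM: open(path, encoding="utf-16").read()."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SZ_VALUE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def hunt_rundll32_persistence(text):
    """Return Run/RunOnce entries that start rundll32 in a suspicious way."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(RUN_KEYS):
            continue
        if not RUNDLL32.search(data):
            continue
        reasons = []
        if "dllregisterserver" in data.lower():
            reasons.append("DllRegisterServer export")
        if WRITABLE_DIR.search(data):
            reasons.append("DLL in user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_rundll32_persistence(SAMPLE_REG):
        print(f["key"], f["name"], f["command"], f["reasons"])
```

On a live host the same logic applies to an `autorunsc` export or a direct read of the keys; the point is the combination of rundll32, an export name and a DLL path outside Program Files or System32, not any one of them alone.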

Indicators of Compromise (IoCs)

Infection traffic from the initial Ursnif infection:

  • 80.85.157[.]246 port 80 – emblareppy[.]com GET /gunshu/lewasy.php?
  • port 80 –[.]com – GET /images/[long string].avi
  • 80.85.153[.]218 port 80 – pzhmnbarguerite4819[.]com – GET /images/[long string].avi
  • 95.169.181[.]33 port 80 – n60peablo[.]com – GET /images/[long string].avi
  • port 443 –[.]com – HTTPS traffic
  • 45.141.103[.]204 port 443 – nk47yicbnnsi[.]com – HTTPS traffic

Request for the follow-up malware:

  • 104.193.252[.]157 port 80 – 104.193.252[.]157 – GET /fonelsid.rar

Infection traffic caused by the follow-up malware (another Ursnif variant):

  • port 80 – google[.]com – GET /
  • port 80 –[.]com – GET /
  • DNS queries for onionpie[.]at – no response from the server
  • DNS queries for tahhir[.]at – no response from the server
  • 80.249.145[.]116 port 80 – limpopo[.]at – GET /images/[long string]
  • 109.175[.]7.8 port 80 – estate-advice[.]at – GET /images/[long string]
  • 5.56.73[.]146 port 80 – sweetlights[.]at – GET /g32.bin
  • 5.56.73[.]146 port 80 – sweetlights[.]at – GET /g64.bin
  • 5.56.73[.]146 port 80 – estate-advice[.]at – POST /images/[long string]
  • 185.95.185[.]58 port 80 – estate-advice[.]at – GET /images/[long string]
  • 80.249.145[.]116 port 80 – limpopo[.]at – POST /images/[long string]
  • 51.223.47[.]15 port 80 – estate-advice[.]at – POST /images/[long string]
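The URI shapes in the two IoC lists above (long base64-like strings under /images/ with slashes inserted and an optional fake .avi extension, plus the g32.bin/g64.bin module fetches), as an added detection example that is not part of the original diary. It runs two rules over constructed proxy log lines and reports both the hosts matched and the clients that hit more than one rule; the Ursnif hosts, IPs and URI shapes follow the IoCs, while the client address, timestamps, the exact long strings and the benign lines are made up for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines: "epoch src dst:port host method uri status".
# Hosts, IPs and URI shapes on the Ursnif lines follow the IoCs above; the
# client IP, timestamps, long strings and the benign lines are made up.
SAMPLE_LOG = """\
1579600001 10.0.0.7 80.85.157.246:80 emblareppy.com GET /gunshu/lewasy.php? 200
1579600002 10.0.0.7 80.85.153.218:80 pzhmnbarguerite4819.com GET /images/3dQw_Mh1ZsA2L9kT0yUiPx/8nVb4cJr6Ea1FoGm2sWz/5tYq7lKx.avi 200
1579600003 10.0.0.7 5.56.73.146:80 sweetlights.at GET /g32.bin 200
1579600004 10.0.0.7 5.56.73.146:80 sweetlights.at GET /g64.bin 200
1579600005 10.0.0.7 80.249.145.116:80 limpopo.at POST /images/Qm9yaW5nIGxvbmcgc3RyaW5nIG9mIGJhc2U2NCBieXRlcyB0aGF0/IGtlZXBzIGdvaW5nIGZvciBhIHdoaWxl 200
1579600006 10.0.0.7 198.51.100.1:80 google.com GET / 200
1579600007 10.0.0.7 198.51.100.2:80 example.org GET /images/logo.png 200
"""

# Ursnif check-ins: a long base64-like string with slashes inserted, under
# /images/, often with a fake .avi extension (GET and POST). Second stage:
# 32/64-bit modules fetched as g32.bin / g64.bin. The 40-character minimum is
# a tuning assumption, chosen to keep ordinary image paths out.
RULES = [
    ("ursnif_images_beacon", re.compile(r"^/images/[A-Za-z0-9_\-/]{40,}(?:\.avi)?$")),
    ("ursnif_module_fetch", re.compile(r"^/g(?:32|64)\.bin$")),
]

LINE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Split one log line into its fields, or None if it does not fit the format."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return one hit per (line, rule) match with the fields an analyst needs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.match(rec["uri"]):
                hits.append({"rule": name, "src": rec["src"], "host": rec["host"],
                             "method": rec["method"], "uri": rec["uri"]})
    return hits


def suspicious_hosts(log_text):
    """Distinct servers contacted with a matching URI."""
    return sorted({h["host"] for h in scan(log_text)})


def infected_clients(log_text):
    """Clients that matched more than one rule. Beacon plus module fetch is the
    chain the diary shows; a lone /images/ hit could still be an unlucky CDN path."""
    rules_by_src = defaultdict(set)
    for h in scan(log_text):
        rules_by_src[h["src"]].add(h["rule"])
    return sorted(src for src, rules in rules_by_src.items() if len(rules) >= 2)


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG), infected_clients(SAMPLE_LOG))
```

The first IoC (the lewasy.php? request that returned the DLL) is deliberately not a rule: a single PHP path with an empty query string is campaign-specific and would only ever match this one host, so it belongs in a blocklist rather than a pattern.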

Malware info:

SHA256 hash: 957573dc5e13516da0d01f274ab28a141dddc8b6609fa35fde64a4900cb793e6

  • File size: 127,243 bytes
  • File name: info_12_21.doc
  • File description: Word doc with macro for Ursnif

SHA256 hash: 05ec03276cdbb36fdd8433beca53b6c4a87fa827a542c5d512dcbb2cf93023c9

  • File size: 3,651 bytes
  • File location: C:\Windows\Temp\axsUG8.xsl
  • File description: XSL file dropped by Word macro

SHA256 hash: c7f801c491d705cd5e6a202c7c5084874235e19b5505d8e0201111cb3789a9c8

  • File size: 265,216 bytes
  • File location: hxxp://emblareppy[.]com/gunshu/lewasy.php?
  • File location: C:\Windows\Temp\aaNuLh.dll
  • File description: Ursnif DLL file retrieved using XSL file
  • DLL note: run via "C:\Windows\System32\rundll32.exe" c:\Windows\Temp\aaNuLh.dll,DllRegisterServer

SHA256 hash: df824e3e5bb15c7b74d5e8a021f3cbcd867100a02399b9c383488c660ae920b4

  • File size: 873,472 bytes
  • File location: hxxp://104.193.252[.]157/fonelsid.rar
  • File location: C:\Users\[username]\AppData\Local\Temp\[random digits].exe
  • File description: Follow-up malware, another Ursnif variant
  • Note: the binary returned from the fonelsid.rar URL was encoded/encrypted as it was sent over the network, so the bytes on the wire do not match the executable written to disk

Final words

A pcap of the infection traffic, the associated malware and artifacts, and some malspam examples can be found here.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

vSAN Thin vs Thick Provisioning

I’ve recently had several conversations around whether leveraging thin or thick provisioning within a vSAN datastore is necessary. Although the default vSAN Storage Policy leverages thin provisioning, it is important to understand why it is the default and the recommended best practice.

Thin vs Thick Provisioning

Let’s start with how vSAN defines a thin or thick provisioned disk. Within a […]

The post vSAN Thin vs Thick Provisioning appeared first on Virtual Elephant.

Amazon EKS Price Reduction

Since it launched 18 months ago, Amazon Elastic Kubernetes Service has released a staggering 62 features, 14 regions, and 4 Kubernetes versions. While developers, like me, are loving the speed of innovation and the incredible new features, today, we have an announcement that is going to bring a smile to the people in your finance department. We are reducing the price by 50%.

As of the 21st of January, the price will reduce from $0.20 per hour for each Amazon EKS cluster to $0.10 per hour. This new price is for all new and existing Amazon EKS clusters.

Incredible Momentum
Last year, I wrote about a few of those 62 Amazon EKS features. Features such as Amazon EKS on AWS Fargate, EKS Windows Containers support, and Managed Node Groups for Amazon Elastic Kubernetes Service. It has been a pleasure to hear customers in the comments, in meetings, and at events tell me that features like these are enabling them to run different kinds of applications more reliably and more efficiently than ever before. I also have enjoyed watching customer feedback come in via the public containers roadmap and see the Amazon EKS team deliver requested features at a constant rate.

Customers are Flourishing on Amazon Elastic Kubernetes Service
Amazon EKS is used by big and small customers to run everything from simple websites to mission-critical systems and large scale machine learning jobs. Below are three examples from the many customers that are seeing tremendous value from Amazon EKS.

Snap runs 100% on K8s in the cloud and, in the last year, moved multiple parts of their app, including the core messaging architecture to Amazon EKS as part of their move from a monolithic service-oriented architecture to microservices. In their words, “Undifferentiated Heavy Lifting is work that we have to do that doesn’t directly benefit our customers. It’s just work. Amazon EKS frees us up to worry about delivering customer value and allows developers without operational experience to innovate without having to know where their code runs.” You can learn more about Snap’s journey in this video recorded at the AWS New York Summit.

HSBC runs mission-critical, highly secure banking infrastructure on Amazon EKS and joined us on stage at AWS re:Invent 2019 to talk about why they bank on Amazon EKS.

Advalo is a predictive marketing platform company, reaching customers during the most influential moments in their purchase decision. Edouard Devouge, Lead SRE at Advalo, says: “We are running our applications on Amazon EKS, launching up to 2,000 nodes per day and running up to 75,000 pods for microservices and Machine Learning apps, allowing us to detect purchase intent through individualized Marketing in the website and shops of our customers.”

With today’s announcement, all the benefits that these customers describe are now available at a great new price, ensuring that AWS remains the best place in the world to run your Kubernetes clusters.

Amazon Elastic Kubernetes Service Resources
Here are some resources to help you to learn how to make great use of Amazon EKS in your organization:

Effective Immediately
The 50% price reduction is available in all regions effective immediately, and you do not have to do anything to take advantage of the new price. From today onwards, you will be charged the new lower price for Amazon Elastic Kubernetes Service. So sit back, relax, and enjoy the savings.

— Martin

Become a VMware NSX Expert Today

If you’ve wanted to learn about VMware NSX, an L2-L7 networking and security virtualization platform implemented entirely in software, and didn’t know where to start, this is the guide for you. Already an NSX user and want to improve your skills? This is also a great resource for becoming an NSXpert! Reintroducing the VMware NSX

The post Become a VMware NSX Expert Today appeared first on Network Virtualization.

Monitoring vSAN Performance

Determining the root cause of performance issues in any environment can be a challenge, but with environments running dozens, if not hundreds of virtual workloads, pinpointing the exact causes, and understanding the options for mitigation can be difficult for even the experienced administrator. Since a vSAN cluster is made up of locally-attached disks, there are

The post Monitoring vSAN Performance appeared first on Virtual Blocks.

vExpert Cloud Management December 2019 Blog Digest

Every month we publish a digest of blogs created by our vExpert Cloud Management Community. These blogs are written by industry professionals from around the vCommunity and often feature walkthroughs, feature highlights, and news for vRealize Operations, vRealize Network Insight, and vRealize Log Insight. The vExpert title is awarded to individuals who dedicate their time outside

The post vExpert Cloud Management December 2019 Blog Digest appeared first on VMware Cloud Management.

Ansible, Windows and PowerShell: the Basics – Part 13, Environment Variables

In Part 13 of this series we’ll continue our journey with Ansible, Windows and PowerShell and look at how to handle environment variables in Windows. In this example we’ll look at a common scenario where you need to manually create the JAVA_HOME environment variable and add it to the existing PATH environment variable because the …

VMware Certifications and Badges…Working Together to Prove Expertise

Certifications and digital badges are not so different, but they each serve a specific purpose. Working together, they provide a learning journey that can lead to expanded expertise and more opportunities.   Certifications represent a benchmark across a set of broader solutions, such as multi-cloud solutions, virtual networking or the digital workspace. Certifications prove expertise

The post VMware Certifications and Badges…Working Together to Prove Expertise appeared first on VMware Education Services.

The VMware Fusion 20H1 Tech Preview is now available for download

So what’s new with the Fusion 20H1 Tech Preview?

Project Nautilus – Running containers directly with VMware Fusion

VMware Fusion 20H1 Tech Preview now includes native container runtime support. A built-in command line interface, “vctl”, is provided for developers of containerized applications. With vctl you can run container images directly in Fusion, pull an image from a remote repository, and push a local image to a remote repository.

USB KEXT removal

The Fusion team has reworked the USB passthrough stack so that it no longer relies on a kernel extension (KEXT) to capture USB devices from the macOS host. Please visit the VMware Fusion Tech Preview community, download the build and provide feedback. The team would love to learn how Fusion can further improve to support your container application development, and what you think it should do next. They would also like to know if you have any problems using your USB devices.

Fusion 20H1 Tech Preview User Guide

Getting Started with Project Nautilus

VMware Fusion Blog

VMware Fusion Tech Preview 20H1: Introducing Project Nautilus

It’s Tech Preview time, and this year we’re doing things a bit differently. Let’s dive in!

New Decade, New Approach to “Beta”

Here on the Fusion team, we want to get features in the hands of customers faster than ever before, and we want to iterate and refine things with the guidance of our users, […]

The post VMware Fusion Tech Preview 20H1: Introducing Project Nautilus appeared first on VMware Fusion Blog.