Pierluigi Paganini
February 07, 2019
Another wave of Ursnif attacks hits Italy.
Ursnif is one of the most active banking trojans. It is also known as GOZI, in fact, it is a fork of the original Gozi-ISFB banking Trojan that got its source code leaked in 2014 updating and evolving Gozi features over the years. Also in this variant, Ursnif uses weaponized office document with a VBA macro embedded that act as a dropper and multi-stage highly obfuscated Powershell scripts in order to hide the real payload. In addition, this Ursnif
Ursnif is one of the most active banking trojan. It is also known as GOZI, in fact it is a fork of the original Gozi-ISFB banking Trojan that got its source code leaked in 2014 updating and evolving Gozi features over the years. Also in this variant, Ursnif use weaponized office document with a VBA macro embedded that act as a dropper and multi-stage highly obfuscated powershell scripts in order to hide the real payload. In addition, this Ursnif use also steganography to hide the malicious code and avoid AV detection.
Moreover, this variant uses an exotic process injection technique called AtomBombing (through QueueUserAPC) which exploit Windows AtomTable, in order to inject into explorer.exe in a more stealthier way, because no remote threads are created in the target process.
The initial infection vector appears as a corrupted Excel file, inviting the user to enable macro execution to properly view the contents of the fake document, typically purchase order, invoice and so on.
Extracting the macro code, shows the malware, in the first instance, checks the victim country using the Application.International MS Office property. If the result corresponds to Italy (code 39), the macro executes the next command using Shell function.
The remaining functions of the macro are used to prepare the shell command to launch, concatenating several strings encoded in different ways (mainly in decimal and binary). The resulting command contains a huge binary string, which will be converted into a new Powershell command using the function:
[Convert]::ToInt16() -as[char]
As shown in the above figure, the malware tries to download an image from at least one of two embedded URLs:
The apparently legit image actually contains a new Powershell command. The weaponized image is crafted using the Invoke-PSImage script, which allows to embeds the bytes of a script into the pixels of a PNG file.
Et voilà, another obfuscated Powershell stage. The payload is encoded in Base64, so it is easy to move on and reveal the next code.
Basically, it seems hexadecimal encoded which can be decoded through the previous [Convert]::ToInt16 function.
The final code is:
It executes another check against victim’s country, ensuring it is Italy. The information derives from the command:
Get-Culture | Format-List -Property *
If the check is positive, the script will download an EXE payload from http://fillialopago[.]info/~DF2F63, store it in %TEMP%\Twain001.exe and then execute it.
At the analysis time, the file is not detected by most antiviruses:
Despite its low detection, this executable is a classic Ursnif loader which is responsible to contact the server to download malicious binary which will be injected into explorer.exe process. It uses the function IWebBrowser.Navigate to download data from its malicious server felipllet[.]info with an URI path that looks like a path to a file video (.avi).
The server responds to this request sending encrypted data, as show in the following figure
After a decryption routine, all useful data is stored into registry keys at HKCU\Software\AppDataLow\Software\Microsoft\{GUID}.
The regvalue named “defrdisc” (which reminds to a legit Disk Defragmentation Utility) contains the command will be executed as next step and at Windows startup, as displayed below.
The command’s only goal is to execute the data contained into “cmiftall” regvalue through Powershell engine.
| C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create “powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty ‘HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E’).cmiftall))” |
The “cmiftall”’s data is simply a Powershell script encoded in Hexadecimal way, so it is possible to reconstruct its behavior.
So, using the Powershell script stored into regkey (shown above), Ursnif is able to allocate space enough for its malicious byte array, containing the final payload, and to start it as legit process’ thread through QueueUserAPC and SleepEx calls.
The Ursnif’s complete workflow is shown in figure:
Finally, from data contained into last script’s byte array, it is possible to extract a DLL which corresponds to what Ursnif inject into explorer.exe process.
This DLL seems to be corrupted, as stated by some static analysis tools:
However, when it is loaded in memory using APC injection technique, it works with no problems. Submitting the file to VirusTotal, the result is devastating: 0/56 anti-malware detects it.
As stated first by us in the previous Ursnif analysis in December 2018 and after by Cisco Talos Intelligence in January 2019, also this new Ursnif sample uses the same APC injection technique to instill its final binary into explorer.exe process, along with obfuscation and steganography in order to hide its malicious behaviour. Ursnif is more active and widespread than yesterday, the contacted C2 is not reachable but the malware implant is still alive due to the fact that the crooks are constantly changing their C2 to diverting tracking and analysis.
Yoroi ZLab – Cybaze researchers are continuing the analysis of this undetected DLL in order to extract information and
Further information, including IoCs and Yara rules are reported in the analysis published on the Yoroi Blog.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″] [adrotate banner=”13″]
Data Breach / November 21, 2024
