A few days ago, researchers of ZLab Yoroi-Cybaze dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi whose source code was leaked in 2014. Ursnif/Gozi has been active for over a decade and was one of the most active malware families listed in 2017 and 2018. Today it constantly reaches
The malware has evolved over time and has added functionality: besides collecting banking credentials, it is also able to collect keystrokes, cryptocurrency information, screenshots and webmail, integrating spyware features with banking Trojan features.
During their investigations, ZLab Yoroi-Cybaze researchers intercepted a new variant of this malware delivered through a malspam campaign targeting Italian companies. This latest Ursnif variant shows the same modus operandi: a malicious document embedding a highly obfuscated VBA macro that acts as the first-stage dropper.
According to Microsoft, since its appearance in 2009 Ursnif has shown incredible capabilities to steal users' credentials, including credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites, while remaining as stealthy as possible. It uses many advanced tricks to evade several sandbox environments and today is the most popular malware spreading in the wild. ZLab researchers have studied many samples in the past to profile the techniques used by the malware and to track its evolution and sophistication over time.
The first analyzed sample dates back to January 2018. That Ursnif variant was delivered through a macro document and consisted of a few obfuscated stages and a process hollowing injection technique to execute its payload. A few months later, in June 2018, we found evidence that Ursnif was being delivered through the Necurs botnet. The latter is one of the most famous botnets known nowadays and it has been used to deliver this Ursnif variant. The hidden link between Necurs and U
The sample spread in February 2019 used two new features: the first one is several obfuscated PowerShell stages in order to evade AVs and reduce detection; the second one is the use of a steganography technique, which hides code inside a legitimate image by manipulating specific bits. Next, another piece of code decrypts and executes the malicious code on the victim machine.
In March 2019 another weaponized variant of Ursnif was detected: in this case, to spread the malicious software, a Google Drive document combined with an obfuscated VBA script was used over steganography. The last sample shown in the previous table is similar to February's sample but includes another interesting feature: a first VBS stage is encrypted using the Vigenère cipher, which hides its malicious code and evades many sandbox environments. We are observing a continuous evolution, with several features added in a few months; this indicates that this malware is still under development and, observing also the fragmentation of features among variants, lets us think with high confidence that there are various forks of the same codebase spreading in the wild.
| SHA-256 | 34669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690 |
| Threat | Ursnif dropper |
| Short description | Excel with macro |
| ssdeep | 1536:hn1DN3aMePUKccCEW8yjJTdrBX/3t4k3hOdsylKlgryzc4bNhZFGzE+cL4LgldAK:hn1DN3aM+UKc |
Table 2: information about the Ursnif dropper
The most widespread infection vector observed was macro-enabled Office documents, and this variant uses the same technique too. The malicious document looks like an invoice that requires enabling macros in order to view its contents properly.
The whole infection chain begins when the macro is enabled. This Ursnif variant presents a macro protection technique that is not present in previous variants, intended to make analysis hard by preventing manipulation and extraction. After extracting the OLE object inside the document, we are able to see the content of the macros and their associated names, as shown in the following figure:
Now it is possible to isolate an interesting macro in order to analyze it further in detail. It contains a piece of VBA that was extracted.
Unlike in past waves, the malware author added a "VigenereDo" function to decrypt and reconstruct the initial infection step, using an algorithm based on the Vigenère cipher, a classical polyalphabetic cipher.
The resulting command text is obtained by combining the obfuscated strings defined in the "jeneric" function with other strings (not visible in the figure); after some further manipulation it is possible to spot the whole script that will be executed. When the user enables macros, the "wmic.exe" process runs the following code through the command wmic 'PRocesS' "Call" 'CREATe'.
So, at this point, several PowerShell deobfuscation steps occur. First of all, every value ("${1F}") defined in the PS string is replaced with the content stored in the "$1F" variable, corresponding to the "," (comma) character. After these values have been replaced, the script is run through the "iex" primitive, invoked by ".($psHomE[4]+$pshOMe[34]+'X')" and next through "( ". ( `$ShELLid[1]+`$shelLID[13]+'X')". The complete deobfuscated script is the following.
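To make the "VigenereDo" step concrete, here is an added Python reimplementation of the textbook Vigenère decryption an analyst would use to recover such a stage offline. This is not code from the macro or from Yoroi; the macro's actual alphabet and key are not documented, so the alphabet is a parameter and the sample key and plaintext below are constructed.

```python
import string


def vigenere(text: str, key: str, decrypt: bool,
             alphabet: str = string.ascii_uppercase) -> str:
    """Classical Vigenère over `alphabet`.

    Characters outside the alphabet are copied through unchanged and do not
    advance the key position (assumption: the textbook variant)."""
    if not key or any(k not in alphabet for k in key):
        raise ValueError("key must be non-empty and drawn from the alphabet")
    n = len(alphabet)
    out, ki = [], 0
    for ch in text:
        idx = alphabet.find(ch)
        if idx < 0:
            out.append(ch)
            continue
        shift = alphabet.index(key[ki % len(key)])
        out.append(alphabet[(idx - shift if decrypt else idx + shift) % n])
        ki += 1
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str,
                     alphabet: str = string.ascii_uppercase) -> str:
    return vigenere(ciphertext, key, True, alphabet)


def vigenere_encrypt(plaintext: str, key: str,
                     alphabet: str = string.ascii_uppercase) -> str:
    return vigenere(plaintext, key, False, alphabet)


# Constructed sample: a harmless VBS line "protected" over a printable-ASCII
# alphabet, i.e. the kind of input a VigenereDo-style routine has to reverse.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
SAMPLE_KEY = "zlab"
SAMPLE_PLAIN = 'WScript.Echo "constructed sample"'
SAMPLE_CIPHER = vigenere_encrypt(SAMPLE_PLAIN, SAMPLE_KEY, PRINTABLE)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHER)
    print("recovered :", vigenere_decrypt(SAMPLE_CIPHER, SAMPLE_KEY, PRINTABLE))
```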
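The "iex" hiding trick above works because $PSHOME and $ShellId have predictable values, so indexing single characters out of them and appending 'X' spells "ieX". The following added Python helper (not part of the original analysis) statically resolves such '+'-joined $var[n] expressions so a triage script can flag them without running PowerShell; the $PSHOME path is the typical Windows PowerShell 5.1 value and the sample script is constructed.

```python
import re

# Typical values of the automatic variables the sample indexes into (assumption).
KNOWN_VARS = {
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "shellid": "Microsoft.PowerShell",
}

# One term: an optionally backtick-escaped $var[n] index, or a single-quoted literal.
TERM = re.compile(r"`?\$(\w+)\[(\d+)\]|'([^']*)'")
ATOM = r"(?:`?\$\w+\[\d+\]|'[^']*')"
EXPR = re.compile(ATOM + r"(?:\s*\+\s*" + ATOM + r")+")


def resolve_indexed_string(expr: str, env: dict = KNOWN_VARS) -> str:
    """Evaluate an expression such as $psHomE[4]+$pshOMe[34]+'X' to a string."""
    parts = []
    for term in expr.split("+"):
        m = TERM.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        var, idx, literal = m.groups()
        if var is not None:
            parts.append(env[var.lower()][int(idx)])  # KeyError/IndexError if unknown
        else:
            parts.append(literal)
    return "".join(parts)


def find_hidden_invocations(script: str) -> list:
    """Return (expression, resolved value) pairs for every resolvable expression."""
    hits = []
    for m in EXPR.finditer(script):
        try:
            hits.append((m.group(0), resolve_indexed_string(m.group(0))))
        except (KeyError, IndexError, ValueError):
            continue
    return hits


def hides_iex(script: str) -> bool:
    """Detection: does any indexed-string expression assemble Invoke-Expression?"""
    return any(value.lower() == "iex" for _, value in find_hidden_invocations(script))


# Constructed sample mimicking the two invocations seen in the dropper.
SAMPLE = (".($psHomE[4]+$pshOMe[34]+'X') 'Write-Host constructed'\n"
          "( `$ShELLid[1]+`$shelLID[13]+'X' ) 'second stage'\n"
          "Write-Output 'benign line'")
```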
First of all, the malware checks the current time zone in order to verify whether it is set to +01:00. If so, it downloads the next stage from "hxxps://i[.]imgur[.]com/TVkWKQa[.]png". As in other recent attacks, the downloaded image hides another PowerShell stage, leveraging steganography techniques.
The malware code iterates over each pixel of the image and, through several binary operations, grabs the two least significant bits of every byte of the picture, concatenating them with the other LSBs to produce a complete PowerShell script.
Et voilà, another URL is found but, before downloading the next stage from it, the malware performs a further check on the value returned by "CurrentCulture".
If the check passes, once again through the "IEX" primitive it tries to download another component named "ose000000.exe" from "hxxps://nuovalo[.]site/RGI82B3.-tmp-tmp", saving it in the "%TEMP%" folder. The following table shows information about the sample.
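As an added illustration of the two-LSB extraction described above (written here in Python as an analyst's offline tool, not taken from the malware or from Yoroi), this block rebuilds a hidden payload from a byte array of pixel values and includes a simple triage check: the low bit plane of a real photo decodes to noise, while a hidden script decodes to almost entirely printable text. The bit ordering (four carrier bytes per payload byte, most-significant pair first), the synthetic "image" and the stand-in payload are all constructed assumptions.

```python
from typing import Sequence


def extract_2lsb(carrier: Sequence[int], n_bytes: int) -> bytes:
    """Reassemble n_bytes from the two least-significant bits of each carrier
    byte: four carrier bytes per payload byte, most-significant pair first
    (assumed ordering; the real stage's bit walk is not documented)."""
    if len(carrier) < 4 * n_bytes:
        raise ValueError("carrier too small for requested payload length")
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for j in range(4):
            value = (value << 2) | (carrier[4 * i + j] & 0b11)
        out.append(value)
    return bytes(out)


def embed_2lsb(carrier: Sequence[int], payload: bytes) -> bytes:
    """Inverse of extract_2lsb, used only to build the constructed sample."""
    if len(carrier) < 4 * len(payload):
        raise ValueError("carrier too small for payload")
    stego = bytearray(carrier)
    for i, b in enumerate(payload):
        for j in range(4):
            k = 4 * i + j
            stego[k] = (stego[k] & 0xFC) | ((b >> (6 - 2 * j)) & 0b11)
    return bytes(stego)


def looks_like_script(data: bytes, threshold: float = 0.95) -> bool:
    """Triage check: a genuine image's LSB plane is near-random, whereas a
    hidden PowerShell stage decodes to almost entirely printable ASCII."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


# Constructed sample: a synthetic 20x20 greyscale "image" (400 pixel bytes)
# carrying a harmless stand-in for the hidden PowerShell stage.
CLEAN_PIXELS = bytes((i * 37 + 11) & 0xFF for i in range(400))
HIDDEN_STAGE = b"Write-Host 'constructed sample stage'"
STEGO_PIXELS = embed_2lsb(CLEAN_PIXELS, HIDDEN_STAGE)

if __name__ == "__main__":
    recovered = extract_2lsb(STEGO_PIXELS, len(HIDDEN_STAGE))
    print(recovered.decode(), looks_like_script(recovered))
```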
| SHA-256 | 0f2245eec921949d9a1d8e13cab747a7fbb137aaee3b9ddacee0681c8b2e4fa8 |
| Threat | Ursnif |
| Short description | Final payload of Ursnif banking malware |
| ssdeep | 6144:LCLAh6EzJYJtmavTXyulcNcyuo8PGJMewXo79y:L54EzetmCb3cNc3o0PR4 |
Table 3: information about the Ursnif final payload
This latest Ursnif wave keeps showing a complex infection process. The starting point of the entire chain was the usual Visual Basic macro, this time protecting its code with a Vigenère cipher and responsible for decrypting the additional PowerShell stage, which is launched by abusing Windows Management Instrumentation (WMI) functionality in order to decouple it from the original infection tree. The infection chain is then completed by exploiting steganography techniques to bypass network detection, together with several environmental checks that ensure the malware is running on the expected machines, confirming the highly evasive trend of this aggressive malware threat.
Further technical details, including Indicators of Compromise, are reported in the analysis published on the Yoroi blog.