On the 9th of October our customers started reporting the same kind of incident over the span of a few hours. The identified activity appears to be linked to the banking Trojan Ursnif, a long active malware, whose roots can be traced back to 2007 together with ZeuS and SpyEye, still with strong infection capabilities in each of its campaigns. The attack vector was a malicious email with a Word document attached.
After the initial notifications our Threat Intelligence team moved on to start a more in-depth investigation to understand the relationship with previous campaigns that we have been monitoring through the second semester of the year.
First Assessment
While we cannot confirm that the campaign was focused on a particular geographical area, we noticed that most of the analysed files are addressed to an Italian speaking audience, a sign suggesting that Italy is under the radar of the attackers. Other than in Italy, ReaQta has also identified malware download locations in Russia, Ukraine, Netherlands and the United States. The analysis will focus on the threats received by our Italian customer on the onset of the attack.
Ursnif Infection strategy
The DOC file that’s part of this Ursnif campaign asks the user to enable macros due to “the document being created with a previous version of Microsoft Office Word”. The macro is executed when the document is opened if macros are enabled, otherwise the malicious code will run once the “enable content” button has been clicked.
The MS Word macro runs a command prompt invoking powershell with the parameter -ec, used to decode the instructions to launch the download of the payload (wync6.xap). The following image shows clearly the chain of processes after the execution of the MS Word document macro:
In this specific Ursnif campaign the payload is generated using an increasing sequence of number going from 1 to 7 (e.g.: wync1; wync5; wync7) with the extension “.xap”.
After the Ursnif executes cmd.exe we check its activity from ReaQta-Hive’s behavioral tree:
Cmd.exe spawns powershell.exe (analysis window #1), that in turn drops and run an executable (analysis windows #2,#3), which is the final payload: Ursnif. The interesting behaviour begins after the final payload is executed as it creates a registry key where the next infection stages are stored.
After creating the registry key, Ursnif starts a process by using the command stored in the “dhcpport” value:
`C:\\Windows\\system32\\wbem\\wmic.exe /output:clipboard process call create \"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\B53CC69F-9026-AF48-42B9-C45396FD3837').bthppast))`
We can reconstruct the entire storyline from the screenshot below:
The command runs powershell that will in turn read and run, using invoke-expression, the content of the value “bthppast” (analysis window N#1):
The value data is a PowerShell script, executed directly in memory. Without going deeper, the fileless attack injects code in Explorer (analysis window N#2) after selecting a .dll file that matches the current architecture, the values can be “Client32” or ”Client64”.
After the injection, the malicious code in explorer.exe tries to connect back to the C2 (analysis window N#7).
C2 infrastructure
On all the servers analysed we noticed the same patterns and files structure. The base directory used appears to be common across the same campaign, there are also three sub-directories files used to collect statistics information like:
- Malware downloaded from potential victims
- Victims IP address
- Victims countries
- Blocked IP address
- Bots HID
- Bot version
- Uptime
The root directory is customizable in the crimeware and in the past we’ve found Ursnif threat campaigns with the same file structure but under different root folder names like: “TOL”, “TYJ”, “YUY”, “MXE”, etc. It appears that the root folder names are not reused across different campaigns and they remain in use only for a limited amount of time.
The names assigned to the root folder of the distribution servers appear to be tightly linked to the each running campaign. The list below, collected from August 2018 to today, shows the various campaigns tracked with their respective unique names.
- “WES” from November 5 to the present.
- “TJY” from October 29 to November 5.
- “RUI” from October 16 to October 28.
- “TNT” from August 22 to October 11.
- “TOL” form October 1 to October 6.
- “MXE” from September 24 to October 1.
- “VRE” from September 20 to September 21.
- “DAB” from September 17 to September 21.
- “XOE” from September 13 to September 14.
- “RTT” form September 6 to September 12.
- “YUY” from August 24 to September 6.
- “TST” from August 20 to August 22.
- “FLUX” from August 13 to August 15.
Configuration of the Ursnif executable, in the image below, shows information like: bot version, botnet group ID, DGA (Domain Generation Algorithm) data, C2, etc.
The payload is downloaded and automatically executed, soon after the payload establishes a connection with one of the C&C hardcoded addresses. As a part of the data exfiltration process, .avi files (random filename) are downloaded from a hardcoded address, the URL contains encodes target-related information.
This C&C is managed by the well-known crimeware used by the original Ursnif gang whose login can be found in “wifilhonle.com/auth/login”:
Ursnif monitors successfully infected targets from the “clients” section of its panel. The page shows statistical information related to the of the victim’s computer, among these: the IP address and the country where the infected computer is located, information information and trojan version.
Ursnif Distribution
As we mentioned at the beginning, the C2 are concentrated in Ukraine, Russia, Netherlands the United State and Italy.
The following graphs shows statistics about the download rate of unique samples per hour from the hosted servers, the analysis has been run from November 7 to November 12, 2018 and it’s based on a total of 162.493 samples served from the malicious servers. Also interesting to note the fact that every single sample downloaded is auto-patched before delivery, this way every binary presents a unique hash: possibly an evasion technique to bypass simple hash-based IOC indicators.
Final words
Without any doubt, Ursnif trojan continues to be one of the most active threats today. The combination of lolbins and file-less attack makes it harder to detect and helps Ursnif to pass under the radar of the AV software more easily.
Ursnif is a good example of why Artificial Intelligence driven behavioral analysis plays a central role in the proactive detection of this kind of threats, where a delayed response means the loss of important information for the business.
With ReaQta-Hive we help our customers to detect new threats, and variants thereof, reconstructing information about their behaviors and the associated risk factors, enabling them to detect, alert and stop quickly potential threats before any damage is realized.
IOCS
SHA1 DOC: 8d9c9a8d24ff4e41c19c8583e3c5c48db52f147e > Logisticaservicesrl.doc 963CD36B2FBDC70F9B3AF4ED401A28BEB6F969F9 > GRobotica.doc EDF48AC80E2505241BB4A0378363A3C79FD864B8 > Indalgo.doc F31155687987ACE4D9F547E069789645680D7272 > Network_Connections.doc ae4e6c49d120fa07c1112e5b70cd078654a1b009 > Logisticaservicesrl.doc b902ccbb81c300da92c7428fc30cdc252233249e > Conform.doc cc42e4b4a0d1a851367eb5265b4408c64aa56dab > Ligoratti.doc e6934b62bab58efcd64db4c9774b0f9d908715a1 > MetroBlu.doc SHA1 EXE: 05450C90E23CFBDFC5122D0004A6CA1A51E769C5 > praf3.xap 2600D8F9301DB916949E0D46872768022F808A7C > ledo5.xap 28B78C0B4C52222D3F6BDB9583D7EEF82EBFCEC4 > crypt_2_3105.exe 3AB9EE0B9B8E3098E1252293FC7D03E43CC69590 > hereye.exe 4E36269327981F417D59AFDED3DDE2D11BA99149 > ledo6.xap 6119095DFC0B80C6948B50E13EACAFF8929B56E3 > ledo2.xap 6502563541E8830D418A3877324F42DF0B510CE5 > ledo3.xap 7F704D1CC07575854E98783AF059371E2FCCC4E8 > ledo1.xap 99405F84372E8CBDF8B85D6C5F749FF3FFEA2764 > praf1.xap A1C13D9922C58C38E713D3EAFCA70A2A2589C7CC > ledo4.xap A1DEC1D4523E2E6670F6E45A3924DC4C0121CFFE > ledo7.xap AC4B5DD954EFCC11FB2AFAB0FDE27476CB0615CF > praf5.xap AEB75D73E802A7AF08400CED4252CA4455C0DA82 > praf6.xap C9D09E8767344EC32FD6732173D9557F9C74A802 > praf7.xap CBD009F09109B38C4BEC3C55E827C8FCED057D2E > praf2.xap DEE85E063B55D8CF829950E61285078E1BD35164 > crypt_3100.exe E5C48455F03C18F04D581AE1F95C41C81F653EF2 > praf4.xap EB3100700F3D95B21892B045A5FF32EBAD38A831 > wync1.xap PAYLOAD SERVER & C2: hxxp://46.17.47.99/ hxxp://cythromatt.com hxxp://djecalciar.com hxxp://hutedredea.com hxxp://mnesenesse.com hxxp://nosenessel.com hxxp://ostrolista.com hxxp://pilewitene.com hxxp://podylostol.com hxxp://roidlandev.com hxxp://scopoledod.com hxxp://shumbildac.com hxxp://suggenesse.com hxxp://tifyiskeri.com hxxp://uvurinestl.com hxxp://wifilhonle.com IPs: 185.159.128[.]78 (Russia Federation) 185.180.198[.]222 (Netherlands) 185.180.198[.]228 (Netherlands) 185.180.198[.]229 (Netherlands) 185.180.198[.]230 (Netherlands) 192.162.244[.]12 (Russian Federation) 192.162.244[.]169 (Russian Federation) 192.162.244[.]171 (Russian Federation) 204.79.197[.]200 (United States) 204.79.197[.]200 (United States) 217.147.170[.]91 (Ukraine) 217.147.170[.]94 (Ukraine) 46.17.47[.]4 (Russian Federation) 46.17.47[.]99 (Russian Federation) 46.29.160[.]132 (Russia Federation) 62.149.140[.]59 (Italy) 92.242.63[.]202 (Russian Federation) 93.184.220[.]29 (United States) 94.103.81[.]168 (Russian Federation) 94.103.82[.]216 (Russian Federation) 95.181.198[.]115 (Russian Federation) 95.181.198[.]116 (Russia Federation) 95.181.198[.]72 (Russian Federation)