Ursnif reloaded: tracing the latest trojan campaigns

On the 9^th of October our customers started reporting the same kind of incident over the span of a few hours. The identified activity appears to be linked to the banking Trojan Ursnif, a long active malware, whose roots can be traced back to 2007 together with ZeuS and SpyEye, still with strong infection capabilities in each of its campaigns. The attack vector was a malicious email with a Word document attached.

After the initial notifications our Threat Intelligence team moved on to start a more in-depth investigation to understand the relationship with previous campaigns that we have been monitoring through the second semester of the year.

First Assessment

While we cannot confirm that the campaign was focused on a particular geographical area, we noticed that most of the analysed files are addressed to an Italian speaking audience, a sign suggesting that Italy is under the radar of the attackers. Other than in Italy, ReaQta has also identified malware download locations in Russia, Ukraine, Netherlands and the United States. The analysis will focus on the threats received by our Italian customer on the onset of the attack.

Attached document with template in Italian suggesting to enable macros to view the content

Ursnif Infection strategy

The DOC file that’s part of this Ursnif campaign asks the user to enable macros due to “the document being created with a previous version of Microsoft Office Word”. The macro is executed when the document is opened if macros are enabled, otherwise the malicious code will run once the “enable content” button has been clicked.

The MS Word macro runs a command prompt invoking powershell with the parameter -ec, used to decode the instructions to launch the download of the payload (wync6.xap). The following image shows clearly the chain of processes after the execution of the MS Word document macro:

Obfuscated, base64 encoded and decoded command

Process chain after the execution of the MS Word document macro

In this specific Ursnif campaign the payload is generated using an increasing sequence of number going from 1 to 7 (e.g.: wync1; wync5; wync7) with the extension “.xap”.

After the Ursnif executes cmd.exe we check its activity from ReaQta-Hive’s behavioral tree:

ReaQta-Hive behavioural tree (click to expand)

Cmd.exe spawns powershell.exe (analysis window #1), that in turn drops and run an executable (analysis windows #2,#3), which is the final payload: Ursnif. The interesting behaviour begins after the final payload is executed as it creates a registry key where the next infection stages are stored.

After creating the registry key, Ursnif starts a process by using the command stored in the “dhcpport” value:

`C:\\Windows\\system32\\wbem\\wmic.exe /output:clipboard process call create \"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\B53CC69F-9026-AF48-42B9-C45396FD3837').bthppast))`

We can reconstruct the entire storyline from the screenshot below:

Ursnif infection storyline reconstructed with ReaQta-Hive (click to expand)

The command runs powershell that will in turn read and run, using invoke-expression, the content of the value “bthppast” (analysis window N#1):

The value data is a PowerShell script, executed directly in memory. Without going deeper, the fileless attack injects code in Explorer (analysis window N#2) after selecting a .dll file that matches the current architecture, the values can be “Client32” or ”Client64”.

After the injection, the malicious code in explorer.exe tries to connect back to the C2 (analysis window N#7).

C2 infrastructure

On all the servers analysed we noticed the same patterns and files structure. The base directory used appears to be common across the same campaign, there are also three sub-directories files used to collect statistics information like:

Malware downloaded from potential victims
Victims IP address
Victims countries
Blocked IP address
Bots HID
Bot version
Uptime

The root directory is customizable in the crimeware and in the past we’ve found Ursnif threat campaigns with the same file structure but under different root folder names like: “TOL”, “TYJ”, “YUY”, “MXE”, etc. It appears that the root folder names are not reused across different campaigns and they remain in use only for a limited amount of time.

The names assigned to the root folder of the distribution servers appear to be tightly linked to the each running campaign. The list below, collected from August 2018 to today, shows the various campaigns tracked with their respective unique names.

“WES” from November 5 to the present.
“TJY” from October 29 to November 5.
“RUI” from October 16 to October 28.
“TNT” from August 22 to October 11.
“TOL” form October 1 to October 6.
“MXE” from September 24 to October 1.
“VRE” from September 20 to September 21.
“DAB” from September 17 to September 21.
“XOE” from September 13 to September 14.
“RTT” form September 6 to September 12.
“YUY” from August 24 to September 6.
“TST” from August 20 to August 22.
“FLUX” from August 13 to August 15.

Configuration of the Ursnif executable, in the image below, shows information like: bot version, botnet group ID, DGA (Domain Generation Algorithm) data, C2, etc.

The payload is downloaded and automatically executed, soon after the payload establishes a connection with one of the C&C hardcoded addresses. As a part of the data exfiltration process, .avi files (random filename) are downloaded from a hardcoded address, the URL contains encodes target-related information.

This C&C is managed by the well-known crimeware used by the original Ursnif gang whose login can be found in “wifilhonle.com/auth/login”:

Ursnif monitors successfully infected targets from the “clients” section of its panel. The page shows statistical information related to the of the victim’s computer, among these: the IP address and the country where the infected computer is located, information information and trojan version.

Ursnif Distribution

As we mentioned at the beginning, the C2 are concentrated in Ukraine, Russia, Netherlands the United State and Italy.

The following graphs shows statistics about the download rate of unique samples per hour from the hosted servers, the analysis has been run from November 7 to November 12, 2018 and it’s based on a total of 162.493 samples served from the malicious servers. Also interesting to note the fact that every single sample downloaded is auto-patched before delivery, this way every binary presents a unique hash: possibly an evasion technique to bypass simple hash-based IOC indicators.

Final words

Without any doubt, Ursnif trojan continues to be one of the most active threats today. The combination of lolbins and file-less attack makes it harder to detect and helps Ursnif to pass under the radar of the AV software more easily.

Ursnif is a good example of why Artificial Intelligence driven behavioral analysis plays a central role in the proactive detection of this kind of threats, where a delayed response means the loss of important information for the business.

With ReaQta-Hive we help our customers to detect new threats, and variants thereof, reconstructing information about their behaviors and the associated risk factors, enabling them to detect, alert and stop quickly potential threats before any damage is realized.

IOCS

SHA1 DOC:
8d9c9a8d24ff4e41c19c8583e3c5c48db52f147e > Logisticaservicesrl.doc
963CD36B2FBDC70F9B3AF4ED401A28BEB6F969F9 > GRobotica.doc
EDF48AC80E2505241BB4A0378363A3C79FD864B8 > Indalgo.doc
F31155687987ACE4D9F547E069789645680D7272 > Network_Connections.doc
ae4e6c49d120fa07c1112e5b70cd078654a1b009 > Logisticaservicesrl.doc
b902ccbb81c300da92c7428fc30cdc252233249e > Conform.doc
cc42e4b4a0d1a851367eb5265b4408c64aa56dab > Ligoratti.doc
e6934b62bab58efcd64db4c9774b0f9d908715a1 > MetroBlu.doc

SHA1 EXE:
05450C90E23CFBDFC5122D0004A6CA1A51E769C5 > praf3.xap
2600D8F9301DB916949E0D46872768022F808A7C > ledo5.xap
28B78C0B4C52222D3F6BDB9583D7EEF82EBFCEC4 > crypt_2_3105.exe
3AB9EE0B9B8E3098E1252293FC7D03E43CC69590 > hereye.exe
4E36269327981F417D59AFDED3DDE2D11BA99149 > ledo6.xap
6119095DFC0B80C6948B50E13EACAFF8929B56E3 > ledo2.xap
6502563541E8830D418A3877324F42DF0B510CE5 > ledo3.xap
7F704D1CC07575854E98783AF059371E2FCCC4E8 > ledo1.xap
99405F84372E8CBDF8B85D6C5F749FF3FFEA2764 > praf1.xap
A1C13D9922C58C38E713D3EAFCA70A2A2589C7CC > ledo4.xap
A1DEC1D4523E2E6670F6E45A3924DC4C0121CFFE > ledo7.xap
AC4B5DD954EFCC11FB2AFAB0FDE27476CB0615CF > praf5.xap
AEB75D73E802A7AF08400CED4252CA4455C0DA82 > praf6.xap
C9D09E8767344EC32FD6732173D9557F9C74A802 > praf7.xap
CBD009F09109B38C4BEC3C55E827C8FCED057D2E > praf2.xap
DEE85E063B55D8CF829950E61285078E1BD35164 > crypt_3100.exe
E5C48455F03C18F04D581AE1F95C41C81F653EF2 > praf4.xap
EB3100700F3D95B21892B045A5FF32EBAD38A831 > wync1.xap

PAYLOAD SERVER & C2:
hxxp://46.17.47.99/
hxxp://cythromatt.com
hxxp://djecalciar.com
hxxp://hutedredea.com
hxxp://mnesenesse.com
hxxp://nosenessel.com
hxxp://ostrolista.com
hxxp://pilewitene.com
hxxp://podylostol.com
hxxp://roidlandev.com
hxxp://scopoledod.com
hxxp://shumbildac.com
hxxp://suggenesse.com
hxxp://tifyiskeri.com
hxxp://uvurinestl.com
hxxp://wifilhonle.com

IPs:
185.159.128[.]78 (Russia Federation)
185.180.198[.]222 (Netherlands)
185.180.198[.]228 (Netherlands)
185.180.198[.]229 (Netherlands)
185.180.198[.]230 (Netherlands)
192.162.244[.]12 (Russian Federation)
192.162.244[.]169 (Russian Federation)
192.162.244[.]171 (Russian Federation)
204.79.197[.]200 (United States)
204.79.197[.]200 (United States)
217.147.170[.]91 (Ukraine)
217.147.170[.]94 (Ukraine)
46.17.47[.]4 (Russian Federation)
46.17.47[.]99 (Russian Federation)
46.29.160[.]132 (Russia Federation)
62.149.140[.]59 (Italy)
92.242.63[.]202 (Russian Federation)
93.184.220[.]29 (United States)
94.103.81[.]168 (Russian Federation)
94.103.82[.]216 (Russian Federation)
95.181.198[.]115 (Russian Federation)
95.181.198[.]116 (Russia Federation)
95.181.198[.]72 (Russian Federation)

Blog