Tuesday, November 5, 2024
HomeMalwareA Banking Trojan Called "Ursnif" Using Mouse Moments for Evasion and Decryption...

A Banking Trojan Called “Ursnif” Using Mouse Moments for Evasion and Decryption From Virtual Machine

Published on

Malware protection

Bank Trojan called “Ursnif” using clever Trick to Evade sandbox Detection from the  Virtual Machine Environment by using mouse movements.

New Futures has been embedded with it including anti-sandbox Technique to avoid Detection and its used combination of mouse position and file time stamps.

Trojan This clever Technique helps to decode the internal data and steal Data from the Thunderbird applications.

- Advertisement - SIEM as a Service

Ursnif Trojan focused on extracting contacts and passwords from the Mozilla Thunderbird email client, and its not focusing on stealing credentials for specific banks.

Ursnif spreads itself through emails provided with a plain text password for an attached encrypted document.

Also Read   Banking Trojan “Trickbot” Powered by Necurs Targeting Financial Institutions

Ursnif Delivered via Malicious Document

This Banking Trojan Delivered through email that contains an attached ZIP file within an encrypted Word document with the plain text password within the email body.

 Banking Trojan "Ursnif" Using Mouse

Malicious Spam Email with Attachment (Source : Forcepoint) 

Attached ZIP file contains 3 OLE document icons with the extension “docx. but its, not an actual word Document but it contains several obfuscated VBS files.

 Banking Trojan "Ursnif" Using MouseVB Script code has highly obfuscated and it developed to evade the sandbox Detection and its make Difficult to understand.

It will Download the Malware from the address “‘hxxp://46.17.40[.]22/hyey.pnj ”  once this Trojan triggered in the victim’s Machine.

Once Download Attempt failed , then it will initiate the second attempts that leads to Another site ‘hxxp://inshaengineeringindustries[.]com/head.pkl’.

Malicious File Execution

Downloaded Malicious files are DLL Files which contains alot of obfuscated code that evade the Static analysis Method.

According to Forcepioint, it will drop a second DLL file During execution, , map this new DLL to the current address, fix the Import Address Table and Relocation Table, then finally jump into the entry point to execute.

After complete the self check and integrity it will performing the Following task,

  • Performs anti-sandboxing checks
  • Performs anti-VM checks
  • Implements persistence through an autorun registry key
  • Injects itself into the ‘explorer.exe’ process

Once  this Trojan successfully load into the Victims , it will established the Communication with C&C server via TOR. finally it has limited  Tractability and performing  with anti-sandbox and anti-VM techniques.

Mouse-based Sandbox Technique

Malware Author used an algorithm that help to  difference between the current and previous recorded mouse coordinates to detect mouse movement and avoid sandbox environments where the mouse is not usually moved.

According to Forcepoint, It further uses the value generated by this process to ‘brute force’ its own decryption key.

First stop of the key generation,malware calculate the Delta value between the x coordinates and y Coordination of the Mouse point .

If you want to know the full technical Analysis please visit the Forcepoint Blog

An email campaign delivering the Ursnif banking Trojan which used the ‘Range’ feature within its initial HTTP requests to avoid detection which Discovered earlier time of 2016.

Also Read   Trojan Embedded Game BlazBlue Downloaded by More than Million Android Users from PlayStore

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy...

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Researchers discovered a Russian-linked threat actor, UNC5812, utilizing a Telegram persona named "Civil Defense....

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...