Bank Trojan called “Ursnif” using clever Trick to Evade sandbox Detection from the Virtual Machine Environment by using mouse movements.
New Futures has been embedded with it including anti-sandbox Technique to avoid Detection and its used combination of mouse position and file time stamps.
Trojan This clever Technique helps to decode the internal data and steal Data from the Thunderbird applications.
Ursnif Trojan focused on extracting contacts and passwords from the Mozilla Thunderbird email client, and its not focusing on stealing credentials for specific banks.
Ursnif spreads itself through emails provided with a plain text password for an attached encrypted document.
Also Read Banking Trojan “Trickbot” Powered by Necurs Targeting Financial Institutions
This Banking Trojan Delivered through email that contains an attached ZIP file within an encrypted Word document with the plain text password within the email body.
Malicious Spam Email with Attachment (Source : Forcepoint)
Attached ZIP file contains 3 OLE document icons with the extension “docx. but its, not an actual word Document but it contains several obfuscated VBS files.
It will Download the Malware from the address “‘hxxp://46.17.40[.]22/hyey.pnj ” once this Trojan triggered in the victim’s Machine.
Once Download Attempt failed , then it will initiate the second attempts that leads to Another site ‘hxxp://inshaengineeringindustries[.]com/head.pkl’.
Downloaded Malicious files are DLL Files which contains alot of obfuscated code that evade the Static analysis Method.
According to Forcepioint, it will drop a second DLL file During execution, , map this new DLL to the current address, fix the Import Address Table and Relocation Table, then finally jump into the entry point to execute.
After complete the self check and integrity it will performing the Following task,
Once this Trojan successfully load into the Victims , it will established the Communication with C&C server via TOR. finally it has limited Tractability and performing with anti-sandbox and anti-VM techniques.
Malware Author used an algorithm that help to difference between the current and previous recorded mouse coordinates to detect mouse movement and avoid sandbox environments where the mouse is not usually moved.
According to Forcepoint, It further uses the value generated by this process to ‘brute force’ its own decryption key.
First stop of the key generation,malware calculate the Delta value between the x coordinates and y Coordination of the Mouse point .
If you want to know the full technical Analysis please visit the Forcepoint Blog
An email campaign delivering the Ursnif banking Trojan which used the ‘Range’ feature within its initial HTTP requests to avoid detection which Discovered earlier time of 2016.
Also Read Trojan Embedded Game BlazBlue Downloaded by More than Million Android Users from PlayStore
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…
View Comments