Friday, June 14, 2024

Hackers Launching Ursnif Malware via Weaponized office Document Using Steganography Technique

Cyber Criminals now distributing powerful ursnif malware via malicious Office Documents with multi-stage highly obfuscated PowerShell scripts to bypass security controls.

ursnif is a banking Trojan family that perform the most destructive attack on victims network and now it using the steganography method to hide its malicious code to avoid detection.

Ursnif malware also known as Gozi ISFB, is a variant of the original Gozi banking Trojan, which leaked its source code online in 2014.

Intially usnif Malware distributed via Spam Email that contains a fake document, typically purchase order, invoice .

This malware campaign uses an already well-known payload delivery method which employs Microsoft Excel documents containing a malicious VBA macro.

Once the targeted victims will enable the Macro then it initially checks the victim country using the Application.International MS Office property then it commands to execute the shell.

Later some of the obfuscation function of the Macro code will execute the
 several strings encoded  shell that will be converted into new Powershell command.

According to yoroi research,” the malware tries to download an image from at least one of two embedded URLs:

  • https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
  • https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1

The apparently legit image actually contains a new Powershell command. The weaponized image is crafted using the Invoke-PSImage script, which allows to embeds the bytes of a script into the pixels of a PNG file. “

Later the usnif Malware connect with its command & control server to
download malicious binary which will be injected into explorer.exe process and the server sends the encrypted data.

Finally it complete the decryption process and the stolen data will be stored in the register key that is set by the malware.

“So, using the Powershell script stored into regkey (shown above), Ursnif is able to allocate space enough for its malicious byte array, containing the final payload, and to start it as legit process’ thread through QueueUserAPCand SleepEx calls.”

When the DLL has check it in the virus total , there are no detection occurred and all the AV engine shows it as clean.

“New Ursnif sample uses the same APC injection technique to instill its final binary into explorer.exe process, along with obfuscation and steganography in order to hide its malicious behavior. Ursnif is more active and widespread than yesterday, the contacted C2 is not reachable but the malware implant is still alive”  Researcher said.

This blog post was authored by Antonio Farina, Davide Testa and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles