Ursnif Malware

Cyber Criminals now distributing powerful ursnif malware via malicious Office Documents with multi-stage highly obfuscated PowerShell scripts to bypass security controls.

ursnif is a banking Trojan family that perform the most destructive attack on victims network and now it using the steganography method to hide its malicious code to avoid detection.

Ursnif malware also known as Gozi ISFB, is a variant of the original Gozi banking Trojan, which leaked its source code online in 2014.

Intially usnif Malware distributed via Spam Email that contains a fake document, typically purchase order, invoice .

This malware campaign uses an already well-known payload delivery method which employs Microsoft Excel documents containing a malicious VBA macro.

Once the targeted victims will enable the Macro then it initially checks the victim country using the Application.International MS Office property then it commands to execute the shell.

Later some of the obfuscation function of the Macro code will execute the
 several strings encoded  shell that will be converted into new Powershell command.

According to yoroi research,” the malware tries to download an image from at least one of two embedded URLs:

  • https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
  • https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1

The apparently legit image actually contains a new Powershell command. The weaponized image is crafted using the Invoke-PSImage script, which allows to embeds the bytes of a script into the pixels of a PNG file. “

Later the usnif Malware connect with its command & control server to
download malicious binary which will be injected into explorer.exe process and the server sends the encrypted data.

Finally it complete the decryption process and the stolen data will be stored in the register key that is set by the malware.

“So, using the Powershell script stored into regkey (shown above), Ursnif is able to allocate space enough for its malicious byte array, containing the final payload, and to start it as legit process’ thread through QueueUserAPCand SleepEx calls.”

When the DLL has check it in the virus total , there are no detection occurred and all the AV engine shows it as clean.

“New Ursnif sample uses the same APC injection technique to instill its final binary into explorer.exe process, along with obfuscation and steganography in order to hide its malicious behavior. Ursnif is more active and widespread than yesterday, the contacted C2 is not reachable but the malware implant is still alive”  Researcher said.

This blog post was authored by Antonio Farina, Davide Testa and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Leave a Reply