Wednesday, October 16, 2024
HomeComputer SecurityHackers Launching Ursnif Malware via Weaponized office Document Using Steganography Technique

Hackers Launching Ursnif Malware via Weaponized office Document Using Steganography Technique

Published on

Malware protection

Cyber Criminals now distributing powerful ursnif malware via malicious Office Documents with multi-stage highly obfuscated PowerShell scripts to bypass security controls.

ursnif is a banking Trojan family that perform the most destructive attack on victims network and now it using the steganography method to hide its malicious code to avoid detection.

Ursnif malware also known as Gozi ISFB, is a variant of the original Gozi banking Trojan, which leaked its source code online in 2014.

- Advertisement - SIEM as a Service

Intially usnif Malware distributed via Spam Email that contains a fake document, typically purchase order, invoice .

This malware campaign uses an already well-known payload delivery method which employs Microsoft Excel documents containing a malicious VBA macro.

Once the targeted victims will enable the Macro then it initially checks the victim country using the Application.International MS Office property then it commands to execute the shell.

Later some of the obfuscation function of the Macro code will execute the
 several strings encoded  shell that will be converted into new Powershell command.

According to yoroi research,” the malware tries to download an image from at least one of two embedded URLs:

  • https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
  • https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1

The apparently legit image actually contains a new Powershell command. The weaponized image is crafted using the Invoke-PSImage script, which allows to embeds the bytes of a script into the pixels of a PNG file. “

Later the usnif Malware connect with its command & control server to
download malicious binary which will be injected into explorer.exe process and the server sends the encrypted data.

Finally it complete the decryption process and the stolen data will be stored in the register key that is set by the malware.

“So, using the Powershell script stored into regkey (shown above), Ursnif is able to allocate space enough for its malicious byte array, containing the final payload, and to start it as legit process’ thread through QueueUserAPCand SleepEx calls.”

When the DLL has check it in the virus total , there are no detection occurred and all the AV engine shows it as clean.

“New Ursnif sample uses the same APC injection technique to instill its final binary into explorer.exe process, along with obfuscation and steganography in order to hide its malicious behavior. Ursnif is more active and widespread than yesterday, the contacted C2 is not reachable but the malware implant is still alive”  Researcher said.

This blog post was authored by Antonio Farina, Davide Testa and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...