Hackers Launching Ursnif Malware via Weaponized office Document Using Steganography Technique

Cyber Criminals now distributing powerful ursnif malware via malicious Office Documents with multi-stage highly obfuscated PowerShell scripts to bypass security controls.

ursnif is a banking Trojan family that perform the most destructive attack on victims network and now it using the steganography method to hide its malicious code to avoid detection.

Ursnif malware also known as Gozi ISFB, is a variant of the original Gozi banking Trojan, which leaked its source code online in 2014.

Intially usnif Malware distributed via Spam Email that contains a fake document, typically purchase order, invoice .

This malware campaign uses an already well-known payload delivery method which employs Microsoft Excel documents containing a malicious VBA macro.

Once the targeted victims will enable the Macro then it initially checks the victim country using the Application.International MS Office property then it commands to execute the shell.

Later some of the obfuscation function of the Macro code will execute the
 several strings encoded  shell that will be converted into new Powershell command.

Powershell script deployed by macro code

According to yoroi research,” the malware tries to download an image from at least one of two embedded URLs:

  • https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
  • https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1

The apparently legit image actually contains a new Powershell command. The weaponized image is crafted using the Invoke-PSImage script, which allows to embeds the bytes of a script into the pixels of a PNG file. “

Later the usnif Malware connect with its command & control server to
download malicious binary which will be injected into explorer.exe process and the server sends the encrypted data.

Finally it complete the decryption process and the stolen data will be stored in the register key that is set by the malware.

“So, using the Powershell script stored into regkey (shown above), Ursnif is able to allocate space enough for its malicious byte array, containing the final payload, and to start it as legit process’ thread through QueueUserAPCand SleepEx calls.”

When the DLL has check it in the virus total , there are no detection occurred and all the AV engine shows it as clean.

“New Ursnif sample uses the same APC injection technique to instill its final binary into explorer.exe process, along with obfuscation and steganography in order to hide its malicious behavior. Ursnif is more active and widespread than yesterday, the contacted C2 is not reachable but the malware implant is still alive”  Researcher said.

This blog post was authored by Antonio Farina, Davide Testa and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

1 day ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

1 day ago

Adobe Warns of ColdFusion Vulnerability Allows Attackers Read arbitrary files

Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to address…

1 day ago

Beware of New Malicious PyPI packages That Steals Login Details

Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet's AI-driven OSS malware…

1 day ago

Brazilian Hacker Arrested Hacking Computers & Selling Data

A Brazilian man, Junior Barros De Oliveira, has been charged with multiple counts of cybercrime…

1 day ago

McDonald’s Delivery App Bug Let Customers Orders For Just $0.01

McDonald's India (West & South) / Hardcastle Restaurants Pvt. Ltd. operates a custom McDelivery web…

1 day ago