Wednesday, April 30, 2025
HomeMalwareUrsnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis...

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

Published on

SIEM as a Service

Follow Us on Google News

A Sophisticated Ursnif Malware variant using manipulated TLS call back Anti-Analysis Technique while injecting the Child Process for changing the entry point.

TLS (Thread Local Storage) call backs used for additional initialization and termination that provided by Windows operating system.

Malicious TLS Allows PE files to include malicious TLS callback functions to be executed prior to the AddressOfEntryPoint field in the PE header.

- Advertisement - Google News

In this case, during analysis phase where analysts trying to find the actual entry point to malcode but Malicious TLS callback function leads to execute the malcode Prior to the Common entry point AddressOfEntryPoint.

The Entry Point (AddressOfEntryPoint) defined in the PECOFF format for executable files refers to location in memory where the first instruction of execution will be placed

unlike Ursnif, Many Malware binaries and packers are using CreateRemoteThread Windows API functions to change the entry point for injecting the Process in the memory.

Also Read: A Banking Trojan Called “Ursnif” Using Mouse Moments for Evasion and Decryption From Virtual Machine

Ursnif Malware Analysis & Distribution

The initial distribution of Ursnif spreading via spam Email campaign with company order related mail contents and once we click the “Review document” then malware downloads a ZIP file named YourMYOBSupply_Order.zip.

The zip file contains a malicious javascript, once it gets executed then it Ursnif/Gozi-ISFB will be downloaded and executed.

Since command & Control server communication completely established HTTPS, it’s very difficult to find through analyzing the normal network activities.

During the Execution process, Ursnif malware tries to create a child process named svchost.exe using  CreateProcessW API function in suspended mode.

According to FireEye,Next, for process hollowing of svchost.exe, the malware creates a section object and maps the section using ZwMapViewOfSection.
It uses the memset function to fill the mapped section with zeroes, and then leverages memcpy to copy the unpacked DLL to that region. The malware then resolves three lower level API functions by walking the ntdll.dll module.
Once the new region of memory allocated it construct the entry shellcode in the new memory space.to identify the mapped session of the child process it reads out the PEB(process environment block) structure of the process using a call to ZwReadVirtualMemory.

After this task accomplished, Ursnif Malware trying to change the PE Header Protection permissions and gain the write permission.

Later it will write 8 bytes of the buffer at offset 0x40 in the entry point of the svchost.exe process executable in the target child process.

Region protection back to normal(“read only”) to avoid the suspicion once it successfully writes the buffer.

Again, it repeats the procedure of changing protections for the PE image of svchost.exe to write 8 bytes at an offset of 0x198 bytes from the start of the process executable.

Ursnif using standard DLLMain call entry point to initialize the injected DLL image and execute its entry.

Ursnif Malware

“This newer variant shows that actors are not only modifying the malware to evade signatures, they are also equipping them with stealthier techniques. Unaware debugging environments or detection frameworks can potentially miss the actual hidden TLS callback entry point, allowing the malware to perform its malicious activities under the hood.”

Indicators of Compromise

Filename :YourMYOBSupply_Order.zip
MD5 : f6ee68d03f3958785fce45a1b4f590b4
SHA256 : 772bc1ae314dcea525789bc7dc5b41f2d4358b755ec221d783ca79b5555f22ce

Filename : YourMYOBSupply_Order.js
MD5 : c9f18579a269b8c28684b827079be52b
SHA256 : 9f7413a57595ffe33ca320df26231d30a521596ef47fb3e3ed54af1a95609132

Filename : download[1].aspx
MD5 : 13794d1d8e87c69119237256ef068043
SHA256 : e498b56833da8c0170ffba4b8bcd04f85b99f9c892e20712d6c8e3ff711fa66c

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New WordPress Malware Disguised as Anti-Malware Plugin Takes Full Control of Websites

The Wordfence Threat Intelligence team has identified a new strain of WordPress malware that...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...