Thursday, December 5, 2024
HomeMalwareUrsnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis...

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

Published on

SIEM as a Service

A Sophisticated Ursnif Malware variant using manipulated TLS call back Anti-Analysis Technique while injecting the Child Process for changing the entry point.

TLS (Thread Local Storage) call backs used for additional initialization and termination that provided by Windows operating system.

Malicious TLS Allows PE files to include malicious TLS callback functions to be executed prior to the AddressOfEntryPoint field in the PE header.

- Advertisement - SIEM as a Service

In this case, during analysis phase where analysts trying to find the actual entry point to malcode but Malicious TLS callback function leads to execute the malcode Prior to the Common entry point AddressOfEntryPoint.

The Entry Point (AddressOfEntryPoint) defined in the PECOFF format for executable files refers to location in memory where the first instruction of execution will be placed

unlike Ursnif, Many Malware binaries and packers are using CreateRemoteThread Windows API functions to change the entry point for injecting the Process in the memory.

Also Read: A Banking Trojan Called “Ursnif” Using Mouse Moments for Evasion and Decryption From Virtual Machine

Ursnif Malware Analysis & Distribution

The initial distribution of Ursnif spreading via spam Email campaign with company order related mail contents and once we click the “Review document” then malware downloads a ZIP file named YourMYOBSupply_Order.zip.

The zip file contains a malicious javascript, once it gets executed then it Ursnif/Gozi-ISFB will be downloaded and executed.

Since command & Control server communication completely established HTTPS, it’s very difficult to find through analyzing the normal network activities.

During the Execution process, Ursnif malware tries to create a child process named svchost.exe using  CreateProcessW API function in suspended mode.

According to FireEye,Next, for process hollowing of svchost.exe, the malware creates a section object and maps the section using ZwMapViewOfSection.
It uses the memset function to fill the mapped section with zeroes, and then leverages memcpy to copy the unpacked DLL to that region. The malware then resolves three lower level API functions by walking the ntdll.dll module.
Once the new region of memory allocated it construct the entry shellcode in the new memory space.to identify the mapped session of the child process it reads out the PEB(process environment block) structure of the process using a call to ZwReadVirtualMemory.

After this task accomplished, Ursnif Malware trying to change the PE Header Protection permissions and gain the write permission.

Later it will write 8 bytes of the buffer at offset 0x40 in the entry point of the svchost.exe process executable in the target child process.

Region protection back to normal(“read only”) to avoid the suspicion once it successfully writes the buffer.

Again, it repeats the procedure of changing protections for the PE image of svchost.exe to write 8 bytes at an offset of 0x198 bytes from the start of the process executable.

Ursnif using standard DLLMain call entry point to initialize the injected DLL image and execute its entry.

Ursnif Malware

“This newer variant shows that actors are not only modifying the malware to evade signatures, they are also equipping them with stealthier techniques. Unaware debugging environments or detection frameworks can potentially miss the actual hidden TLS callback entry point, allowing the malware to perform its malicious activities under the hood.”

Indicators of Compromise

Filename :YourMYOBSupply_Order.zip
MD5 : f6ee68d03f3958785fce45a1b4f590b4
SHA256 : 772bc1ae314dcea525789bc7dc5b41f2d4358b755ec221d783ca79b5555f22ce

Filename : YourMYOBSupply_Order.js
MD5 : c9f18579a269b8c28684b827079be52b
SHA256 : 9f7413a57595ffe33ca320df26231d30a521596ef47fb3e3ed54af1a95609132

Filename : download[1].aspx
MD5 : 13794d1d8e87c69119237256ef068043
SHA256 : e498b56833da8c0170ffba4b8bcd04f85b99f9c892e20712d6c8e3ff711fa66c

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...