Friday, March 29, 2024

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

A Sophisticated Ursnif Malware variant using manipulated TLS call back Anti-Analysis Technique while injecting the Child Process for changing the entry point.

TLS (Thread Local Storage) call backs used for additional initialization and termination that provided by Windows operating system.

Malicious TLS Allows PE files to include malicious TLS callback functions to be executed prior to the AddressOfEntryPoint field in the PE header.

In this case, during analysis phase where analysts trying to find the actual entry point to malcode but Malicious TLS callback function leads to execute the malcode Prior to the Common entry point AddressOfEntryPoint.

The Entry Point (AddressOfEntryPoint) defined in the PECOFF format for executable files refers to location in memory where the first instruction of execution will be placed

unlike Ursnif, Many Malware binaries and packers are using CreateRemoteThread Windows API functions to change the entry point for injecting the Process in the memory.

Also Read: A Banking Trojan Called “Ursnif” Using Mouse Moments for Evasion and Decryption From Virtual Machine

Ursnif Malware Analysis & Distribution

The initial distribution of Ursnif spreading via spam Email campaign with company order related mail contents and once we click the “Review document” then malware downloads a ZIP file named YourMYOBSupply_Order.zip.

The zip file contains a malicious javascript, once it gets executed then it Ursnif/Gozi-ISFB will be downloaded and executed.

Since command & Control server communication completely established HTTPS, it’s very difficult to find through analyzing the normal network activities.

During the Execution process, Ursnif malware tries to create a child process named svchost.exe using  CreateProcessW API function in suspended mode.

According to FireEye,Next, for process hollowing of svchost.exe, the malware creates a section object and maps the section using ZwMapViewOfSection.
It uses the memset function to fill the mapped section with zeroes, and then leverages memcpy to copy the unpacked DLL to that region. The malware then resolves three lower level API functions by walking the ntdll.dll module.
Once the new region of memory allocated it construct the entry shellcode in the new memory space.to identify the mapped session of the child process it reads out the PEB(process environment block) structure of the process using a call to ZwReadVirtualMemory.

After this task accomplished, Ursnif Malware trying to change the PE Header Protection permissions and gain the write permission.

Later it will write 8 bytes of the buffer at offset 0x40 in the entry point of the svchost.exe process executable in the target child process.

Region protection back to normal(“read only”) to avoid the suspicion once it successfully writes the buffer.

Again, it repeats the procedure of changing protections for the PE image of svchost.exe to write 8 bytes at an offset of 0x198 bytes from the start of the process executable.

Ursnif using standard DLLMain call entry point to initialize the injected DLL image and execute its entry.

Ursnif Malware

“This newer variant shows that actors are not only modifying the malware to evade signatures, they are also equipping them with stealthier techniques. Unaware debugging environments or detection frameworks can potentially miss the actual hidden TLS callback entry point, allowing the malware to perform its malicious activities under the hood.”

Indicators of Compromise

Filename :YourMYOBSupply_Order.zip
MD5 : f6ee68d03f3958785fce45a1b4f590b4
SHA256 : 772bc1ae314dcea525789bc7dc5b41f2d4358b755ec221d783ca79b5555f22ce

Filename : YourMYOBSupply_Order.js
MD5 : c9f18579a269b8c28684b827079be52b
SHA256 : 9f7413a57595ffe33ca320df26231d30a521596ef47fb3e3ed54af1a95609132

Filename : download[1].aspx
MD5 : 13794d1d8e87c69119237256ef068043
SHA256 : e498b56833da8c0170ffba4b8bcd04f85b99f9c892e20712d6c8e3ff711fa66c

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles