# Ursnif Malware Banks on News Events for Phishing Attacks **[blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks](https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks)** Amit Gadhave May 8, 2022 Ursnif (aka Gozi, Dreambot, ISFB) is one of the most widespread banking trojans. It has been observed evolving over the past few years. Ursnif has shown incredible theft capabilities. In 2020 Ursnif rose to prominence becoming one of the top ten most prolific pieces of malware. Among its core functionalities are stealing credentials, downloading other malware, working as a keylogger, among others. Ursnif is mostly spread through spear phishing emails. Its attacks are often targeted at banking, financial services, and government agencies. In phishing emails, it tries to impersonate government authorities and leverage current events in the news to gain user trust, which leads to initial access to the victim’s system. Once the user opens the malicious attachment, the trojan uses User Agents that imitated Zoom and Webex in a further effort to blend in and allow for exploitation. This behavior was observed during the peak of the pandemic. ## Technical Analysis of Ursnif Malware **Infection Chain** In our analysis, phishing emails with a macro embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain, as pictured below. Fig. 1 Infection chain **Infection Scenario 1: XLS Document Analysis** ----- a c ous S docu e t ( g ) p ete ds to be a docu e t e ated to, t e s pp g co pa y t co ta s ac o code to do oad a binary file from the URL embedded in the document. Once the User enables macro content, the macro gets executed which further downloads the executable binary. Fig. 2 Malicious XLS document After downloading the binary file, it retrieves the handle of `explorer.exe process and calls UpdateProcThreadAttribute to perform parent` PID spoofing (fig. 3). Fig. 3 VBA macro code performing PPID spoofing ----- t e pa e t p ocess o t e d opped e ecutab e, ( 0 e e) s spoo ed to e p o e `e e` to e ade detect o ( g ) Fig. 4 PPID spoofing **Infection Scenario 2: HTA Document Analysis** In another infection scenario, we observed that the phishing email is sent with a zip attachment having an HTA file. After de-obfuscating several layers, PowerShell script downloads a DLL file from an embedded URL and executes it using rundll32.exe. The extension used for the remote DLL is .txt, a feasible way to evade the watchful eyes of most security products. Below, figure 5 shows several obfuscation layers in the HTA sample: Fig. 5 HTA document analysis ## Technical Analysis of Ursnif Loader Ursnif loader contains several layers of in-memory unpacking routines which are observed in malware families like zloader, emotet, and others. It rewrites an in-memory image with a new unpacked binary that uses the Thread APC injection technique to execute malicious code in another thread of a current process. Once the control is passed to the final loader, it decrypts the BSS section. The BSS section contains important configuration details in encrypted form, such as libraries and API names, string formats for sending data to Command & Control (CnC), registry entries, bat commands format, PowerShell commands format, HTA application format, etc. These configuration details are required for performing further activities. Below, figures 7 and 8 reveal that the malware uses campaign date as a key to decrypt the BSS section. ----- Fig. 6 BSS section decryption routine Fig. 7 Decrypted BSS section content Ursnif parses the configuration details through the JJ structure present in the PE (Portable Executable) header (fig. 9). The JJ structure contains the config blob address, config size, CRC Hash of decoded config and XOR key used to decode the config blob. Fig. 8 JJ header of loader Below, figure 10 reveals the configuration details present in the blob. Fig. 9 Configuration blob of loader The malware process iterates through CnC and uses these configuration details to generate a http GET request to CnC as shown in figure 10. It collects some information from the host machine like computer name, username, uptime, and CRC. ----- Fig. 10 HTTP GET request Below are parameters which are encrypted in the GET request: ``` soft, version, user, server, id, crc, uptime, size, hash, dns, whoami ``` Parameters like `soft and` `version are hardcoded in the binary. Here, the version might specify the malware binary version.` The `user parameter is generated using username, computer name, and the result of _CPUID instruction. It may be used by the threat actor` to uniquely refer to execution instance. The `server and` `id values are taken from the extracted config.` The `uptime parameter is a result of the QueryPerformanceCounter API.` Further, it encrypts a http request with (AES-CBC mode) using a 128-bit key present in the extracted config and performs BASE64 encoding. It performs transformations like replacing `+,` `/ with` `_2B,` `_2F respectively and inserts` `/ at random locations.` Figure 11 shows a typical encrypted http GET request. Fig. 11 Encrypted request If CnC is active, it responds with encrypted data in BASE64 encoded form. In recent versions (2.60.xxx), we observed that sometimes data is not base64 encoded. Below, figure 12 shows a typical response from the server: Fig. 12 Encrypted response Ursnif malware first decodes the base64 string and then decrypts the last 0x80 bytes using an RSA key embedded in the config. Below, figure 13 reveals the RSA key present in the config. Fig. 13 RSA key present in the sample ----- Fig. 14 Implementation for RSA decryption logic The last 0x80 bytes holds required information to decrypt the full response like a MD5 hash of the decrypted data, the key to decrypt data, and the size of the data to decrypt (fig. 15). Fig. 15 Last 0x80 bytes of response Once the full response is decrypted (AES-CBC mode) using the key received, it will validate the decrypted data by checking the MD5 hash. Ursnif can take a different action based on the response received. In our analysis, we observed that the decrypted data is the final payload of Ursnif. ## Technical Analysis of Ursnif Payload In our analysis, we saw that the final payload is a keylogger. Once control is transferred to the payload, it will connect to the CnC address extracted from its config and download an RSA encrypted browser account grabber module. After decryption, it collects Chrome, Firefox, and Microsoft Edge browsers’ sensitive info like credentials, cookies, etc. via this grabber module, compresses it, and AES (Advanced Encryption Standard) encrypts it using the key from config. Further, it sends this information to the attacker’s CnC via http post request (figs. 16, 17). While sending information, it uses the following different values for the post parameter ``` type to differentiate the kind of information it is sending. Some values include: ``` Type=6 – System info Type=15 – Key logged data, clipboard etc. Type=20 – Saved browser credentials Type=22 – Cookies ----- Fig. 16 Sending credentials Fig. 17 Sending cookies Ursnif malware also collects and sends the following sensitive system information: 1. Output of `System Info command` 2. List of processes – task list /svc 3. List of installed drivers – driver query 4. Registry query information (details of installed applications) – reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall 5. Output of `Net config workstation` Ursnif then starts capturing keylogging and clipboard events in the system and sends it to the attacker’s CnC at regular intervals. All the data it sends is first compressed and then AES encrypted using the key present in the config. Based on Ursnif’s code, the malware also has the capability to download and execute binary and upload files and screenshots from the victim’s system. Based on our analysis, one thing is clear: Ursnif is bad news. IOCs: Domains: ----- ``` linkspremium[.]ru premiumlists[.]ru Vilogerta[.]top interblog[.]top interforum[.]top premiumlines[.]top linespremium[.]ru linespremium[.]pw blogerslives[.]com blogerslines[.]com blogspoints[.]com blogspoints[.]ru filmspoints[.]com ``` Hashes: ``` XLS document: D39AAA321588E8B1E8FE694732B533BE31C57B60A3C1B7CF73047974606C0C64 EF2CD6B4FD4FBEEDC663F59C5196F63338B9F66242230D15F70CDAEBA3BFDE54 Hta document: DC21DB5D469BD554E41C8AEA35324E875475418AE23EB2378265636F0F781F85 loader: 42A1D2A7885898C85524A6B18550A9E01B86E5AD1C33AF845B6AE1450EF69BFE D61EE5E7B17684983EA9049F719BEB05978A813638F53F7625E970BAE1C2ABD7 32C049803E5E151D305C79A1067920A7EAA2DABB92FA7F33EF950097BBA016F2 Payload: CCB10C384D7A9C1D5C1C0383F97DF96B299D641FAECC7F3B4A5F31F2C0707C8A 739E193792AA810BCB005DDF4606366D472FE41EC50C304384EBA212510CC239 A204181541DC2772443BB00328D084EDC872CF61289862220F93994FE4E9ED21 0F3AA6870B171BEA342D0CF7166332F047BA58CCDED701E0AAA2BE84194203B9 Browser account grabber 91C4EDD3F6C51AFFD87434A3DB15B25408C26F7B77D94E568F91B9A5C4D63372 44E35DB1C2BFEEEE33F0A74874BE2E0CC041A38E63E78DA425052B0DFEB5F93D ``` Ursnif Mitre Att&ck TTP Map: **Initial** **Access** **Execution** **Persistence** **Defense** **Evasion** Parent PID Spoofing (T1134.004) Obfuscated Files or Information (T1027) Process Injection: Asynchronous Procedure Call (T1055.004) **Credential** **Access** **Discovery** **Collection** Credentials from Password Stores: Credentials from Web Browsers (T1555.003) Input Capture: Keylogging (T1056.001) Input Capture: GUI (Graphical User Interface) Input Capture (T1056.002) **Command** **and** **Control** **Exfilt** Phishing: Spear phishing Attachment (T1566.001) User Execution (T1204 .002) Command and Scripting Interpreter: Visual Basic (T1059.005) Command and Scripting Interpreter: PowerShell (T1059.001) Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) Create or Modify System Process: Windows Service (T1543.003) **privilege** **Escalation** Process Injection: Asynchronous Procedure Call (T1055.004) Application Window Discovery (T1010) Process Discovery (T1057) Query Registry (T1012) Clipboard Data (T1115) Input Capture: Keylogging (T1056.001) Input Capture: GUI Input Capture (T1056.002) Application Layer Protocol: Web Protocols (T1071.001) Ingress Tool Transfer (T1105) Exfilt Over Chan (T104 ----- **Initial** **Access** **Execution** **Persistence** Windows Management Instrumentation (T1047) **privilege** **Escalation** System Binary Proxy Execution – Rundll32 (T1218.011) **Defense** **Evasion** System Binary Proxy Execution – Regsvr32 (T1218.010) **Credential** **Access** **Discovery** **Collection** Steal Web Session Cookie (T1539) System Service Discovery (T1007) **Command** **and** **Control** **Exfilt** System Information Discovery (T1082) Data from Configuration Repository: Network Device Configuration Dump (T1602.002) ## Detection, Mitigation or Additional Important Safety Measures Beware of emails Don’t open attachments and links from unsolicited emails. Delete suspicious looking emails you receive from unknown sources, especially if they contain links or attachments. Cybercriminals use ‘social engineering’ techniques to lure users into opening attachments or clicking on links that lead to infected websites. Disable macros for Microsoft Office Don’t enable macros in document attachments received via email. A lot of malware infections rely on your action to turn ON macros. Consider installing Microsoft Office Viewers. These viewer applications let you see what documents look like without even opening them in Word or Excel. More importantly, the viewer software doesn’t support macros at all, so this reduces the risk of enabling macros unintentionally. -----