Ursnif VS Italy: Il PDF del Destino
By Kostas
Published: 2023-07-31 · Archived: 2026-04-06 00:07:26 UTC
9 min read
Jul 18, 2023
This is the second blog of this series which displays the actions that threat actors are taking upon post-exploitation
efforts. Just a reminder, these short blog posts come with sanitized artifacts of the intrusion I observed. This is so
people can use it for training materials or recreate the investigation steps I followed in their own lab. You can find
the artifacts in the repo below.
Intrusion_data: https://github.com/tsale/Intrusion_data
Summary
In the first week of July, I observed post-exploitation activity from an Ursnif malware initial infection. Post-exploitation activities were very rapid, with threat actors enabling the VNC feature of the malware to interact with
the infected host. Through VNC’s graphical interface, they quickly searched for important documents on mapped
share drives. They later used the command prompt to run enumeration commands before using process injection
to spawn a Cobalt Strike beacon.
Several hours after the initial infection, the Cobalt Strike beacon came to life and threat actors started enumerating
the environment. They used their existing beacon session and attempted to elevate their access using a zerologon
exploit. After about 10 hours, I witnessed them spawning a new Cobalt Strike beacon using a PowerShell loader.
This second beacon communicated with a different C2 IP. This was the last activity I observed through my
analysis, it is possible that the threat actors left the infected environment or that the gap of inactivity allowed for
response and remediation of the infected host.
Further Intelligence Gathering
During the ursnif VNC sessions, I was able to extract interesting data from the unencrypted network
communication. Specifically, I managed to obtain the threat actors’ clipboard as well as screenshots. This
information provides valuable insight into the attackers’ tactics, techniques, and procedures (TTPs). It allows us to
see the attack from their eyes. Their respective sections below will cover the relevant details regarding the
intrusion.
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 1 of 12

The Hands-On-Keyboard (HOK) activity began 30 minutes after the initial execution of the Ursnif malware. This
emphasizes the importance of promptly addressing initial access broker malware. During the intrusion, it seemed
like the infected host was shared among multiple groups. This is due to the long periods of inactivity observed, the
different C2 channels as well as the repetitive enumeration commands on every newly established connection to a
different C2 infrastracture. Trustworthy threat intelligence sources reveal how criminals divide responsibilities
during an intrusion after the initial infection.
Establishing initial access themselves is no longer really required for threat actors, there’s a good
chance someone else has already done it and is happy to sell it on. ~ source by @BushidoToken
It is also possible for different threat actors to often specialize in different aspects of an attack. In this case, the job
of threat actors that responded to the initial infection could have been to profile the victim host and organization.
There was no activity from the beacon loaded in memory for five hours after the initial infection.
Press enter or click to view image in full size
Due to the sensitivity of the enclosed data, the VNC communication was not included in the network
traffic artifacts. However, information on how to extract this data as well as sanitized screenshots will
be shared down below.
Initial Access
The phishing campaign that resulted in this intrusion targeted Italian organizations. The phishing email contained
a PDF attachment that started the malicious execution chain, as reported by @JAMESWT_MHT in this thread.
Press enter or click to view image in full size
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 2 of 12

This blog will focus on the malicious Ursnif DLL loader and the post-exploitation activity after the malware was
installed on the infected host.
Execution
After the Ursnif DLL was loaded in memory, a series of automated activities took place in a very short timeframe.
Here’s a visualization of the execution flow:
Press enter or click to view image in full size
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 3 of 12

The malware used mshta.exe to run an encoded script from Registry Key via the Explorer.exe parent process as
part of the initial automated tasks.
C:\Windows\System32\mshta.exe” “about:<hta:application>
<script>Vsde=’wscript.shell’;resizeTo(0,2);eval(new
ActiveXObject(Vsde).regread(‘HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\98A2C439–17C5–8A1F-614C-3B5E25409F72\\\ToolAbout’));if(!window.flag)close()</script>
Here is a breakdown of the script:
‘about:’: This starting element creates an executable HTML Application loaded as a data URL.
‘<hta:application><script>Vsde=’wscript.shell’:’ creates a Windows scripting host shell object.
‘resizeTo(0,2);’: makes the application basically invisible.
‘eval(new
ActiveXObject(Vsde).regread(‘HKCU\\\\Software\\AppDataLow\\Software\\Microsoft\\98A2C439–
17C5–8A1F-614C-3B5E25409F72\\ToolAbout’));’: This accesses and reads the registry key specified,
and then evaluates/runs the code found within it.
‘if(!window.flag)close()’: closes the script if a specific flag is not found.
The code within the registry was a PowerShell command designed to execute scripts concealed within the
specified registry key, all while using built-in aliases to obscure the exact function being run.
The PowerShell command:
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 4 of 12

powershell.exe” new-alias -name ricvpy -value gp; new-alias -name xhpsqr -value iex; xhpsqr
([System.Text.Encoding]::ASCII.GetString((ricvpy
“HKCU:Software\AppDataLow\Software\Microsoft\98A2C439–17C5–8A1F-614C-3B5E25409F72”).MarkTime))
For a detailed explanation of the Ursnif execution flow, please see the relevant report that we (The DFIR Report
team) released back in January: Unwrapping Ursnifs Gifts. The TTPs are identical.
💡 Detection Opportunity
We can detect and hunt for process execution events that are using command line interpreters such as
mshta.exe or powershell.exe to read, decode and execute strings from the registry. (see Sigma rule on
the IOC section at the end of the blog)
Persistence
Ursnif created a persistence through the registry run keys by adding an LNK file pointing to the PowerShell
executable and including parameters to execute a PowerShell script saved on disk.
All registry key names and malicious artifacts are randomized with each execution by the malware.
Get Kostas’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
\REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\ProcessFolder
cmd.exe /c start C:\\Users\\<user>\\ ProcessFolder.lnk -ep unrestricted -file C:\\Users\\
<user>\\ToolAbout.ps1"
💡 Detection Opportunity
Identify any Windows registry Run and RunOnce keys That contain parameters to facilitate the
execution of scripts under the C:\Users directory. Depending on the environment, you may need to
create a baseline of scripts that are scheduled to run on startup and exclude them.
Defense Evasion
Throughout the intrusion, there have been many occasions where the malware used process injection. Ursnif used
remote process injection to execute a beacon by spawning a thread under conhost.exe.
Press enter or click to view image in full size
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 5 of 12

In a different example, Ursnif injected into explorer.exe to perform multiple functions.
Press enter or click to view image in full size
💡 Detection Opportunity
A beacon running under the conhost.exe process was reaching out to malicious infrastructure. This is
suspicious behaviour, as conhost.exe should not be making external connections, especially at high
intervals. We can use this as an example case to detect any unexpected Windows binary connections to
hosts outside of our network.
Discovery
After the initial infection, Ursnif executed the following automated commands on the infected host. The
command’s output was saved as “.bin1” files in C:\Users\<user>\Appdata\Local\Temp.
cmd /C “wmic computersystem get domain |more > C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “echo — — — →> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “systeminfo.exe > C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “net view >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “nslookup 127.0.0.1 >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “tasklist.exe /SVC >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “driverquery.exe >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “reg.exe query “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” /s >> C:\Users\<use
cmd /C “nltest /domain_trusts >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “nltest /domain_trusts /all_trusts >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “net view /all /domain >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “net config workstation >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /C “net view /all >> C:\Users\<user>\AppData\Local\Temp\4FCE.bin1”
cmd /U /C “type C:\Users\<user>\AppData\Local\Temp\4FCE.bin1 > C:\Users\<user>\AppData\Local\Temp\4FC
cmd /C “net use >> C:\Users\<user>\AppData\Local\Temp\F7A7.bin1”
cmd /C “echo — — — →> C:\Users\<user>\AppData\Local\Temp\F7A7.bin1”
cmd /U /C “type C:\Users\<user>\AppData\Local\Temp\F7A7.bin1 > C:\Users\<user>\AppData\Local\Temp\F7A
After executing the enumeration commands, the malware exfiltrated and deleted the files with the .bin extension.
Furthermore, I observed many enumeration commands via the Hands-On-Keyboard (HOK) activities. Below are
the enumeration commands in question.
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 6 of 12

cmd.exe /C whoami/all
cmd.exe /C net group “Domain Admins” /Domain
cmd.exe /C systeminfo
cmd.exe /C nltest /dclist: domain.local
cmd.exe /C nltest /domain_trusts
cmd.exe /C ipconfig /all
cmd.exe /C whoami /all
cmd.exe /C ping <DomainController>.domain.local
cmd.exe /k whoami /groups
cmd.exe /k net use
cmd.exe /k arp -a
cmd.exe /k tasklist
cmd.exe /k ping 8.8.8.8
💡 Detection Opportunity
We can detect the many auto-discovery commands that run in a small time frame, usually within 1
minute from start to finish. Most initial access broker malware runs similar discovery commands in a
short time span. This detection technique can help identify other malware or suspicious activity in our
network.
Press enter or click to view image in full size
Command and Control
Common control communication was established initially through Ursnif malware and later on via Cobalt strike
beacons. Please see below the atomic indicators related to the C2 infrastructure.
Ursnif VNC
Thanks to @0xThiebaut’s tool PCAPeek, I was able to reconstruct some of the VNC traffic. More specifically, I
was able to collect a threat actor’s clipboard data and collect some valuable insights into their operations.
Use of LightShot capturing tool
The threat actors behind Ursnif appeared to make users of LightShot, the screen-capturing tool. Throughout their
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 7 of 12

HOK activity, I found many links in their clipboard that pointed to an uploaded screenshot to https://prnt.sc. The
screenshots showed different details about the infected host, such as its network shares.
Misc Interesting Clipboard Data
Along with multiple copy-paste commands, there were the servers that hosted the admin panel they used for this
campaign. The URL paths and parameters found as part of the clipboard data indicated sensitive server resources
related to the malware campaign.
In the interest of information gathering and ongoing threat intelligence efforts, I will not make any of the
information related to the admin panel public. The information is shared with trusted groups of the infosec
community.
Visuals
Below, you can see sanitized visuals of the threat actor’s HOK activity recovered using PCAPeek.
Press enter or click to view image in full size
Press enter or click to view image in full size
Press enter or click to view image in full size
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 8 of 12

IOC/IOA
Cobalt Strike C2
173.44.141.237:80
170.130.165.159:80
173.44.141.199:80
152.89.198.29:80
173–44–141–47.nip.io
Ursnif C2
http://avas1t.de/in/loginq/...
http://109.105.198.129/pictures/…
185.82.127.183:80
http://31.172.83.49/pictures/…
91.201.65.64:9955 (VNC)
91.201.65.64:9989 (VNC)
http://delideta.com/pictures/... (IP = 91.212.166.44)
http://itwicenice.com/pictures/... (IP = 91.212.166.44)
Cobalt Strike Profile
BeaconType: HTTP
Port: 80
SleepTime: 45000
MaxGetSize: 2801745
Jitter: 37
PublicKey_MD5: a37589ce24a7082ed1c6728b50d73d02
C2Server: 173.44.141.237,/jquery-3.3.1.min.js
UserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
HttpPostUri: /jquery-3.3.2.min.js
Malleable_C2_Instructions: Remove 1522 bytes from the end
 Remove 84 bytes from the beginning
 Remove 3931 bytes from the beginning
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 9 of 12

Base64 URL-safe decode
 XOR mask w/ random key
HttpGet_Metadata: ConstHeaders
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Referer: http://code.jquery.com/
 Accept-Encoding: gzip, deflate
 Metadata
 base64url
 prepend “__cfduid=”
 header “Cookie”
HttpPost_Metadata: ConstHeaders
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Referer: http://code.jquery.com/
 Accept-Encoding: gzip, deflate
 SessionId
 mask
 base64url
 parameter “__cfduid”
 Output
 mask
 base64url
 print
HttpGet_Verb: GET
HttpPost_Verb: POST
Spawnto_x86: %windir%\syswow64\dllhost.exe
Spawnto_x64: %windir%\sysnative\dllhost.exe
Proxy_Behavior: Use IE settings
Watermark_Hash: bfnETSwzb1Xsa2g6gr+auA==
Watermark: 674054486
bStageCleanup: True
bCFGCaution: False
KillDate: 0
bProcInject_StartRWX: False
bProcInject_UseRWX: False
bProcInject_MinAllocSize: 17500
ProcInject_PrependAppend_x86: b’\x90\x90'
 Empty
ProcInject_PrependAppend_x64: b’\x90\x90'
 Empty
ProcInject_Execute: ntdll:RtlUserThreadStart
 CreateThread
 NtQueueApcThread-s
 CreateRemoteThread
 RtlCreateUserThread
ProcInject_AllocationMethod: NtMapViewOfSection
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 10 of 12

Suricata Rules
ET MALWARE Ursnif Variant CnC Data Exfil
ET MALWARE Ursnif Variant CnC Beacon 3
ET MALWARE Ursnif Variant CnC Beacon — URI Struct M1 (_2B)
ET MALWARE Ursnif Variant CnC Beacon — URI Struct M2 (_2F)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET EXPLOIT Possible Zerologon Phase 1/3 — NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020–1472)
ET USER_AGENTS WinRM User Agent Detected — Possible Lateral Movement
ET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized
ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
ET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND
ET INFO Dotted Quad Host RAR Request
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
ET MALWARE Cobalt Strike Activity (POST)
ET MALWARE Cobalt Strike Beacon Activity (GET)
Sigma Rules
Custom
Ursnif Discovery Commands Redirection
Explorer UAC Bypass via NOUACCHECK
Sigma Repo
Suspicious Csc.exe Source File Folder
Usage Of Web Request Commands And Cmdlets
Explorer NOUACCHECK Flag
Share And Session Enumeration Using Net.EXE
Non Interactive PowerShell Process Spawned
Suspicious PowerShell Parameter Substring
PowerShell Download Pattern
Whoami Utility Execution
Ursnif Loader
Mshta Executing from Registry
Artifacts
b565aa423ca4ba6e8c6b208c22e5b056.dll —
894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
ToolAbout.ps1–6e8b848e7e28a1fd474bf825330bbd4c054346ad1698c68e7a59dd38232a940a
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 11 of 12

beacon.bin — 1324e7654a144c20637820a022d49c449cca1ff1d2c7e040bf23421d52146e93
Thank You Notes
A special thanks to @JAMESWT_MHT and @reecdeep for continuously sharing information related to the latest
campaigns. You make the world a safer place 🙏
References
https://www.sentinelone.com/blog/more-evil-markets-how-its-never-been-easier-to-buy-initial-access-to-compromised-networks/
https://blog.bushidotoken.net/2022/03/one-way-or-another-initial-access.html
https://blog.bushidotoken.net/2021/09/how-do-you-run-cybercrime-gang.html
Source: https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Page 12 of 12