Ursnif Trojan uses the Fileless Persistence as well as CAB for the Stealthily Data Exfiltration

Ursnif, also identified as Dreambot, initially focuses on stealing online banking information from the browsers along with emails. However, this Trojan has several modules which extend its functionality as well as recently been used for deploying other types of malware as well.

Talos says that Ursnif is "one of the most popular malware that attackers have deployed recently". Ursnif distribution campaign, which has been observed recently, leveraged a MS Word document that contains malicious VBA macro to distribute malware. The document comprises of an image, which suggested intended victim to allow as well as enable content.

In case the MS Office already allows this type of code to run, then the macro will be automatically executed once the document got opened, via AutoOpen function, says the Talos' researchers.

Generally obfuscated, the macro comprises one line code for accessing AlternativeText property of Shapes object "j6h1cf," the base64-encoded PowerShell command for downloading the Ursnif from its C&C (Command and Control) server and then for executing it.

Registry data is being created for next stage, and the WMIC (Windows Management Instrumentation Command-line) is used for running the PowerShell to extract value of APHohema key. APHohema key is hexadecimal-encoded PowerShell command.

This command created a byte array that contains a malicious DLL, created a function that is later used for decoding base64-encoded PowerShell, and executes base64-decode function. This again resulted in another PowerShell that is run by shorthand iex (Invoke-Expression) function for executing an APC (Asynchronous Procedure Call) Injection.

Firstly the injection allocates memory for malicious DLL having VirtualAllocEx, which is targeting current process, and then copies malicious DLL into newly allocated memory.

The malware makes Command and Control requests over the HTTPS, after the process of infection has been completed. CAB files format use for storing the harvested data before the exfiltration is being revealed by analysis of this traffic.

"Ursnif is a fan of 'fileless' persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop," Talos concludes.

» SPAMfighter News - 2/12/2019