This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Malspam delivers Ursnif Banking Trojan 1-12-2018

AhmedSonbol1
Employee
Employee
‎2018-01-16 11:27 AM

Malspam was observed on January 12th 2018 delivering Ursnif (AKA Gozi). Ursnif is a Banking Trojan that was discovered in 2007. Originally it was targeting banking wire systems in English speaking countries. In the past decade, its list of target countries expanded and its capabilities evolved. In addition to stealing banking credentials, Ursnif can now collect user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites [1]. 

 

In October 2017, security researchers took notice of a new Ursnif spam campaign [2]. The actors behind this campaign developed their macros to run when the document is closed. Sandbox technologies might miss this behavior and it could prove to be a simple yet effective evasion technique.

 

Let's take this delivery document as an example. Submitting it to RSA pre-release What's This File service shows the embedded VBA code including its AutoClose function:

 

Screen Shot 2018-01-16 at 10.29.45 AM.png

 

Screen Shot 2018-01-16 at 10.26.49 AM.png

 

Screen Shot 2018-01-16 at 10.28.04 AM.png

 

On NetWitness Packets, first there is a DNS request to what looks like a DGA delivery domain. Notice the large number of answers in the DNS response:

 

Screen Shot 2018-01-16 at 10.37.16 AM.png

 

Next, an HTTP GET request to retrieve a script from the domain:

 

Screen Shot 2018-01-16 at 10.43.15 AM.png

 

Screen Shot 2018-01-16 at 10.45.05 AM.png

 

Here is a better look at the downloaded script:

 

Screen Shot 2018-01-16 at 10.30.48 AM.png

 

The script reaches out to the same domain in order to download an executable. Notice the usage of PFX file extension and the absence of many headers in the HTTP GET request:

 

Screen Shot 2018-01-16 at 10.47.14 AM.png

 

Screen Shot 2018-01-16 at 10.50.00 AM.png

 

Screen Shot 2018-01-16 at 10.54.19 AM.png

 

VirusTotal scan results indicate that the binary is an Ursnif variant.

 

Once the download is complete and the malware is executed, it checks in with the same domain:

 

Screen Shot 2018-01-16 at 10.52.20 AM.png

 

Screen Shot 2018-01-16 at 10.55.36 AM.png

 

Here is a recap of the network activity:

 

Screen Shot 2018-01-16 at 10.56.59 AM.png

 

More information about the recent Ursnif variants can be found in this Malware Breakdown blog post.

 

Delivery document (SHA256):

  • a0a946868e2a067fc2144f19faa161b586c85fe57413633525e8e8bd5e2f48d6

 

Ursnif binary (SHA256):

  • eee6bd38c0e6498fadc466d5a1b635271b63c4235a3b271a9e15d5896c5a045a

 

All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

References:

  1. https://threatpost.com/ursnif-banking-trojan-spreading-in-japan/128643/ 
  2. https://blog.trendmicro.com/trendlabs-security-intelligence/new-malicious-macro-evasion-tactics-exposed-ursnif-spam-mail… 
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.