This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • Blog
  • Malspam delivers Ursnif Banking Trojan 1-12-2018

Malspam delivers Ursnif Banking Trojan 1-12-2018

AhmedSonbol1
Employee AhmedSonbol1
Employee
Options
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Email to a Friend
  • Printer Friendly Page
  • Report Inappropriate Content
‎2018-01-16 11:27 AM

Malspam was observed on January 12th 2018 delivering Ursnif (AKA Gozi). Ursnif is a Banking Trojan that was discovered in 2007. Originally it was targeting banking wire systems in English speaking countries. In the past decade, its list of target countries expanded and its capabilities evolved. In addition to stealing banking credentials, Ursnif can now collect user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites [1]. 

 

In October 2017, security researchers took notice of a new Ursnif spam campaign [2]. The actors behind this campaign developed their macros to run when the document is closed. Sandbox technologies might miss this behavior and it could prove to be a simple yet effective evasion technique.

 

Let's take this delivery document as an example. Submitting it to RSA pre-release What's This File service shows the embedded VBA code including its AutoClose function:

 

Screen Shot 2018-01-16 at 10.29.45 AM.png

 

Screen Shot 2018-01-16 at 10.26.49 AM.png

 

Screen Shot 2018-01-16 at 10.28.04 AM.png

 

On NetWitness Packets, first there is a DNS request to what looks like a DGA delivery domain. Notice the large number of answers in the DNS response:

 

Screen Shot 2018-01-16 at 10.37.16 AM.png

 

Next, an HTTP GET request to retrieve a script from the domain:

 

Screen Shot 2018-01-16 at 10.43.15 AM.png

 

Screen Shot 2018-01-16 at 10.45.05 AM.png

 

Here is a better look at the downloaded script:

 

Screen Shot 2018-01-16 at 10.30.48 AM.png

 

The script reaches out to the same domain in order to download an executable. Notice the usage of PFX file extension and the absence of many headers in the HTTP GET request:

 

Screen Shot 2018-01-16 at 10.47.14 AM.png

 

Screen Shot 2018-01-16 at 10.50.00 AM.png

 

Screen Shot 2018-01-16 at 10.54.19 AM.png

 

VirusTotal scan results indicate that the binary is an Ursnif variant.

 

Once the download is complete and the malware is executed, it checks in with the same domain:

 

Screen Shot 2018-01-16 at 10.52.20 AM.png

 

Screen Shot 2018-01-16 at 10.55.36 AM.png

 

Here is a recap of the network activity:

 

Screen Shot 2018-01-16 at 10.56.59 AM.png

 

More information about the recent Ursnif variants can be found in this Malware Breakdown blog post.

 

Delivery document (SHA256):

  • a0a946868e2a067fc2144f19faa161b586c85fe57413633525e8e8bd5e2f48d6

 

Ursnif binary (SHA256):

  • eee6bd38c0e6498fadc466d5a1b635271b63c4235a3b271a9e15d5896c5a045a

 

All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

References:

  1. https://threatpost.com/ursnif-banking-trojan-spreading-in-japan/128643/ 
  2. https://blog.trendmicro.com/trendlabs-security-intelligence/new-malicious-macro-evasion-tactics-exposed-ursnif-spam-mail… 
  • banking
  • firstwatch
  • gozi
  • malspam
  • NetWitness
  • netwitness packets
  • NW
  • NWP
  • rsa firstwatch
  • RSA NetWitness
  • RSA NetWitness Platform
  • trojan
  • ursnif
  • what's this file
0 Likes
Share

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

  • Comment
Latest Articles
  • Agent Tesla: The Information Stealer
  • Threat Analysis: Detecting “Follina” (CVE-2022-30190) RCE Vulnerability with Netwitness Endpoint
  • Introducing NetWitness Vision XDR
  • Introducing NetWitness Platform XDR v12.0
  • Atlassian Confluence Zero-day Vulnerability (0-Zero) CVE-2022-26134: What You Need To Know
  • ‘Follina’ CVE-2022-30190 0-Day: What You Need To Know
  • CVE-2022-1388: BIG-IP iControl REST RCE Vulnerability
  • Ragnar Locker Ransomware: The Rampage Continues…
  • Ransomware Email Attacks: Beware of BazarLoader
  • Detecting Impacket with Netwitness Endpoint
Labels
  • Announcements 54
  • Events 2
  • Features 9
  • Integrations 6
  • Resources 57
  • Tutorials 21
  • Use Cases 21
  • Videos 116
Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.