Season’s Greetings from Ursnif

Dec 19, 2018

By: Shaul Vilkomir-Preisman

Intro

Ursnif (aka Gozi), a veteran banking malware, which has recently been reported taking part in a very active campaign targeting the UK, is also at the center of a concurrent, rapidly mutating campaign targeting North America.

This, together with a recent sprawling Emotet campaign  indicates that banking malware threat actors are ramping up their activity right before the busy Christmas shopping season and the upcoming holidays. It seems threat actors’ intent is to infect as many victims as they possibly can at a time when they are very likely to engage in online transactions, leading to more opportunities for malware to infect and compromise users, and more opportunities for the actors to fraud victims and drain bank or credit accounts.

Background

Ursnif has been an active banking malware for over a decade, with several variations of its source code being leaked repeatedly over the years, leading a multitude of variants and “siblings” existing in the wild concurrently.

As with most banking malware, it spreads mostly by E-mail messages with malicious attachments, usually Office documents and PDFs.

Most recently, this infection scheme has been modified and improved to make use of E-mail messages from legitimate compromised accounts replying to existing E-mail threads, increasing the perceived credibility of the malicious E-mail and the likelihood of a victim opening the malicious attachment and infecting themselves with the malware.

Ursnif’s Winter 18’ edition

This most recent campaign particularly stands out as having a very high number of lightly mutated variants. Attackers are employing tactics designed to decrease the chance of being detected by traditional and signature-based security solutions.

The attack begins with an E-mail response from a compromised account, in many cases on an existing thread, containing an attached document:

 

 

 

 

 

 

 

 

 

E-mail and malicious attachment, in response to an existing thread, intended to infect the victim with Ursnif.

 

 

 

 

 

 

 

 

 

 

 

When the victim opens the malicious attachment, a lightly obfuscated VBA script is executed, which calls for cmd.exe, which in turn runs powershell.exe to execute a short, obfuscate PS script. The script downloads the malicious executable payload from hxxp://abderfiene[.]com/tyclam/fressr.php?l=creb[1-14].tkn to \%appdata%\Local\Temp\ and executes it.

Obfuscated and de-obfuscated PowerShell code.

Each time a document dropper of this type requests a payload from the infection server, the server responds with a unique payload with a constant size but never-seen-before unique file hash.

While this tactic is not new, it is not very common, and is intended to increase the chance of evading security solutions or any other file/hash reputation mechanisms by infecting each victim with a unique payload every time an infection attempt takes place.

Repeated executions of the same document dropper in a sandboxed environment resulted in a unique, never-seen-before payload each and every time. This indicates the executable payload is not target, IP, or machine specific, but rather re-generated per request. We did however discover that the infection server employs a strict Geo-IP filtering scheme which seems to target requests emanating from North America exclusively.

Mutation “factory” and nature of mutations

The main distinguishing feature of this recent campaign is the variants “factory” mentioned above (hxxp://abderfiene[.]com). We haven’t found indication of new features or functionality with regards to the payload, compared to previous Ursnif/Gozi campaigns.

This domain has been registered on December 11th , and the IP address it resolves to is 46.29.160[.]75. Both have been communicated to by the droppers, and are documented in various threat intelligence sources as serving the latest Ursnif samples as of Dec 12th. It is the same date in which Deep Instinct’s telemetry indicated attacks being prevented in customer environments.

It was rather disappointing to discover that many of the samples generated and served as part of this campaign remain undetected by most security solutions. Given the simplicity of the infection infrastructure, the campaign being active for at least 8-9 days, and the extreme resemblance between the variants generated (as detailed ahead) we find it disturbing that such a large portion of the samples are undetected according to multi-scanner and threat intelligence data.

A quick and basic static analysis of a few of the variants reveals the mutation scheme used for the unique variant generation is quite simplistic. All variants are of the same size, share the exact same version info, compilation time-stamp and contain the same sections. The mutation is focused on a single section (.text) of every payload. Being the code section and given that even binary entropy is identical across mutated variants, we believe the mutation is based mostly on code obfuscation, prior to compilation.

PE sections from 3 “unique” samples. in Blue – identical sections, in Red – mutated .text section.

An additional constant artifact which has been observed across all samples is a shared debug path:

c:\Score\Modern\Fill\Piece\Centurytogether.pdb

Unfortunately, many solutions (including some which are AI/ML based) are evaded by some, or all variants. This is a clear demonstration of the short-comings of signature or traditional ML based solutions in dealing even with a simplistic static mutation scheme.

Summary

This new, large-scale campaign which is timed at a very opportune time of year, employing droppers of a very legitimate look and feel and an array of endlessly polymorphic payloads, can be incredibly difficult for traditional solutions to detect and prevent.

Deep-Instinct’s management console displaying a prevention of Ursnif from this recent campaign.

Deep Instinct customers are fully  protected from Ursnif. All new droppers and payloads are detected and prevented pre-execution using Deep Instinct’s Deep-Learning cybersecurity solution.

IOCs

Mutation “factory”

hxxp://abderfiene[.]com/tyclam/fressr.php?l=creb[1-14].tkn

Droppers

5c4a7c26fbb7f079e80aa5bc477fc86c8a8e1a519503cb79ad4117fe83f8c84b

60646a95a9fed1ef84e2e6dc3ef7306cc23e9632434474e3fa78a3f65ca40f37

d87b7256a2ef427c75d7276de07237dc130b6ab1a1a298836ed09e6f18d636fb

e05644a2ca60f1ee15a173f40316470c7ccd90951a73d452af49395b9c2d9744

8079a1ecbb37382833a24c0a067d4bb33bc0babd4946d7b34351de32f7d4ff30

a0ab317544707883e162010535e341848358517f571ce5f186af4dcf9f8099b5

0be10e0e286263774069ed3ff6c05109a87b507440b2030cca639bb7c1736f4c

e6fb279be0838bbdc5e0887bedd11d4799183beb9c2541e4bc69d8ab630dc582

9643456663447feb1eaa9f88bb306b896505668a0148d490d0b23b7f8a5a4620

9190532e0d2bfabc471b98405c8be5c29c19703b861dc69df0f63bf7b642925b

fe4f12f922cbc0f32bd891145ec54dcd64299a4b34ef500a0cbbc56dacd70372

bf68422d00956ad51b45ccd2a0d0ccde609d04532606ffc785b0b715928aad87

15e4611f9c066fc71242fd1b10cceb0aa6f7e54e44ffae711efef43dd72f4ebc

87af97cfcc1a85cf7e60ccf7cd24e4392c141516c331cf653436383894a11952

Payloads

ec9745408deff472e259c136a1e901f62dfcf9a17c3cead11732225fb44632a1

780b08b821219fa64a14d87eb0eb33ac5cc3ecc634f54cbbf17eb322f61fee5e

b344a945a3fdd33dc042b6032a3c92cd534b7a522953d7fa4ca479554451bb79

233083f200d30e2712d770ba4e9789fc8a88d6cc6acd868736cc823076094bca

7a70c5c48f81b11c889f2db42ba2c4b0393a291ec9ec606adf0fedb2b3ff78c0

5780e1bef78ef18674aa6de21d226165521031fabae7e39569d32e7fb53e6f94

c2ed7a54104e60c900b32f0627c3fefb044fbee73c33ec38e7fd521541a0a741

34793b1f8d86d7938ac9f5b308c39171ba5e89a2319fccece94854e366011e05

ea077f0de5b4a89b84c5c990654ff3a88a26b004a36c9f4a6d8dc46ebb540d6b

6c8640366d06187d06c074d9cea309358fd71b5300342e7d4c154661b7204e7f

1d0f1e94552a606aee3d3121d08b5e278ba6baf9e23beefc114234b1f0b4ce9c

464d85d073f33f1e8f849afb932ba45d39bea336f75414bf89c9a837da92bd6c

d8bac8b56c70923c9a3b64c0d03992670ead26212d98a0e6e327aadadf480f99

bdb7f54163bfa99daabb4a6ac5d64e843e1e5e28558e1a6ff116ad1f910bd9c1

10738dbab8675f9a9884d60e527678291d95422a74892ec7c610a36f62dc6169

a8700b511468741252b32036daf42e44803ca93e1ace17635d57eee099b64bd4

fcceb1d785a912a1e6e4ee903ce9b546be1a05d30ccb27188366824bc6907cca

92bbe38273ef01da146dcc773ccaa35138c9a75d66446faa879a8291e3586cc3

c72797a7ed0a169d3c5573b6fd2f076e9fff0ab325017757f202832948e3c805

05b50d16435b589cf728bbb3d2b3cfc9cbe2b9b9239ba76c3d0598464819f90b

65d869ff2d708bd23f70a04c484b18c0fda788bad52cc2e4ff0d32d7b8b89a95

84d4ec1001617918e327a0b0586879e27e4c342f7108cfd2428cdb0c9bd610ad

1ef6cd6e98a3aac78855e63dbcaf48930fd023a2a57af5f5076e3cb01637e6ea

d17d01b77c2d9f28fc95a3c12b9dff9e74c1687e9512ac88bf90b891e94cbd4e

f5c5594292b116c6eb4054ecc0d6e8791cd4832c63ab5ca4d177b79c4b5199f3

C2 servers

aershariar[.]com

biesbetiop[.]com

roqualdlio[.]com

zardinglog[.]com

imminesenc[.]com

zosmogroel[.]com

qibricrias[.]com

sycingshbo[.]com

kircherche[.]com

toforemedi[.]com