By: Shaul Vilkomir-Preisman
Ursnif (aka Gozi), a veteran banking malware recently reported taking part in a very active campaign targeting the UK, is also at the center of a concurrent, rapidly mutating campaign targeting North America.
This, together with a recent sprawling Emotet campaign, indicates that banking malware threat actors are ramping up their activity right before the busy Christmas shopping season and the upcoming holidays. The threat actors’ intent seems to be to infect as many victims as they possibly can at a time when those victims are very likely to engage in online transactions, leading to more opportunities for the malware to infect and compromise users, and more opportunities for the actors to defraud victims and drain bank or credit accounts.
Ursnif has been an active banking malware for over a decade, with several variations of its source code leaked repeatedly over the years, leading to a multitude of variants and “siblings” existing in the wild concurrently.
As with most banking malware, it spreads mostly by E-mail messages with malicious attachments, usually Office documents and PDFs.
Most recently, this infection scheme has been modified and improved to make use of E-mail messages sent from legitimate compromised accounts as replies to existing E-mail threads, increasing the perceived credibility of the malicious E-mail and the likelihood of a victim opening the malicious attachment and infecting themselves with the malware.
Ursnif’s Winter ’18 edition
This most recent campaign particularly stands out as having a very high number of lightly mutated variants. Attackers are employing tactics designed to decrease the chance of being detected by traditional and signature-based security solutions.
The attack begins with an E-mail response from a compromised account, in many cases on an existing thread, containing an attached document.
When the victim opens the malicious attachment, a lightly obfuscated VBA script is executed, which launches cmd.exe, which in turn runs powershell.exe to execute a short, obfuscated PowerShell script. The script downloads the malicious executable payload from hxxp://abderfiene[.]com/tyclam/fressr.php?l=creb[1-14].tkn to \%appdata%\Local\Temp\ and executes it.
Each time a document dropper of this type requests a payload from the infection server, the server responds with a unique payload: constant in size, but with a never-before-seen file hash.
While this tactic is not new, it is not very common. It is intended to increase the chance of evading security solutions and any other file/hash reputation mechanisms by infecting each victim with a unique payload every time an infection attempt takes place.
Repeated executions of the same document dropper in a sandboxed environment resulted in a unique, never-before-seen payload each and every time. This indicates the executable payload is not target-, IP-, or machine-specific, but rather re-generated per request. We did, however, discover that the infection server employs a strict Geo-IP filtering scheme which seems to serve requests emanating from North America exclusively.
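The infection chain described above (Office document, then cmd.exe, then powershell.exe fetching a payload from the fressr.php?l=creb[N].tkn URL) is the kind of process ancestry an endpoint detection rule can key on. The following is an added example, not code from the original post or from Deep Instinct: it walks a small set of constructed process-creation events (the event format, the process names and the PIDs are assumptions for the example) and flags a powershell.exe whose parent is cmd.exe and whose grandparent is an Office application, raising the severity when the command line also carries the campaign's payload URL pattern quoted in the post.

```python
"""Detect the Office -> cmd.exe -> powershell.exe dropper chain from
process-creation events (added example with constructed input)."""
import re
from typing import Dict, List

# URL pattern quoted in the post: .../fressr.php?l=creb[1-14].tkn
PAYLOAD_URL_RE = re.compile(r"fressr\.php\?l=creb(\d{1,2})\.tkn", re.IGNORECASE)

# Office hosts that should not normally spawn a shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed process-creation events, not real telemetry. Each event carries
# the process id, parent process id, image name and command line.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "C:\\Users\\victim\\Downloads\\RE invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell <obfuscated launcher>"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden <obfuscated script> "
                "hxxp://abderfiene[.]com/tyclam/fressr.php?l=creb7.tkn"},
    # Benign: an administrator opening PowerShell from a console window.
    {"pid": 500, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Return lower-cased image names from `pid` up to the root of its tree.
    A `seen` set guards against PID reuse producing a cycle."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect_dropper_chain(events: List[Dict]) -> List[Dict]:
    """Flag every powershell.exe launched by cmd.exe under an Office host.
    Severity is 'high' when the payload URL pattern is also present."""
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(events, e["pid"])  # e.g. [powershell.exe, cmd.exe, winword.exe, ...]
        if len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in OFFICE_PARENTS:
            match = PAYLOAD_URL_RE.search(e["cmdline"])
            findings.append({
                "pid": e["pid"],
                "chain": " -> ".join(reversed(chain[:3])),
                "payload_token": match.group(0) if match else None,
                "severity": "high" if match else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_dropper_chain(EVENTS):
        print(finding)
```

The ancestry check alone is worth keeping as a medium-severity rule: the URL pattern is specific to this campaign and will change, whereas an Office application spawning cmd.exe and then PowerShell is rare in normal use and survives payload mutation entirely.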
Mutation “factory” and nature of mutations
The main distinguishing feature of this recent campaign is the variant “factory” mentioned above (hxxp://abderfiene[.]com). We have not found any indication of new features or functionality in the payload compared to previous Ursnif/Gozi campaigns.
The domain was registered on December 11th, and the IP address it resolves to is 46.29.160[.]75. Both are contacted by the droppers, and both are documented in various threat intelligence sources as serving the latest Ursnif samples as of December 12th, the same date on which Deep Instinct’s telemetry indicated attacks being prevented in customer environments.
It was rather disappointing to discover that many of the samples generated and served as part of this campaign remain undetected by most security solutions. Given the simplicity of the infection infrastructure, the campaign having been active for at least 8-9 days, and the extreme resemblance between the generated variants (detailed below), we find it disturbing that such a large portion of the samples are undetected according to multi-scanner and threat intelligence data.
A quick and basic static analysis of a few of the variants reveals that the mutation scheme used for unique variant generation is quite simplistic. All variants are of the same size, share the exact same version info and compilation timestamp, and contain the same sections. The mutation is confined to a single section (.text) of every payload. Since this is the code section, and since even the binary entropy is identical across mutated variants, we believe the mutation is based mostly on code obfuscation applied prior to compilation.
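The section-level comparison described above (same file size, same timestamp, same section layout, only .text differing by hash while its entropy stays identical) can be reproduced with a few dozen lines of static analysis. The following is an added example, not code from the original post or from Deep Instinct: a minimal PE/COFF header and section-table parser written from the public PE specification (no third-party library), a per-section SHA-256 and Shannon entropy profile, and a diff of two samples. Because this page ships no binaries, the two “variants” are constructed in-line by a helper that emits a minimal, non-executable PE image whose .text sections are byte-permutations of each other, so they share a histogram (and therefore entropy) but not a hash. The build timestamp and section contents are constructed values, not taken from any real sample.

```python
"""Profile and diff PE variants section by section (added example;
the two sample images are constructed, not real Ursnif payloads)."""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

DOS_E_LFANEW_OFFSET = 0x3C   # offset of e_lfanew in the DOS header
COFF_HEADER_SIZE = 20        # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40     # IMAGE_SECTION_HEADER


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def parse_pe(pe: bytes) -> Dict:
    """Read the COFF header and section table; returns the build timestamp
    and (name, raw offset, raw size) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, DOS_E_LFANEW_OFFSET)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + COFF_HEADER_SIZE + opt_size
    sections: List[Tuple[str, int, int]] = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        name_raw, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name_raw.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return {"timestamp": timestamp, "sections": sections}


def profile(pe: bytes) -> Dict:
    """File size, timestamp, and per-section hash/entropy/size."""
    hdr = parse_pe(pe)
    secs = {}
    for name, ptr, size in hdr["sections"]:
        raw = pe[ptr:ptr + size]
        secs[name] = {"sha256": hashlib.sha256(raw).hexdigest(),
                      "entropy": round(shannon_entropy(raw), 4), "size": size}
    return {"size": len(pe), "timestamp": hdr["timestamp"], "sections": secs}


def diff_variants(a: bytes, b: bytes) -> Dict:
    """Report which invariants hold between two samples and which sections
    changed content (by hash) and, among those, which also changed entropy."""
    pa, pb = profile(a), profile(b)
    changed = [n for n in pa["sections"] if n in pb["sections"]
               and pa["sections"][n]["sha256"] != pb["sections"][n]["sha256"]]
    entropy_changed = [n for n in changed
                       if pa["sections"][n]["entropy"] != pb["sections"][n]["entropy"]]
    return {"same_size": pa["size"] == pb["size"],
            "same_timestamp": pa["timestamp"] == pb["timestamp"],
            "same_section_names": list(pa["sections"]) == list(pb["sections"]),
            "changed_sections": changed,
            "entropy_changed_sections": entropy_changed}


def build_sample_pe(text: bytes, data: bytes, timestamp: int) -> bytes:
    """Constructed helper: emit a minimal PE image with .text and .data
    sections and no optional header. It parses, but it cannot execute."""
    e_lfanew, text_ptr = 0x40, 0x200
    data_ptr = text_ptr + len(text)
    dos = b"MZ" + b"\0" * (DOS_E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 0, 0x102)

    def sec_hdr(name: bytes, size: int, ptr: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0)

    headers = dos + b"PE\0\0" + coff + sec_hdr(b".text", len(text), text_ptr) \
        + sec_hdr(b".data", len(data), data_ptr)
    return headers.ljust(text_ptr, b"\0") + text + data


# Constructed samples: identical .data, identical timestamp, and .text sections
# that are permutations of the same bytes (same entropy, different hash).
BUILD_TIME = 0x5C0F9B3C                       # constructed, not a real sample's timestamp
SHARED_DATA = b"example-data-section\0" * 4
TEXT_A = bytes(range(64)) * 8                 # 512 bytes, entropy exactly 6.0
TEXT_B = bytes(reversed(TEXT_A))              # same histogram, different order
VARIANT_A = build_sample_pe(TEXT_A, SHARED_DATA, BUILD_TIME)
VARIANT_B = build_sample_pe(TEXT_B, SHARED_DATA, BUILD_TIME)

if __name__ == "__main__":
    print(diff_variants(VARIANT_A, VARIANT_B))
```

Run against real samples, the same `profile` output is what makes whole-file hashing useless here and section-level hashing useful: .data, .rdata and the headers keep a stable hash across the “factory” output, so a reputation lookup keyed on a non-mutated section (or on the shared timestamp plus section layout) clusters every variant that a per-file hash treats as new.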
An additional constant artifact observed across all samples is a shared debug path.
Unfortunately, many solutions (including some which are AI/ML based) are evaded by some or all of the variants. This is a clear demonstration of the shortcomings of signature-based or traditional ML-based solutions in dealing with even a simplistic static mutation scheme.
This new, large-scale campaign, timed for a very opportune time of year and employing droppers with a very legitimate look and feel together with an array of endlessly polymorphic payloads, can be incredibly difficult for traditional solutions to detect and prevent.
Deep Instinct customers are fully protected from Ursnif. All new droppers and payloads are detected and prevented pre-execution using Deep Instinct’s Deep-Learning cybersecurity solution.