AUGUST 12, 2019

Ursnif ups its game with sophisticated VBA and PowerShell combination Dropper

Intro Ursnif (AKA Gozi), is one of the most enduring pieces of malware in the cybercrime threat landscape, being active for well over a decade now. I

Ursnif (AKA Gozi), is one of the most enduring pieces of malware in the cybercrime threat landscape, being active for well over a decade now. Its code has been leaked repeatedly and has been used, modified and upgraded extensively; giving rise to many different yet similar variants of this banking malware which are delivered primarily through spam Emails with malicious attachments.

Deep Instinct recently prevented Ursnif being delivered to a customer environment by means of a sophisticated dropper which is disguised as a DHL invoice.

The Dropper
As mentioned above, the dropper, an Excel Spreadsheet, is designed to appear like a DHL invoice, which when opened prompts the user to enable the VBA macro contained.

Once the macro is enabled, it is executed and presents the victim with a decoy progress bar, likely intended to make the malicious document appear more legitimate and stall the victim while the malicious code is being executed.

General infection and de-obfuscation flow is as follows:



[caption id="attachment_5888" align="aligncenter" width="739"] Decoy progress-bar displayed to victim after macros are enabled[/caption]


The VBA macro is obfuscated and contains many random-generated “comments” intended to make the code appear more legitimate and lower the chances of it being caught by security vendors.


[caption id="attachment_5879" align="aligncenter" width="600"] “Comments” intended to make the code appear more legitimate[/caption]


After the decoy progress bar is presented to the victim, the VBA macro reads a portion of the Excel file, which contains a compressed and base64 encoded PowerShell command, which is in turn executed by WMIC.exe (Windows Management Instrumentation Command-Line Utility) after being called for by the VBA using a Shell() function.


[caption id="attachment_5885" align="aligncenter" width="920"] Compressed and base64 encoded PowerShell command contained in the Excel Spreadsheet[/caption]


[caption id="attachment_5886" align="aligncenter" width="1093"] WMIC.exe executes PowerShell.[/caption]


Analysis of this PowerShell code reveals complex, heavily obfuscated dropper code, with multiple layers of compression, encoding, and obfuscation.

Decoding and decompressing the initial command blob (shown above) reveals two similar compressed and encoded blobs, which are piped to a function named “ms”.


[caption id="attachment_5887" align="aligncenter" width="560"] Function “ms” receives decompressed blob content[/caption]


Replacing this function with a print function enables us to see the content of these blobs and some initial functionalities are revealed, as well as an additional obfuscated blob and an initial de-obfuscation loop, after which the code is again piped to function “ms”.


[caption id="attachment_5880" align="aligncenter" width="600"] Initial functionalities (rundll32, get-date), initial de-obfuscation loop and again pipe to function “ms”.[/caption]


Repeating the function replacement trick enables to us to see below this 2nd layer of obfuscation and reveals another de-obfuscation function and yet another compressed and encoded blob, with the end result again being piped to function “ms”, again.


[caption id="attachment_5881" align="aligncenter" width="600"] De-obfuscation function (character replacement), final pipe to function “ms”.[/caption]


Decoding and decompressing the above blob, finally reveals function “ms”, which itself is obfuscated, however, some light manual de-obfuscation will readily reveal the code’s final functionality:


[caption id="attachment_5882" align="aligncenter" width="600"] Final main functionalities – delete temp internet files, download and execute payload from URL.[/caption]


The end result of the above is as follows:

  • Execute: rundll32.exe InetCpl.cpl ClearMyTracksByProcess 8

This deletes temporary internet files (top image above)

  • Download executable payload file from hxxps://<current_timestamp> to %appdata%/Local/Temp/ (middle images in above)
  • Execute: rundll32.exe /s <downloaded_file_path>, DllRegisterServer

This executes the payload, after which Ursnif will launch its own instance of iexplore.exe and will attempt to reach its C2 server. (bottom image in above)


Ursnif payload
The Ursnif payloads are delivered to the victim by a mutation “factory” very similar to what we reported approximately 8 months ago.

While each file is individually unique (has a unique file hash in order to circumvent file-reputation based mechanisms), much like what we previously reported 8 months ago - the mutation is limited to a single file section (.text), with the other file sections being exactly identical.

[caption id="attachment_5883" align="aligncenter" width="600"] In red – mutated .text section, in blue – identical sections.[/caption]


Additionally, all of the mutated samples feature the function same exports and share the same fake file metadata


[caption id="attachment_5884" align="aligncenter" width="600"] Functions exported by Ursnif, Common Ursnif file metadata[/caption]


All the effort that Ursnif’s operators have put into their mechanism for delivery, appears to have paid off and been well worth it. When this dropper was first uploaded to VT (slightly after we had prevented it in a customer environment) it was only detected by six out of 57 scanning vendors. This case highlights how threat actors are using increasingly sophisticated techniques to ensure that their malware is not detected and that analysis post-detection is much more complicated.


Dropper, prevented and investigated sample

Similar droppers from threat intel data




Ursnif payloads




















Mutation “factory”

Ursnif C2