M.Poorya Posted January 25, 2019

Quote

A new malware campaign spreading the Ursnif banking Trojan using PowerShell to achieve fileless persistence to hide from anti-malware solutions was detected by Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine.

Ursnif, which is also known as Gozi ISFB, is an offspring of the original Gozi banking Trojan that got its source code leaked online during 2014 and on which a lot of other banking Trojan strains were built, such as GozNym. Moreover, Ursnif is a continuously evolving Gozi variant which has been regularly updated with new capabilities over the years.

Cisco Talos discovered that this new Ursnif campaign uses an already well-known payload delivery method which employs Microsoft Word documents containing a malicious VBA macro that will automatically run using AutoOpen if macros are already enabled. If that is not the case, the malicious document displays an image asking the user to enable the macros feature.

[Image: 'Enable macros' message]

The VBA macro contains a single line designed to execute the next infection stage by accessing "the AlternativeText property of the Shapes object 'j6h1cf.' The value of this property is the malicious PowerShell command, which is subsequently executed by the Shell function."

This command is encoded using base64 and it is the one used by the dropper to download the Ursnif Trojan to the AppData folder and launch it on the compromised machine.

Once executed on the victim computer, Ursnif adds new registry entries containing the next command needed, which uses Windows Management Instrumentation Command-line (WMIC) to decode new PowerShell commands that will eventually use iex to execute an Asynchronous Procedure Call (APC) Injection.

[Image: Written registry data]

To inject itself in the compromised machine's memory and achieve fileless persistence, the malware uses the following, quite convoluted, procedure:

The injection starts by allocating memory for the malicious DLL with VirtualAllocEx, targeting the current process. If the allocation is successful, it then copies the malicious DLL into the newly allocated memory with Copy. Once that is completed, QueueUserAPC is executed, specifying the current thread within its process. This creates a user-mode APC and queues it within the thread. To execute the malicious DLL from the APC queue, the thread needs to enter an alertable state. SleepEx is used to trigger an alertable state completing the APC injection, by specifying 1 (True) for its second parameter, which is bAlertable.

After successfully infecting its victims, the Ursnif banking Trojan will start issuing C2 requests to its command-and-control servers via HTTPS which, according to the Cisco Talos research team, contain the exfiltrated data archived as CAB files.

[Image: APC Injection via the QueueUserAPC API]

An extensive list of indicators of compromise (IOC) is available at the end of the Cisco Talos analysis, containing hashes of malicious documents distributed by this Ursnif campaign, C2 server domains, as well as names of payload files dropped on compromised machines.

Source: https://www.bleepingcomputer.com/news/security/new-ursnif-malware-campaign-uses-fileless-infection-to-avoid-detection/
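The infection chain quoted above (Word macro spawning PowerShell with an encoded command, a WMIC stage that decodes further PowerShell and runs it through iex, a payload under AppData) leaves traces in process-creation telemetry. The following is an added detection example, not code from the article or from Cisco Talos: it scores constructed sample process-creation events (parent image, child image, command line, in the shape of Sysmon Event ID 1 or an EDR record) for those traits. The event fields, the sample command lines and the tag names are assumptions made for this example.

```python
import base64
import re

def b64_utf16(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample events (not from the article). The first two mimic the Ursnif
# chain: a Word macro launching hidden, encoded PowerShell, and a WMIC-launched stage
# decoding base64 into iex. The third is a benign scheduled script for contrast.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc "
            + b64_utf16("Start-Process $env:APPDATA\\svc.exe")},
    {"parent": "wmic.exe", "image": "powershell.exe",
     "cmd": "powershell -c \"iex([Text.Encoding]::ASCII.GetString("
            "[Convert]::FromBase64String('aWV4')))\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -File C:\\scripts\\backup.ps1"},
]

# -e / -ec / -en / -enc / -EncodedCommand are all accepted by PowerShell.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmd: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or malformed."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(ev: dict) -> list:
    """Tag one event with the chain traits it exhibits (order is fixed for reporting)."""
    tags = []
    cmd, parent = ev["cmd"], ev["parent"].lower()
    visible = cmd + " " + decode_encoded_command(cmd)   # inspect decoded text too
    if parent in ("winword.exe", "excel.exe"):
        tags.append("office-parent")        # macro launched PowerShell
    if parent == "wmic.exe":
        tags.append("wmic-parent")          # registry-stored WMIC stage
    if ENC_RE.search(cmd):
        tags.append("encoded-command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        tags.append("hidden-window")
    if re.search(r"\biex\b|invoke-expression", visible, re.I) and "frombase64string" in visible.lower():
        tags.append("iex-of-base64")        # decode-then-execute in memory
    if "appdata" in visible.lower():
        tags.append("appdata-path")         # payload staged under AppData
    return tags

def flagged_events(events=SAMPLE_EVENTS, min_tags=2) -> list:
    """Return (parent, tags) for events carrying at least min_tags traits."""
    return [(ev["parent"], score_event(ev)) for ev in events if len(score_event(ev)) >= min_tags]
```

Requiring two or more tags keeps a lone encoded command (common in legitimate administration) from firing on its own, while the Word-to-PowerShell and WMIC-to-iex stages each score twice.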