#1263273: How Ursnif Evolves to Keep Threatening Italy

Description: For months Italian users have been targeted by waves of malspam delivering variants of the infamous Ursnif banking malware; Yoroi-Cybaze ZLab has documented their evolution.
Introduction
For months Italian users have been targeted by waves of malspam delivering variants of the infamous Ursnif malware. Yoroi-Cybaze ZLab closely observed these campaigns and analyzed them to track the evolution of the techniques and of the underlying infection chain, noticing increasing sophistication. For instance, the latest waves became more selective about their targets by implementing various country checks, and strengthened their anti-analysis capabilities through heavy code obfuscation.

In our previous post we enumerated the delivery methods and the principal TTPs of the attackers behind the Ursnif malware threat. In this report we describe the increasing complexity of the more recent infection chains, which stack more than ten levels of obfuscation and add a new steganography technique designed for Windows 10 machines.

Technical Analysis
Hash              c86d3ab048976eb70d64409f3e7277ec40d6baf9ba97bcf4882e504fb26b5164
Threat            Microsoft Excel malicious document
Brief Description Malicious macro
Ssdeep            1536:9n1DN3aMePUKccCEW8yjJTdrBZq8/Ok3hOdsylKlgryzc4bNhZFGzE+cL2knA5xG:9n1DN3aM+UKccCEW8yjJTdrBZq8/Ok3B
Table 1: Static information about the Ursnif dropper

The attackers are still leveraging malicious Excel documents to lure their targets into starting the infection chain; these documents require the victim to enable the macro code hidden inside them.

Once opened, a blurred decoy image invites the victim to enable content in order to start the malicious macro (as shown in Figure 1, on the left). Moving the blurred figure away reveals that cell A1 contains hidden code: a Base64-encoded script.

The macro retrieves the content of the first cell of the document and concatenates it with the content of the six rows below it. Executing the result starts the "powershell stage" of the infection: a long series of multi-layered obfuscated scripts.

powershell.exe -EP bYpass IEx ('$w='OBFUSCATED PAYLOAD ZERO';$v=[IO.COmpresSIon.comPresSiONmOde];$j=20*60;sal M neW-OBJeCt;$e=[TexT.ENcoDiNG]::ASCiI;(M io.sTreAmreAdER((M Io.coMPREsSIoN.dEfLatesTReam([Io.meMORySTrEam][CoNVERt]::FRomBase64STRINg($w),$v::decOMpREss)),$e)).reaDTOEnD()|&($PshOME[4]+$PshoMe[34]+"x")')
Code Snippet 1
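To see what Code Snippet 1 does without executing it, the decoder below reproduces the layer-zero unpacking in Python. This is an added example, not Yoroi's code: the inner script is a constructed stand-in, and the $PSHOME and $ShellId values are the Windows PowerShell 5.1 defaults, assumed here. Two points it makes concrete: DeflateStream is raw DEFLATE, so a zlib decoder has to be told there is no header (wbits=-15), and the command is executed through `&($PshOME[4]+$PshoMe[34]+"x")`, which spells "iex" out of characters of $PSHOME so that a signature for "Invoke-Expression" or "iex" never sees the literal string.

```python
"""Unpack layer zero of Code Snippet 1 offline.

Added example (not Yoroi's code). The inner script is a constructed stand-in
and the $PSHOME / $ShellId values are the Windows PowerShell 5.1 defaults,
both assumed here so the code runs without the real sample.
"""
import base64
import zlib

# Constructed stand-in for the next layer; the real dropper carries the
# obfuscated payload in the Base64 blob assigned to $w.
CONSTRUCTED_INNER_SCRIPT = "$j=20*60;Write-Host 'stage one'"


def pack_stage(script: str) -> str:
    """Forward direction, used only to build the sample: raw DEFLATE
    (no zlib header, wbits=-15) then Base64, as DeflateStream would produce."""
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def unpack_stage(blob: str) -> str:
    """The decoding chain of the snippet:
    [Convert]::FromBase64String -> DeflateStream(Decompress) -> StreamReader(ASCII).
    DeflateStream is raw DEFLATE, so zlib must be told there is no header
    (wbits=-15); a plain zlib.decompress(raw) fails with 'incorrect header check'."""
    raw = base64.b64decode(blob)
    return zlib.decompress(raw, wbits=-15).decode("ascii")


def resolve_iex_alias(pshome: str, shellid: str):
    """The executor is never spelled out. Layer zero builds it as
    $PshOME[4]+$PshoMe[34]+"x" and layer one as 'i'+$sHeLlid[13]+'X', so a
    string match on "Invoke-Expression" or "iex" never sees the literal.
    Returns both reconstructed names (PowerShell resolves them case-insensitively)."""
    layer0 = pshome[4] + pshome[34] + "x"
    layer1 = "i" + shellid[13] + "X"
    return layer0, layer1


if __name__ == "__main__":
    blob = pack_stage(CONSTRUCTED_INNER_SCRIPT)
    print(unpack_stage(blob))
    print(resolve_iex_alias(r"C:\Windows\System32\WindowsPowerShell\v1.0",
                            "Microsoft.PowerShell"))
```

Against a real sample, paste the Base64 blob assigned to $w into unpack_stage(); the result is the next layer as plain text, which can then be inspected for the $j Sleep and the version check rather than run. The alias resolution is the detection-relevant part: hunting for the literal "iex" in command lines misses this chain, while a rule on `$PSHOME[` or `$ShellId[` indexing followed by an invocation operator does not.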

The Powershell Stage
In the first layer we noticed the declaration of the variable "$j" (20*60, i.e. 1200 seconds), used in the next layer to delay execution through Sleep invocations; that layer only sleeps when the host is not running Windows 10 (OSVersion major version different from 10), which is long enough to outlast a typical sandbox run:

$b='i'+$sHeLlid[13]+'X';if ([Environment]::OSVersion.Version.Major -ne '10') {Sleep $j;.($b)(M sYSTEm.Io.CoMpresSiOn.DEFlatestReam([sySTeM.Io.MeMoRYsTREAm] [cOnveRt]::FrOMbASe64stRinG(' OBFUSCATED PAYLOAD ONE '),$v::DecOMprESs)|%{M syStEM.Io.sTReAmrEADEr($_,[TexT.ENcoDiNG]::ASCIi)}).READtoenD()}else {$h='$y=@( OBFUSCATED PAYLOAD TWO)'.replace('c',',0,');$h=$h.replace('b',',101,');$h=$h.replace('a',',0,0,0,');.($b)($h);[Reflection.Assembly]::Load([byte[]]$y)|Out-Null;.($b)([SA.Sii]::pf())}
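The Windows 10 branch of this layer never carries the payload as Base64: it is a PowerShell array literal `$y=@( ... )` in which the byte runs `,0,`, `,101,` and `,0,0,0,` have been swapped for the letters c, b and a. Three .replace() calls restore the array, `[Reflection.Assembly]::Load([byte[]]$y)` loads it as a .NET assembly straight from memory, and `[SA.Sii]::pf()` is the entry point that gets invoked. The Python below (an added example, not Yoroi's code) undoes the substitution offline and checks whether the result is a PE image before anything is handed to Assembly.Load; the obfuscated sample is constructed from a minimal fake PE header, and the substitution order follows the snippet.

```python
"""Rebuild the byte array hidden behind the .replace() chain in the
Windows 10 branch and sanity-check it as a PE image before loading it.

Added example (not Yoroi's code). The sample below is constructed from a
minimal fake PE header; no real Ursnif bytes are included.
"""
import re

# Same substitutions the script applies, in the order it applies them.
# Each letter stands for a byte run common in PE/.NET images: zero padding
# and 0x65 ('e').
SUBSTITUTIONS = (("c", ",0,"), ("b", ",101,"), ("a", ",0,0,0,"))


def expand_byte_array(stmt: str) -> bytes:
    """Undo '$y=@( ... )'.replace(...) without Invoke-Expression.
    Returns the bytes PowerShell would have produced with [byte[]]$y."""
    for letter, expansion in SUBSTITUTIONS:
        stmt = stmt.replace(letter, expansion)
    m = re.search(r"@\(([^)]*)\)", stmt)
    if m is None:
        raise ValueError("no @( ... ) array literal found")
    values = [int(tok) for tok in m.group(1).split(",") if tok.strip()]
    if any(v > 255 for v in values):
        raise ValueError("array contains a value outside byte range")
    return bytes(values)


def looks_like_pe(data: bytes) -> bool:
    """Assembly.Load() needs a PE image: 'MZ' at offset 0 and the 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def obfuscate_byte_array(data: bytes) -> str:
    """Forward direction, used only to build the constructed sample: join the
    decimal values, then swap byte runs for letters, longest run first."""
    text = ",".join(str(b) for b in data)
    for letter, expansion in reversed(SUBSTITUTIONS):
        text = text.replace(expansion, letter)
    return "$y=@(" + text + ")"


def build_sample_image() -> bytes:
    """Constructed stand-in: a DOS header pointing at a PE signature at 0x40,
    followed by a few 0x65 bytes so that every substitution letter is exercised."""
    dos = bytearray(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00")
    dos += b"\x00" * (0x3C - len(dos))
    dos += (0x40).to_bytes(4, "little")          # e_lfanew -> 0x40
    pe = b"PE\0\0" + b"\x4c\x01"                 # signature + Machine = i386
    return bytes(dos) + pe + b"e" * 4


if __name__ == "__main__":
    sample = build_sample_image()
    obfuscated = obfuscate_byte_array(sample)
    print(obfuscated)
    recovered = expand_byte_array(obfuscated)
    print("round trip ok:", recovered == sample, "PE:", looks_like_pe(recovered))
```

Because each expansion yields only digits and commas, the three substitutions can be undone in any order and never interfere with one another, so the same function works on a real `$h` string taken from a sample. Note the dispatch on `[Environment]::OSVersion.Version.Major`: a host that is not Windows 10 gets the 20-minute Sleep and the Base64/DEFLATE branch, while a Windows 10 host gets this in-memory assembly load, so a sandbox that reports an older Windows version never sees this branch at all.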

Read the rest at the link below.
First Aid: Indicators of compromise
Hashes
URLs
http[://images2[.imgbox[.com/d8/0e/eyGVup7s_o[.png
https[://newupdatindef[.info////////……….[.exe
http[s://i.postimg[.cc/mbBH51RX/cry[.png?dl=1
C2

filomilalno[.club
fileneopolo[.online
reziki[.online
reziki[.xyz
More info: https://blog.yoroi.company/research/how-ursnif-evolves-to-keep-threatening-italy/

Date added June 12, 2019, 3:45 p.m.
Source Yoroi
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • Banking Malware - New Reports in
  • Microsoft Windows 10
  • News Italy
  • Ursnif / Gozi ISFB Banking Malware