The infamous Ursnif malware is back at it again, according to ZLab Yoroi-Cybaze researchers who report that there was another wave of attacks from this virus recently. The malware made its first appearance in 2014 during the original Gozi source code leak, hence the malware is commonly known as Gozi ISFB.

According to reports, the Ursnif threat is one of the most active malwares with a presence that spans over a decade. It mostly operates in Italy, where it presents itself as something else in order to infiltrate several organizations. Most of the time, it’s presented as a malicious email document attachment.

But, over time, the malware has developed considerably to the point that it’s able to collect all types of private user data, including keystrokes, banking credentials, webmail, screenshots, and cryptocurrencies. It does this through a combination of banking Trojans and advanced spyware features.

ZLab Yoroi-Cybaze researchers were able to find a new variation of this malware which comes in the form of malspam that’s targeted towards Italian organizations. But, even this new variation of Ursnif operates in pretty much the same way as the older variant. It’s delivered through a malicious document that’s bundled up with a complicated VBA macro. But, this is just the first stage of the malware that’s designed to infiltrate the user database.

The Evolution of the Ursnif Threat

The Ursnif malware started gaining traction in 2009 when it showed itself as a formidable threat that was able to steal user credentials with unparalleled skills. This threat can quietly steal local webmail credentials, cryptocurrency exchange platforms, cloud storage and even data from e-commerce sites.

According to Microsoft, it’s able to sidestep many sandbox environments in order to spread like wildfire. Thanks to research done by a team at Zlab, we now have a complete evolution of the threat including patterns that show how it developed over time.

The first samples came out in January of 2018 and showed that Ursnif would infiltrate devices through a macro document. This document followed a complicated injection technique to implement the threat’s payload.

In June 2018, it was revealed the Nercus Botnet is the vehicle that was used to deliver Ursnif. It’s worth noting here that Nercus Botnet is one of the most popular botnets around, so it’s only fitting that Ursnif would use it as a Trojan horse.

In December 2018, we see the beginning of new dropper stages that are designed to obscure the last payload in the process. To further hide from sight the malware uses an APC injection which is a deviation from the previous classical process that it followed before.

February 2019 saw a considerable blow-out of this sample but with two additional features. The first stage is designed to avoid AV detection using complicated powershell stages, which made the code seem like a legitimate image. The second stage involved executing the decryption of malicious code into the user device.

In March 2019, researchers discovered a weaponized version of the Ursnif threat, one that’s designed to actually spread the malicious software. It comes in the form of a Google Drive document that looks innocent enough, but hidden within it is a VBA script. The VBA script features a Vigenere cipher, which is enough to hide the malware even from the most advanced sandboxes.

Over the next few months, more features are likely to be added and the threat will continue to evolve. It’s likely that the malware is currently infiltrating various machines under different guises as we speak.

Technical Analysis

Sha 256 34669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690
Threat Ursnif dropper
Descrizione Breve Excel with macro
ssdeep 1536:hn1DN3aMePUKccCEW8yjJTdrBX/3t4k3hOdsylKlgryzc4bNhZFGzE+cL4LgldAK:hn1DN3aM+UKc

This Ursnif variant uses the same infection vector which spreads through macro-enabled office documents that are attached to email messages. To the user, the malicious document looks like a regular invoice which must be opened through special permissions, hence the macro enabling.

As soon as the user enables the macro, the Ursnif malware activates a macro protection feature which is quite unique and is not present in previous variations of the threat. This makes it doubly hard to analyze and manipulate the threat, let alone extract it. Once the OLE object has been extracted, it’s easier to view the content of macros, as you can see in the image below.

Ursnif Banking Malware

Researchers are now able to isolate a macro that stands out and actually investigate it in detail. This interesting macro was found to contain an extracted piece of VBA.

The malware author seems to have added a VigenereDo function to this current wave of the threat, thus giving it the ability to reconstruct the original infection step. This is all thanks to a Vigenère-based algorithm, which is really a classical polyalphabetic cipher.

In the end, the wave produces a command text that includes complicated strings with a “jeneric”, and other strings which are not visible in the above image. There are also other manipulations that can be seen when executing the entire script. As soon as a user enables macros, the malware runs a “wmic.exe” process using the following code “Call” ‘CREATe’” command.

After that, a number of powershell deobfuscation steps follow. The first one includes replacing every (“${1F}”) value in the ps string with “$1F” variable content that parallels a “,” (comma) character.

Once these values have been replaced, the script goes through “iex” primitive which is brought on by “.($psHomE[4]+$pshOMe[34]+’X’)”. After that, it goes through “( “. ( `$ShELLid[1]+`$shelLID[13]+’X’)”.

Here’s what the complete script looks like in the end.

Computer Virus

It’s interesting to note that the malware always begins its rounds by checking the current TimeZone to make sure that it is running on +01:00 time. Once it has confirmed that, the malware moves on to the next step, which is to download from “hxxps://i[.]imgur[.]com/TVkWKQa[.]png. What the user can’t see is that behind the downloaded image is another powershell stage that can influence stenography techniques.

The malware code then uses mathematical binary operation to repeat each pixel on the image, which enables it to take the two Least Significant Bits in each byte of the picture. Every byte is concatenated with other LSBs until the powershell code is complete.

Another URL appears as Et voilà and the malware does a “CurrentCulture” evaluation to confirm before it downloads the next stage from this URL.

Once the malware has confirmed the legitimacy of the URL, it will try to download other components through the “IEX” primitive. These components are called“ose000000.exe” from “hxxps://nuovalo[.]site/RGI82B3.-tmp-tmp”. The threats go on to save them in a “%TEMP%” folder.

Here is some interesting data collected about the Ursnif sample:

Sha 256 0f2245eec921949d9a1d8e13cab747a7fbb137aaee3b9ddacee0681c8b2e4fa8
Threat Ursnif
Descrizione Breve Final payload of Ursnif banking malware
ssdeep 6144:LCLAh6EzJYJtmavTXyulcNcyuo8PGJMewXo79y:L54EzetmCb3cNc3o0PR4

The Verdict

The latest wave of the Ursnif malware shows a complicated new infection process. Although it enters through the Visual Basic macro, it comes with additional Vigenère cipher protection, which enables it to launch an additional powershell stage. This is done by abusing originally legitimate functionalities of the Windows Management Infrastructure (WMI). The infection chain ends by manipulating stenography techniques in order to evade network detection. This allows the malware to infiltrate the intended devices to further its creators’ purposes.

What You Should Know About the Ursnif Banking Malware