Malware Analysis – Ursnif Trojan

September 14, 2020

Introduction

Ursnif, also known as Gozi-ISFB or Dreambot, is a widely distributed banking Trojan that attempts to steal banking credentials from customers of various financial institutions. It was first seen after source code associated with Gozi-ISFB was leaked, and it has continuously evolved and remained active in the threat landscape since then.


According to Microsoft, Ursnif has displayed remarkable stealing capabilities since it first appeared in 2009. Its targets range from users' credentials, local webmail credentials and cloud storage to cryptocurrency exchange platforms and e-commerce platforms. Its advanced tricks evade several sandbox environments, making it the most popular stealer in the wild. From stealing personal and OS information from a PC to running malicious commands on a target system, Ursnif serves many malicious purposes. It can spread through malicious emails as well as infected removable drives such as USB flash drives. Since its major appearance in 2014, the malware has kept evolving, adding the collection of banking credentials, keystrokes, cryptocurrencies, screenshots and webmail, and integrating spyware features. Ursnif variants have also been detected in targeted campaigns against Italian and Japanese users. Ursnif is usually delivered via malicious documents with an embedded, heavily obfuscated VBA macro that acts as a dropper. One of its variants tries to steal cryptocurrency directly from digital wallets. It also uses language checks for localization and to evade detection by sandboxes, and it may search for disk encryption software in order to extract keys and access files hidden by users. Ursnif is revised regularly, resulting in new persistence mechanisms, new stealing modules and new cryptocurrency-stealing modules. It may also masquerade its main payload as a harmless image downloaded from a popular image-hosting site.


Ursnif/Gozi has frequently been observed being delivered in COVID-19-themed malicious email campaigns that used the legacy Excel 4.0 macro functionality to remain undetected by AV software. Once the attachment in these emails is executed, it attempts to connect to its C2 server and receive additional instructions.

MITRE ATT&CK Table

The following is a list of MITRE ATT&CK techniques we have observed based on our analysis of this malware.


Analysis Report of Ursnif

File Identity:

VBS dropper

  Property               Value
  File Name              1fe658a2f99093dfc930b20bd2849d6d530a4d5540f8937bb637c261604a9b7a.vbs
  File Type              Visual Basic Scripting
  File Info              ASCII text with CRLF terminators (.vbs file)
  File Size              843 KB (863,997 bytes)
  MD5                    A05C4CF885A5375C0DE6C097060D3D51
  SHA-1                  F9275016485028BA770218E8721B015DDE443EF5
  SHA-256                1fe658a2f99093dfc930b20bd2849d6d530a4d5540f8937bb637c261604a9b7a
  VirusTotal Score       8/58
  Hybrid Analysis Score  7%

Dropped DLL

  Property               Value
  File Name              Mullah.dll
  File Type              Portable Executable 32
  File Info              Borland Delphi 3.0
  File Size              288.50 KB (295,424 bytes)
  MD5                    B17B5449D5C89642A7DC7B8F83CFEF33
  SHA-1                  D993844C624A2E622C80A92C5718F3131FA9F22E
  SHA-256                181018ca12c4e5d3da1f8a3d0f2392254904e62eaff51a840d2a958358c850d8
  VirusTotal Score       37/58
  Hybrid Analysis Score  100%

Summary of Analysis:

Detailed analysis of the obfuscated VBS script showed that it drops a zip archive in the temp directory containing a Dynamic Link Library (DLL), Mulla.dll. The real extension (.dll) is hidden by renaming the file Mulla.mkv. The malware was observed attempting to initiate a network connection to cdn.arsis.at, which unfortunately (in our case) was unresponsive.


De-obfuscating the VBS script reveals that the malware is capable of loading a WMI instance and querying system, disk and operating-system information.

Observed Characteristics:

First, we opened the VBS file in an IDE to observe the actual code. We found a heavily obfuscated VBS script that needed to be de-obfuscated before the script's real intent could be analyzed.

  • Many commented random strings are used in the script to crash or bog down analysis tools.
  • Various decoy functions mask the true execution chain so that it is not quickly visible.
  • The actual array data used during execution is also obfuscated.
  • Arithmetic expressions are stored in variables instead of fixed values.

Because the obfuscated code shown above is difficult to understand, de-obfuscation was the only way to understand the whole script properly. We obtained the de-obfuscated code by applying several de-obfuscation techniques, and the following artifacts came out of the script.

Turning to the de-obfuscation itself, several things were observed in the code once it was de-obfuscated. The first thing that became visible was that the VBS script calls the cimv2 class of the Windows Management Instrumentation (WMI) utility, which can

First of all, we found an instruction that displays the error message "The program can't start because MSVCR100.dll is missing from your computer. Try reinstalling the program to fix this problem". This message is fake, and the actual VBS script is deleted upon execution.

Moving on, we found that the script uses an "if" condition that compares the number of files in the temp directory against the value of the variable "necrosis".

Solving the "necrosis" expression "(((89 + 4925.0) – (519 – 517.0)) – 5009.0)" gives "3", which means that if the file count is greater than 3, execution moves on to the next function.

If the file count is smaller than 3, the script jumps to the function named "NkRkFhr", which is used to exit the script.

The core function here is renamed "Custom Function1". It is responsible for dropping a zip file (cholinesterase.zip) upon execution.

Here the "bjwCsi" function helps locate the current user's "temp" directory in this piece of VBScript. The parameter "2" selects the temp directory, as shown below:

After dropping cholinesterase.zip in the temp directory, the script extracts Mulla.mkv into the same directory.

We found the malware and its dropped files deleted from their respective directories. To proceed with the analysis, we needed to capture the mulla.mkv file. When we captured it and reviewed it in a hex editor, the first bytes of the file indicated that it is a dynamic link library (.dll).

Investigating mulla.dll further, we found that it was developed in Borland Delphi 3.0. A custom packing technique was used to hinder decompilation of the DLL.
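The mismatch the hex editor revealed (a PE image carrying a .mkv name) is something a defender can check for automatically in temp and download folders. The following is an added Python example, not code from this report: it validates the MZ/PE headers, reads the COFF Characteristics field to tell a DLL from an EXE, and lists files in a directory whose content is a PE image but whose extension is not an executable one. The directory it scans is built in a temporary folder for the demo; the file name Mulla.mkv is taken from the report, but the bytes are a minimal synthetic header constructed here, not the real sample.

```python
import os
import struct
import tempfile

# Extensions where a PE image is expected; anything else carrying a PE header is flagged.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None depending on whether data starts with a valid PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF header (20 bytes) must fit inside what we read.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_masqueraded_pe(directory: str) -> list:
    """List (name, kind) for files that are PE images but do not carry an executable extension."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)  # headers live at the start; no need to read the whole file
        kind = pe_kind(head)
        ext = os.path.splitext(name)[1].lower()
        if kind and ext not in EXECUTABLE_EXTS:
            hits.append((name, kind))
    return hits


def build_fake_pe(dll: bool) -> bytes:
    """Constructed minimal PE header for the demo (not a loadable binary)."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    hdr += struct.pack("<I", e_lfanew)           # e_lfanew at offset 0x3C
    hdr += b"\0" * (e_lfanew - len(hdr))          # pad up to the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                       IMAGE_FILE_DLL if dll else 0x0102)
    return bytes(hdr) + b"PE\0\0" + coff + b"\0" * 64


def demo() -> list:
    """Populate a temporary 'temp' directory with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Mulla.mkv"), "wb") as f:
            f.write(build_fake_pe(dll=True))          # PE hiding behind a video extension
        with open(os.path.join(d, "holiday.mkv"), "wb") as f:
            f.write(b"\x1a\x45\xdf\xa3" + b"\0" * 100)  # genuine Matroska files start with EBML magic
        with open(os.path.join(d, "tool.exe"), "wb") as f:
            f.write(build_fake_pe(dll=False))         # PE with an honest extension: not flagged
        return find_masqueraded_pe(d)


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: {kind} image with non-executable extension")
```

Pointed at a real user temp directory the same `find_masqueraded_pe` call works unchanged; reading only the first 4 KiB keeps it cheap enough to run across many hosts.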

During network packet capture, we found NBNS queries attempting to resolve the address cdn.arsis.at, and the source script is also observed to be designed to initiate a network connection.

Analyzing further packets in the capture reveals that the malware attempts to communicate with the following URL:

http[:]//cdn[.]arsis[.]at/api1/kQu9SI1JDcUj_/2BrPSECi/t1UORhqgIumH4ZHgt3kwVcc/wN7wzOMuT1/JTufzmHI0O0rH4Ly_/2BXNF6RBgJRh/V88lgDo5CDW/Pl3uzwzyjbt5hl/dD6Ec8FltNwa6vefkBqAq/3igYJdkP7QGVNGwY/E0RFULg4hKbZqsu/SU86mq04H4ejU97f25/l2Qxp7GNX/DzDzp_2FnMvXDraSMT36/m6tSNKHbR0jp62kMybk/IxfEfB1hon22RelJEFuUQx/9B5mLg28of_0A/_0DTIj8_/2FdoY5HCzimVDWZcx1ENOHI/nRMji7XM5D/3w0WfT3yAOQJq4fku/PNZIPvvXyo/3AMRM

The requested URL is already reported as infected on threat intelligence portals. However, no response packet was observed in the capture.

Additional Findings:

The Ursnif infection depends mainly on the response from the requested URL, which was unresponsive in our case. However, let us explore the capabilities of the Ursnif malware from the code.

An instance of Win32_OperatingSystem is used to retrieve system information, and further computer and disk information is gathered through queries to Win32_ComputerSystem and Win32_LogicalDisk in the root/cimv2 namespace, as shown in the figure below.

A registry-related query is also observed: the code is designed to read the key "HKEY_CURRENT_USER\Control Panel\International\Geo\Nation", as shown below.

AV defense evasion is one of the common behaviors of this type of malware, and it is observed in the source script as well.

Dependencies:

Following are the dependencies observed in the Ursnif Trojan file.

  1. This Ursnif sample cannot work properly without its dropper, mullah.mkv.
  2. This Ursnif sample is designed to establish a C&C connection automatically once infection occurs; without that connection it cannot carry out its objectives.
  3. This Ursnif sample was designed for, and is compatible only with, the Windows environment.

Behavior Graph:

Here is a list of the native API function calls that make up the behavior graph:

  • EnableMouseInPointer
  • TrackMouseEvent
  • GetSystemWindowsDirectory
  • GetSystemTimeAsFileTime
  • GetVersion
  • GetUILanguageInfo
  • GetProcAddress
  • CreateRemoteThread
  • NtUserRemoteConnect

Remediation:

To remediate the Ursnif infection, the following points should be considered:

  • Block subjected URL

“http[:]//cdn.arsis.at/api1/kQu9SI1JDcUj_/2BrPSECi/t1UORhqgIumH4ZHgt3kwVcc/wN7wzOMuT1/JTufzmHI0O0rH4Ly_/2BXNF6RBgJRh/V88lgDo5CDW/Pl3uzwzyjbt5hl/dD6Ec8FltNwa6vefkBqAq/3igYJdkP7QGVNGwY/E0RFULg4hKbZqsu/SU86mq04H4ejU97f25/l2Qxp7GNX/DzDzp_2FnMvXDraSMT36/m6tSNKHbR0jp62kMybk/IxfEfB1hon22RelJEFuUQx/9B5mLg28of_0A/_0DTIj8_/2FdoY5HCzimVDWZcx1ENOHI/nRMji7XM5D/3w0WfT3yAOQJq4fku/PNZIPvvXyo/3AMRM”

  • Kill the regsvr32.exe process that initiates communication with the C&C server, and delete the child file of mullah.mkv from the current user's temp directory.
  • Closely monitor URLs with abnormal URI strings and abnormal length.
  • Block the hashes associated with this Trojan file on EDR and endpoint controls.
  • Delete unnecessary entries in the Documents and temp folders.
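Two of the points above (blocking the reported hashes and monitoring for abnormally long, random-looking URIs) are easy to turn into automated SOC checks. The following is an added Python example, not code from this report: the SHA-256 values, the C2 domain and the defanged C2 URL are taken from this report, while the thresholds (MAX_PATH_LEN, MIN_SEGMENTS, MIN_ENTROPY), the simplified proxy log format and the log lines themselves are assumptions constructed for the example.

```python
import math
import re
from urllib.parse import urlsplit

# Indicators taken from the report above.
IOC_SHA256 = {
    "1fe658a2f99093dfc930b20bd2849d6d530a4d5540f8937bb637c261604a9b7a": "Ursnif VBS dropper",
    "181018ca12c4e5d3da1f8a3d0f2392254904e62eaff51a840d2a958358c850d8": "Ursnif DLL (Mullah.dll)",
}
IOC_DOMAINS = {"cdn.arsis.at"}
# C2 URL as reported, kept defanged; refang() is applied only when building/matching log entries.
C2_URL_DEFANGED = ("http[:]//cdn[.]arsis[.]at/api1/kQu9SI1JDcUj_/2BrPSECi/t1UORhqgIumH4ZHgt3kwVcc/"
                   "wN7wzOMuT1/JTufzmHI0O0rH4Ly_/2BXNF6RBgJRh/V88lgDo5CDW/Pl3uzwzyjbt5hl/"
                   "dD6Ec8FltNwa6vefkBqAq/3igYJdkP7QGVNGwY/E0RFULg4hKbZqsu/SU86mq04H4ejU97f25/"
                   "l2Qxp7GNX/DzDzp_2FnMvXDraSMT36/m6tSNKHbR0jp62kMybk/IxfEfB1hon22RelJEFuUQx/"
                   "9B5mLg28of_0A/_0DTIj8_/2FdoY5HCzimVDWZcx1ENOHI/nRMji7XM5D/3w0WfT3yAOQJq4fku/"
                   "PNZIPvvXyo/3AMRM")

# Thresholds are assumptions for this example; baseline them against your own traffic.
MAX_PATH_LEN = 200
MIN_SEGMENTS = 8
MIN_ENTROPY = 4.0


def refang(ioc: str) -> str:
    return ioc.replace("[:]", ":").replace("[.]", ".")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64-like strings score well above natural paths."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def url_indicators(url: str) -> list:
    """Return the reasons a URL resembles the long, random C2 path described in the report."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in IOC_DOMAINS:
        reasons.append("known C2 domain")
    segments = [seg for seg in parts.path.split("/") if seg]
    if len(parts.path) > MAX_PATH_LEN:
        reasons.append(f"path length {len(parts.path)} > {MAX_PATH_LEN}")
    if len(segments) >= MIN_SEGMENTS:
        reasons.append(f"{len(segments)} path segments")
    entropy = shannon_entropy("".join(segments))
    if len(segments) >= 3 and entropy >= MIN_ENTROPY:
        reasons.append(f"path entropy {entropy:.2f} bits/char")
    return reasons


def is_suspicious(url: str) -> bool:
    """A known IoC domain alerts on its own; otherwise require two structural indicators so
    that ordinary deep paths (package trees, API routes) do not alert on one weak signal."""
    reasons = url_indicators(url)
    return "known C2 domain" in reasons or len(reasons) >= 2


# Constructed, simplified proxy log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

SAMPLE_LOG = [  # constructed lines; status 000 models the unanswered request seen in the capture
    "2020-09-14T10:21:05Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2020-09-14T10:21:09Z 10.0.0.15 GET https://updates.example.com/v2/packages/win/x64/setup.msi 200",
    f"2020-09-14T10:21:42Z 10.0.0.15 GET {refang(C2_URL_DEFANGED)} 000",
]


def scan_proxy_log(lines) -> list:
    """Return one alert dict per log line whose URL is suspicious."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_suspicious(m.group("url")):
            continue
        alerts.append({"client": m.group("client"), "url": m.group("url"),
                       "reasons": url_indicators(m.group("url"))})
    return alerts


def check_hash(sha256: str):
    """Look up a SHA-256 (any case) against the report's IoCs; None when unknown."""
    return IOC_SHA256.get(sha256.strip().lower())


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert["client"], "->", alert["url"][:60] + "...", "|", "; ".join(alert["reasons"]))
```

The two-indicator rule in `is_suspicious` is the part worth keeping when you adapt this to a SIEM: the package-download line in the sample exceeds the entropy threshold on its own yet is not alerted, while the reported C2 request trips the domain match, the length, the segment count and the entropy checks together.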

Beware of social engineering techniques employed by cyber criminals—including phishing emails, impersonated calls, and fraudulent businesses and domains—and learn how to respond to a suspected compromise.

Conclusion:

A heavily obfuscated script written in a natively interpreted language such as VBScript is enough for attackers to bypass AV detection. The simple reason is that these are text-based languages, and the number of possibly suspicious terms is endless.

No matter what obfuscation is used, Rewterz is focused on moving-target defense technology that prevents the evasive Ursnif payload from executing properly before any damage is done.

The above analysis was performed in a controlled environment in Rewterz Threat Intelligence Labs. If you have any malware samples or binaries that need to be analyzed, contact us at info@rewterz.com.
