URSNIF sniffs out and hijacks emails thread

LMNTRIX Cyber Defense Center has recently intercepted a malware campaign related to URSNIF malware variants targeting Banking and Financial Institutions.

In December 2018, there was a rise of attacks aimed at delivering URSNIF, via spam email campaigns or hijacking existing email threads. First seen in the wild in 2007, URSNIF is also known as GOZI. 

The most recent campaign is constantly evolving, with the attackers modifying their tools, tactics and procedures (TTP) whenever their malware-serving domains are flagged by any major web filtering solution. Each new domain hosts at least 17 variants of the malware, with some open source threat intelligence reporting up to 20 variants.

In this report, we provide a brief of our findings on this active threat campaign, with a specific focus on the adversary tradecraft leveraged during all the phases of the attack lifecycle. The information in this report is derived from multiple URSNIF-related incident responses carried out by the LMNTRIX Cyber Defense Center.

Using the methodologies described in this post, the LMNTRIX Cyber Defense Center’s Incident Response Team has uncovered additional organizations infected with URSNIF. We strongly encourage organizations to leverage the indicators, TTPs, and detections in this post to improve their defenses and hunt for related activity in their networks.

Attacker TTP

The current threat campaign is spreading by either spearphising or hijacking existing mail threads. The latter involves sending an email that mimics a previous email thread. In both cases, the victim receives a password-protected archive attachment with the password included in the mail body. The archive contains a document with highly obfuscated and evasive malicious macro script. Upon execution, the macro executes a PowerShell script that connects to the attacker’s domain and downloads the URSNIF malware. The malware is downloaded to the ProgramData folder with a random filename, which is then executed.

Spearphising, Attribution and Detection

The malicious emails originated from either a legitimate company the victim had prior dealings with, or an organisation unknown to the victim. These were either made to look like a part of an email chain, or hijacked an existing mail chain. In most cases, victims who were not in the banking or financial sectors were used to propagate the attack to financial targets. 

Due to the financial motivations of this campaign, and that of previous URSNIF campaigns, LMNTRIX attributes the threat actor as a financially motivated group.

The above redacted screenshot shows an email containing the malicious attachment. This was sent from a known contact, who was already infected, to the victim organization by hijacking a year-old email thread. 

This phishing mail was identified with LMNTRIX Active Defense platform which monitors network traffic for any malicious communication. When the unsuspecting victim opened the malicious document and the macro was executed, the entire execution lifecycle was detected by our LMNTRIX platform.

Evasive Obfuscated Macro

Using of malicious macro code is a common trick to fool users into clicking on “Enable Editing” and “Enable Content” in Microsoft Word. This allows the execution of the malicious Visual Basic (VB) macro code.

The document looks the same from the user’s perspective, but we noticed slight variances in the obfuscation techniques in their VB macro code. As shown below, it is evident that the malicious code is fragmented and obfuscated with a combination of techniques.

Also, the attackers use COM object ID to reference WScript object in VB, and leverage VB constants to spell out “cmd.exe” to evade any traditional anti-virus detection.

PowerShell Execution

The VB macro code executes PowerShell via “cmd.exe /c ” command. The PowerShell command contains a base64 encoded command that is decoded at runtime before execution. The below screenshot shows the command executed by VB macro and the cmd.exe.

The decoded PowerShell script uses in-built PowerShell functionalities to download the malware in an extensive way which is unnecessary from a programmer’s point-of-view, but is effective in evading static string-matching rules. The PowerShell script also uses COM object ID to reference ShellBrowserWindow, and create the instance, which then executes the downloaded malware using ShellExecute method. The malware executes from the “C:\ProgramData” folder, which is inferred from the GetFolderPath(“CommonApplicationData”) environment variable.

Malware Analysis

The malware samples collected during the Incident Response process were analyzed separately and were found to have similar objectives and varied minutely. The overall similarities are analyzed and are presented below:

The malware included multiple techniques to detect debuggers, process monitoring tools and virtual machines, including some of the libraries listed above, cpuid instruction, time delta calculation, custom TLS call-back and checking if parent processes have a visible window.

The main program itself is invoked after going through multiple checks and custom C++ exception handling over SEH, filtering out any possibility of being executed in an environment which is trying to analyze the binary or has some module missing in the system. The actual malware is loaded into a code page and executed by pushing the ImageBase offset to the function handling the execution of the malware code.

The malware is seen to make DNS requests to domains which are currently taken down. Historical intelligence confirms that the domains are the attacker’s command-and-control sites. The connections are made by calling Internet Explorer, referencing it’s COM object ID with hidden window state.

Evolving Attacker Infrastructure

During the incident response process, we found the attackers were quick to identify when their domain names were flagged by major web filtering solutions. When discovered, the attackers shifted their entire malware hosting infrastructure from one domain to another, including the URL path. As seen below, the domains were very recently bought – as recently as April 12.

After shifting their infrastructure, we noticed the attackers changed the names of the malware files. Additionally, the attackers disabled directory listing and directory traversal on their web server which prevented our analysts from discovering further malware.

We also noticed the attackers hosted 17 variants of the malware with 4 unique metadata entries for Internal File Name, with some open source threat intelligence reporting the attackers hosted 20 variants. All details are mentioned in the below IOC table.

Protection

The “MITRE ATT&CK” knowledge base extensively covers the techniques often employed by attackers and maps them to various stages in the attack lifecycle. This URSNIF campaign can be detected with the following MITRE techniques:

1.    T1064 – Scripting – Find suspicious script execution from Word documents with WINWORD as the parent process.

2.    T1086 – PowerShell – Find suspicious PowerShell process execution, especially with “-executionpolicy bypass” or “-encodedcommand” parameters.

3.    Suspicious Run Locations – Find executables that are being executed from suspicious or non-standard locations. 

Alternatively, LMNTRIX’s Adaptative Threat Response platform provides complete endpoint security with detection techniques mapped to the “MITRE ATT&CK” framework. With advanced analytics, LMNTRIX platform brings light to threats that otherwise go undetected, along with detailed analysis to provide attack attribution. The LMNTRIX platform includes an inbuilt offline capability which uses machine learning models to classify malicious files and quickly isolates the location and determines the extent of the executable.

Indicator of Compromise

The table below lists the Indicators of Compromise which can help security professionals identify URSNIF activity. The domains hosting c2 and payload are spread across Russia with nameservers in China.

After shifting their infrastructure, we noticed the attackers changed the names of the malware files. Additionally, the attackers disabled directory listing and directory traversal on their web server which prevented our analysts from discovering further malware.

We also noticed the attackers hosted 17 variants of the malware with 4 unique metadata entries for Internal File Name, with some open source threat intelligence reporting the attackers hosted 20 variants. All details are mentioned in the below IOC table.

Protection

The “MITRE ATT&CK” knowledge base extensively covers the techniques often employed by attackers and maps them to various stages in the attack lifecycle. This URSNIF campaign can be detected with the following MITRE techniques:

1.    T1064 – Scripting – Find suspicious script execution from Word documents with WINWORD as the parent process.

2.    T1086 – PowerShell – Find suspicious PowerShell process execution, especially with “-executionpolicy bypass” or “-encodedcommand” parameters.

3.    Suspicious Run Locations – Find executables that are being executed from suspicious or non-standard locations. 

Alternatively, LMNTRIX’s Adaptative Threat Response platform provides complete endpoint security with detection techniques mapped to the “MITRE ATT&CK” framework. With advanced analytics, LMNTRIX platform brings light to threats that otherwise go undetected, along with detailed analysis to provide attack attribution. The LMNTRIX platform includes an inbuilt offline capability which uses machine learning models to classify malicious files and quickly isolates the location and determines the extent of the executable.

Indicator of Compromise

The table below lists the Indicators of Compromise which can help security professionals identify URSNIF activity. The domains hosting c2 and payload are spread across Russia with nameservers in China.

After shifting their infrastructure, we noticed the attackers changed the names of the malware files. Additionally, the attackers disabled directory listing and directory traversal on their web server which prevented our analysts from discovering further malware.

We also noticed the attackers hosted 17 variants of the malware with 4 unique metadata entries for Internal File Name, with some open source threat intelligence reporting the attackers hosted 20 variants. All details are mentioned in the below IOC table.

Protection

The “MITRE ATT&CK” knowledge base extensively covers the techniques often employed by attackers and maps them to various stages in the attack lifecycle. This URSNIF campaign can be detected with the following MITRE techniques:

1.    T1064 – Scripting – Find suspicious script execution from Word documents with WINWORD as the parent process.

2.    T1086 – PowerShell – Find suspicious PowerShell process execution, especially with “-executionpolicy bypass” or “-encodedcommand” parameters.

3.    Suspicious Run Locations – Find executables that are being executed from suspicious or non-standard locations. 

Alternatively, LMNTRIX’s Adaptative Threat Response platform provides complete endpoint security with detection techniques mapped to the “MITRE ATT&CK” framework. With advanced analytics, LMNTRIX platform brings light to threats that otherwise go undetected, along with detailed analysis to provide attack attribution. The LMNTRIX platform includes an inbuilt offline capability which uses machine learning models to classify malicious files and quickly isolates the location and determines the extent of the executable.

Indicator of Compromise

The table below lists the Indicators of Compromise which can help security professionals identify URSNIF activity. The domains hosting c2 and payload are spread across Russia with nameservers in China.

On 2019-04-18