By John Arneson.
Cisco Talos once again spotted the Ursnif malware in the wild. We tracked this information stealer after Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine alerted us to these Ursnif infections. Thanks to AMP, we were able to prevent Ursnif from infecting any of its targets. The alert piqued our curiosity, so we dug a bit deeper and are providing some recent IoCs related to this threat, which traditionally attempts to steal users' banking login credentials and other login information. Talos has covered Ursnif in the past, as it is one of the most widely deployed malware families attackers have used recently. In April, we detected Ursnif being delivered via malicious emails alongside the IcedID banking trojan.
Malicious Office document
The Ursnif sample from the alert comes from a Microsoft Word document containing a malicious VBA macro. The document is straightforward, simply displaying an image that asks the user to enable macros. If macros are already permitted, the macro is executed automatically when opening the document via the AutoOpen function.
The macro is mostly obfuscated code that executes math functions on data that does not relate to the next stage. There is only one line in the macro that is important to executing the next stage, ultimately executing PowerShell.
Interaction@.Shell RTrim(LTrim(Shapes("j6h1cf").AlternativeText)), 84 * 2 + -168
This line accesses the AlternativeText property of the Shapes object "j6h1cf". The value of this property is the malicious PowerShell command, which is subsequently executed by the Shell function. The PowerShell command carries a base64-encoded payload that is itself another PowerShell command, which downloads Ursnif. Specifically, it downloads an executable from its C2 to the AppData directory and executes it. Note that this is the point at which the Exploit Prevention engine blocks execution of the downloaded file and provides us with alerts to investigate.
After the Ursnif executable is downloaded and executed, registry data is created that is important for the next stage of execution.
The PowerShell command for the next stage of execution resides in the value of the APHohema key, as shown in the image above.
This command uses Windows Management Instrumentation Command-line (WMIC) to execute PowerShell, which extracts the value of the Authicap key to execute it. The value of the Authicap key is a hexadecimal-encoded PowerShell command. The WMIC command makes use of /output:clipboard as a way to hide the normal output of process creation that is printed when creating a process with WMIC.
C:\WINDOWS\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\236FF8AB-268A-4D1B-4807-BAD1FC2B8E95').Authicap))"
The hexadecimal-encoded PowerShell command executed from Authicap decodes to a large PowerShell command, of which the most interesting part is base64-encoded. There are three parts to the command. The first part creates a function that is later used to decode base64-encoded PowerShell. The second part creates a byte array containing a malicious DLL. The third part calls the base64 decode function created in the first part, passing a base64-encoded string as its parameter. The returned decoded PowerShell is subsequently executed by the Invoke-Expression shorthand (iex).
The decoded base64 PowerShell that is executed by iex is used to execute an Asynchronous Procedure Call (APC) Injection.
The first part of the command creates two variables that import kernel32.dll. In this case, the variables are $igaoctlsc and $gdopgtvl, as seen being established by the Add-Type cmdlet.
The APIs imported from kernel32 are:
After the imports are established, the last portion is a single line that performs the APC Injection via the QueueUserAPC API. Here is the simplified form of that single line, with more readable formatting and normalized variable names.
The injection starts by allocating memory for the malicious DLL with VirtualAllocEx, targeting the current process. If the allocation is successful, it then copies the malicious DLL into the newly allocated memory with Copy. Once that is completed, QueueUserAPC is executed, specifying the current thread within its process. This creates a user-mode APC and queues it within the thread. To execute the malicious DLL from the APC queue, the thread needs to enter an alertable state. SleepEx is used to put the thread into that alertable state and complete the APC injection, by passing 1 (True) as its second parameter, bAlertable.
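The registry-staged launcher (the WMIC command and the hexadecimal-encoded Authicap value) and the decoded APC-injection stage both leave recognisable strings behind. The following is an added triage example written for this post, not code from Talos or from the malware: it decodes a REG_BINARY value the way regedit exports it, looks for the indicator strings described above (recursing into embedded base64 literals), and matches the WMIC /output:clipboard launcher in a process command line. The "Authicap" sample content, the helper name d, and the inner stage text are constructed for the example.

```python
import base64
import re

# Indicator strings taken from the staging described above: the registry value
# is run through iex, decodes base64 with a helper, and the decoded stage uses
# Add-Type P/Invoke stubs for APC injection. These are substrings to look for.
INDICATORS = {
    "iex": r"\biex\b|Invoke-Expression",
    "base64": r"FromBase64String",
    "pinvoke": r"Add-Type",
    "apc_apis": r"VirtualAllocEx|QueueUserAPC|SleepEx",
}
WMIC_LAUNCH = re.compile(
    r"wmic(?:\.exe)?\s+/output:clipboard\s+process\s+call\s+create", re.I)
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_reg_binary(reg_text: str) -> str:
    """Decode a REG_BINARY value exported by regedit as '"Name"=hex:aa,bb,..'.
    Long values are wrapped with a trailing backslash; those breaks are joined."""
    body = reg_text.split("=hex:", 1)[1]
    body = re.sub(r"\\\r?\n\s*", "", body)
    raw = bytes(int(h, 16) for h in body.split(",") if h.strip())
    return raw.decode("ascii", errors="replace")

def indicator_hits(text: str) -> set:
    """Indicator names present in the text, recursing into embedded base64
    literals because the third part of the stage feeds one to iex."""
    hits = {name for name, pat in INDICATORS.items() if re.search(pat, text)}
    for lit in B64_LITERAL.findall(text):
        try:
            inner = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        hits |= indicator_hits(inner)
    return hits

def is_wmic_clipboard_launch(cmdline: str) -> bool:
    """Process-creation check for the WMIC launcher pattern quoted above."""
    return bool(WMIC_LAUNCH.search(cmdline))

# Constructed sample (not a real Ursnif value): an outer stage that base64-
# decodes and iex's an inner stage, serialised the way regedit exports it.
INNER = ("Add-Type -Name k32 -MemberDefinition 'VirtualAllocEx QueueUserAPC "
         "SleepEx' -PassThru")
OUTER = ("function d($s){[Text.Encoding]::ASCII.GetString("
         "[Convert]::FromBase64String($s))};$dll=[byte[]](0x4d,0x5a);"
         "iex (d '" + base64.b64encode(INNER.encode()).decode() + "')")
SAMPLE_REG = '"Authicap"=hex:' + ",".join(f"{b:02x}" for b in OUTER.encode())
if __name__ == "__main__":
    print(sorted(indicator_hits(decode_reg_binary(SAMPLE_REG))))
```

Feed it the exported key from a suspect host and the process-creation events around the WMIC launch; a value that hits iex, base64 and the APC API names together is worth pulling for full analysis.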
After infection, the C2 requests are made over HTTPS. Intercepting the traffic, we are able to see the contents of the requests. The most interesting part of the requests is that the data is put into a CAB file format, prior to exfiltration.
URI Format Strings
- type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s\
User-Agent Format String
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
The CAB files containing the data to be exfiltrated are stored in %TEMP%, with the filename format being four hexadecimal characters and a .bin extension. As Ursnif logs data to be exfiltrated, it creates CAB files to store the data with the built-in makecab.exe command. The command targets a MakeCab directive file that Ursnif creates in the %TEMP% directory. The images below show the created CAB files in %TEMP% and the MakeCab directives.
Inside the created CAB files are plaintext data in the format:
<Current Date and Time> <Process Path> <Window Text> <Keystrokes Logged>
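The staging described above (four-hex-character .bin cabinets in %TEMP%, makecab.exe run against a directive in %TEMP%, and the hard-coded MSIE 8.0 User-Agent template) can be checked on a host or in logs. This is an added example written for this post, not Talos or Ursnif code; it parses the fixed CFHEADER of a cabinet per the Microsoft CAB format, flags staging files by name plus header, and matches the makecab command line and User-Agent. The directive filename 1a2b.ddf and the header bytes are constructed sample values.

```python
import re
import struct

# Patterns for the staging described above: CAB files named with four hex
# characters and a .bin extension in %TEMP%, built by makecab.exe from a
# directive file in %TEMP%, and the hard-coded IE8-style User-Agent template.
STAGING_NAME = re.compile(r"^[0-9a-f]{4}\.bin$", re.I)
MAKECAB_LAUNCH = re.compile(r"makecab(?:\.exe)?\s+/f\s+\S*\\temp\\\S+", re.I)
URSNIF_UA = re.compile(
    r"^Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT \d+\.\d+[^)]*\)$")

def parse_cab_header(data: bytes):
    """Parse the fixed 36-byte CFHEADER of a Microsoft cabinet; None if the
    'MSCF' signature is absent. Field order per the CAB spec: reserved1,
    cbCabinet, reserved2, coffFiles, reserved3, versionMinor, versionMajor,
    cFolders, cFiles, flags, setID, iCabinet."""
    if len(data) < 36 or data[:4] != b"MSCF":
        return None
    cb, coff, vmin, vmaj, folders, files, flags, _, _ = struct.unpack_from(
        "<4xI4xI4xBBHHHHH", data, 4)
    return {"cbCabinet": cb, "coffFiles": coff, "version": (vmaj, vmin),
            "cFolders": folders, "cFiles": files, "flags": flags}

def scan_temp_listing(entries):
    """entries: iterable of (filename, leading bytes). Returns the names that
    match the staging pattern and carry a version 1.3 cabinet header."""
    flagged = []
    for name, head in entries:
        hdr = parse_cab_header(head)
        if STAGING_NAME.match(name) and hdr and hdr["version"] == (1, 3):
            flagged.append(name)
    return flagged

def is_makecab_from_temp(cmdline: str) -> bool:
    return bool(MAKECAB_LAUNCH.search(cmdline))

def is_ursnif_user_agent(ua: str) -> bool:
    return bool(URSNIF_UA.match(ua))

def constructed_cab_header(cb_cabinet: int, folders: int = 1, files: int = 1):
    """Constructed sample header (not a captured file) for exercising the parser;
    coffFiles assumes one 8-byte CFFOLDER entry per folder directly after it."""
    return b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, cb_cabinet, 0,
                                 36 + 8 * folders, 0, 3, 1, folders, files, 0, 0, 0)

if __name__ == "__main__":
    listing = [("3f0a.bin", constructed_cab_header(512)), ("report.docx", b"PK\x03\x04")]
    print(scan_temp_listing(listing))
```

The User-Agent match on its own is weak, since legitimate IE8 clients produced the same string; combine it with the staging-file and makecab observations before calling an infection.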
Talos continues to monitor these threats as they evolve to ensure that defenses protect our customers. We strongly encourage users and organizations to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third parties, and ensuring that a robust offline backup solution is in place. Ursnif uses CAB files to compress its data prior to exfiltration, so being aware of the challenges this presents for inspecting outbound data will assist you in protecting and monitoring your environment. To help with the detection of this malware, we are providing readers with a list of IOCs below that can help you identify and stop Ursnif before it infects your network.
Indicators of Compromise (IOCS)
Here are some recent IOCs from our tracking of Ursnif.
C2 Server Domains:
Note that the filenames are hardcoded in the first PowerShell command executed and vary by sample. This means that these indicators aren't necessarily malicious on their own, as the filenames might collide with benign ones. If found together with other indicators, it's likely an Ursnif infection.