Phishing Campaigns featuring Ursnif Trojan on the Rise

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs has been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam e-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

  • The initial attack vector is a phishing email with a Microsoft Word document attachment.
  • Upon opening the document, VBA executes a malicious shellcode
  • Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe

Figure 1- flowchart of infection chain
Figure 1- flowchart of infection chain

Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.

Figure 2- Image of what the user sees upon opening the document
Figure 2- Image of what the user sees upon opening the document

VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors ..

Figure 3- Oleid output
Figure 3- Oleid output
Figure 4- Olevba output
Figure 4- Olevba output

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

Figure 5- Obfuscated VBA macro
Figure 5- Obfuscated VBA macro

To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.

Figure 6- De-obfuscated VBA macro (stage 1)
Figure 6- De-obfuscated VBA macro (stage 1)
Figure 7- De-obfuscated VBA macro (stage 2)
Figure 7- De-obfuscated VBA macro (stage 2)

An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties ()” is used to retrieve the properties and uses “StrReverse” to reverse the contents.

We can see the document properties in Figure-8

Figure 8- Document properties
Figure 8- Document properties

Payload Download and Execution:

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal / hex value and executes it. The shellcode is shown below.

Figure 9- Raw Company property
Figure 9- Raw Company property

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE.

Figure 10- Code of VirtualProtect
Figure 10- Code of VirtualProtect
Figure 11- Shellcode's memory and protection after calling VirtualProtect ()
Figure 11- Shellcode’s memory and protection after calling VirtualProtect ()

After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode.

Figure 12- Environment variable set in Winword.exe space
Figure 12- Environment variable set in Winword.exe space

The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed.

Figure 13- SetTimer function (Execution of shellCode)
Figure 13- SetTimer function (Execution of shellCode)

The shellcode downloads the file from the URL stored in the environmental variable and stores it as “y9C4A.tmp.dll” and executes it with rundll32.exe.

URL hxxp: //docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/
CMD rundll32 “C: Users user AppData Local Temp y9C4A.tmp.dll”, DllRegisterServer
Figure 14- Exports of Downloaded DLL
Figure 14- Exports of Downloaded DLL

After successful execution of the shellcode, the environment variable is removed.

Figure 15- Removal of Environment Variable
Figure 15- Removal of Environment Variable

IOC

TYPE VALUE PRODUCT DETECTION NAME
Main Word Document 6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f McAfee LiveSafe and Total Protection X97M / Downloader.CJG
Downloaded dll 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 McAfee LiveSafe and Total Protection Ursnif-FULJ
URL to download dll hxxp: //docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ WebAdvisor Blocked

MITER Attack Framework

Technique ID Tactic Technical Details Description
T1566.001 Initial Access Spear Phishing Attachment Manual execution by user
T1059.005 Execution Visual Basic Malicious VBA macros
T1218.011 Defense Evasion Signed binary abuse Rundll32.exe is used
T1027 Defense Evasion Technical obfuscation VBA and powershell base64 executions
T1086 Execution Powershell execution PowerShell command abuse

Conclusion

Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe / Total Protection and McAfee Web Advisor.

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.

Source

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs has been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam e-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

  • The initial attack vector is a phishing email with a Microsoft Word document attachment.
  • Upon opening the document, VBA executes a malicious shellcode
  • Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe

Figure 1- flowchart of infection chain
Figure 1- flowchart of infection chain

Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.

Figure 2- Image of what the user sees upon opening the document
Figure 2- Image of what the user sees upon opening the document

VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors ..

Figure 3- Oleid output
Figure 3- Oleid output
Figure 4- Olevba output
Figure 4- Olevba output

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

Figure 5- Obfuscated VBA macro
Figure 5- Obfuscated VBA macro

To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.

Figure 6- De-obfuscated VBA macro (stage 1)
Figure 6- De-obfuscated VBA macro (stage 1)
Figure 7- De-obfuscated VBA macro (stage 2)
Figure 7- De-obfuscated VBA macro (stage 2)

An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties ()” is used to retrieve the properties and uses “StrReverse” to reverse the contents.

We can see the document properties in Figure-8

Figure 8- Document properties
Figure 8- Document properties

Payload Download and Execution:

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal / hex value and executes it. The shellcode is shown below.

Figure 9- Raw Company property
Figure 9- Raw Company property

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE.

Figure 10- Code of VirtualProtect
Figure 10- Code of VirtualProtect
Figure 11- Shellcode's memory and protection after calling VirtualProtect ()
Figure 11- Shellcode’s memory and protection after calling VirtualProtect ()

After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode.

Figure 12- Environment variable set in Winword.exe space
Figure 12- Environment variable set in Winword.exe space

The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed.

Figure 13- SetTimer function (Execution of shellCode)
Figure 13- SetTimer function (Execution of shellCode)

The shellcode downloads the file from the URL stored in the environmental variable and stores it as “y9C4A.tmp.dll” and executes it with rundll32.exe.

URL hxxp: //docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/
CMD rundll32 “C: Users user AppData Local Temp y9C4A.tmp.dll”, DllRegisterServer
Figure 14- Exports of Downloaded DLL
Figure 14- Exports of Downloaded DLL

After successful execution of the shellcode, the environment variable is removed.

Figure 15- Removal of Environment Variable
Figure 15- Removal of Environment Variable

IOC

TYPE VALUE PRODUCT DETECTION NAME
Main Word Document 6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f McAfee LiveSafe and Total Protection X97M / Downloader.CJG
Downloaded dll 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 McAfee LiveSafe and Total Protection Ursnif-FULJ
URL to download dll hxxp: //docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ WebAdvisor Blocked

MITER Attack Framework

Technique ID Tactic Technical Details Description
T1566.001 Initial Access Spear Phishing Attachment Manual execution by user
T1059.005 Execution Visual Basic Malicious VBA macros
T1218.011 Defense Evasion Signed binary abuse Rundll32.exe is used
T1027 Defense Evasion Technical obfuscation VBA and powershell base64 executions
T1086 Execution Powershell execution PowerShell command abuse

Conclusion

Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe / Total Protection and McAfee Web Advisor.

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.

Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

Threat Intelligence Services Are Universally Valued by IT Staff

Almost all IT professionals believe that threat intelligence services and feeds will help their company get ready for and repulse malware attacks. Only...

Black Basta may be an all-star ransomware gang made up of former Conti and REvil members

The group has targeted 50 businesses from English speaking countries since April 2022. ...

APAC companies are failing to build successful digital models: Forrester

Approximately 61% of APAC organizations have failed to build robust and successful digital business business models, primarily due to unsound practices of enterprise architecture...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!