The Ursnif banking Trojan, one of the most notorious forms of malware targeting financial data, has been observed in a sophisticated campaign using advanced techniques to avoid detection and steal sensitive information.
Recently analyzed by Cyble Research and Intelligence Labs (CRIL), this campaign primarily targets business professionals in the United States, employing the Ursnif trojan to infiltrate systems through a multi-stage, stealthy attack.
Key Details of the Ursnif banking Trojan Attack
CRIL’s research reveals a malicious campaign that begins with a seemingly harmless LNK (shortcut) file, which is disguised as a PDF document. The file is typically delivered via spam emails, potentially containing ZIP archives. When unsuspecting users open this file, it triggers a series of commands that ultimately execute the Ursnif banking trojan on the compromised system.
The campaign’s sophistication lies in its ability to execute all malicious activities entirely in memory, making it difficult for traditional security solutions to detect the threat. The Ursnif trojan, once installed, connects to a Command and Control (C&C) server and starts downloading additional malicious payloads, which enable the attacker to steal sensitive data from the infected machine.
The Infection Process
The infection chain begins when a ZIP file containing a malicious LNK file is opened. The LNK file, which looks like a PDF named “staplesds02_23.pdf,” is actually a double extension (.pdf.lnk), designed to deceive users into thinking it is a legitimate document.
Upon execution, the LNK file invokes the Windows utility certutil.exe, which decodes and executes the next-stage payload: a malicious HTML Application (HTA) file.
The HTA file, executed by mshta.exe, contains a VBScript that serves two purposes: it displays a PDF lure document to mislead the victim and drops a malicious DLL file onto the system. This DLL file acts as a loader, decrypting additional payloads embedded within it. The payload includes shellcode and another DLL file, both of which are responsible for executing the Ursnif core component.
Evasion Tactics of the Ursnif Trojan
What makes the Ursnif banking Trojan particularly dangerous is its ability to operate entirely in memory, leaving little trace on the infected system’s disk. The DLL loader decrypts the shellcode, which then loads the next stage of the attack—another DLL file. This second-stage DLL file contains the core Ursnif trojan, which connects to the attacker’s C&C server and starts exfiltrating sensitive information from the victim’s machine.
Ursnif’s evasion techniques include the use of well-known system utilities such as certutil.exe and mshta.exe, which are commonly trusted by security tools. By leveraging these utilities, the Trojan can bypass many traditional security checks, making detection more difficult.
Technical Analysis of Ursnif’s Payload
Once the malicious LNK file is executed, the first step in the attack is the use of certutil.exe to decode Base64-encoded data embedded in the file. This data, when decoded, results in the creation of an HTA file. The HTA file then extracts and displays a decoy PDF document while simultaneously dropping the malicious DLL into the system’s temporary folder.
The next phase involves the execution of the DLL file using regsvr32.exe, which registers the DLL as a system component. The DLL functions as a loader, decrypting encrypted resources embedded within it, including shellcode and another DLL that is crucial for executing the Ursnif banking trojan.
The shellcode, once decrypted, is responsible for loading a second-stage DLL into memory, which serves as the core Ursnif component. This stage enables the Trojan to establish a connection to the C&C server, which facilitates the downloading of additional modules designed to steal data from the infected machine.
Communication with the C&C Server
After the Ursnif core module is loaded, it communicates with the attacker’s C&C server to retrieve further payloads. This communication is encrypted and uses a custom format that is specifically crafted to avoid detection. The malware uses APIs such as CryptAcquireContextW and CryptEncrypt to secure the communication with the server, making it more challenging for security solutions to identify the malicious activity.
Upon receiving a response from the C&C server, the malware prepares to download additional malicious payloads, which could include further malware or tools to escalate the attack. The malware even implements advanced features such as creating a mutex to ensure only one instance of the malware runs at a time, further evading detection.
Conclusion
The Ursnif banking trojan represents a new wave of highly advanced malware that leverages advanced techniques to bypass traditional security defenses. By exploiting legitimate system utilities and executing everything in memory, Ursnif is able to evade detection while stealing sensitive data.
Cyble recommends the use of advanced detection systems, including behavior-based monitoring, to identify unusual activity. Organizations should be vigilant about email attachments and links, implement stronger email filtering, and closely monitor the use of system utilities like certutil.exe and mshta.exe. Additionally, deploying EDR solutions, enforcing least privilege policies, and using behavior-based detection can further mitigate the risk of such attacks.
