Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration
In addition to employing a fileless attack technique, the Ursnif Trojan has been using CAB files to compress harvested data before exfiltration in recent attacks, Cisco Talos security researchers reveal.
The Trojan has been around for over half a decade, mainly focused on stealing users’ banking credentials, along with other sensitive information from the infected systems.
Ursnif, Talos says, is “one of the most popular malware that attackers have deployed recently.”
The recently observed Ursnif distribution campaign leveraged a Microsoft Word document containing a malicious VBA macro for the distribution of the malware. The document contains an image that asks the intended victim to enable content.
If Office already allows such code to run, the macro is automatically executed when the document is open, via the AutoOpen function, Talos’ researchers say.
Mostly obfuscated, the macro contains one line of code to accesses the AlternativeText property of the Shapes object “j6h1cf,” a base64-encoded PowerShell command to download Ursnif from its command and control (C&C) server and to execute it.
Registry data is created for the next stage and Windows Management Instrumentation Command-line (WMIC) is used to run PowerShell to extract the value of the APHohema key, which is a hexadecimal-encoded PowerShell command.
This command creates a function later used to decode base64-encoded PowerShell, creates a byte array containing a malicious DLL, and executes the base64-decode function. This results in another PowerShell, which is run by the shorthand Invoke-Expression (iex) function to execute an Asynchronous Procedure Call (APC) Injection.
The injection first allocates memory for the malicious DLL with VirtualAllocEx, targeting the current process, then copies the malicious DLL into the newly allocated memory.
After the infection process has been completed, the malware makes C&C requests over HTTPS. Analysis of this traffic reveals the use of the CAB file format to store the harvested data prior to exfiltration.
“Ursnif is a fan of ‘fileless’ persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop,” Talos concludes.
“This is just the latest example of how anti-virus and signature-based security tools are easily bypassed by creative hackers,” Ray DeMeo, Co-Founder and COO at Virsec, told SecurityWeek. “There are hundreds of sophisticated hacker tools readily available, that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized. We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure.”