Attack Combines Phishing, Steganography, PowerShell to Deliver Malware
URLZone Morphs Into a Downloader for Ursnif
Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malwares.
The basic process described in a new report from Cybereason is a malspam campaign with a weaponized Excel document containing a PowerShell script that downloads steganographic images. The script extracts further Base64 and AES-encrypted and compressed PowerShell code from the images. This code subsequently downloads a stripped-down version of URLZone which is then used as a downloader for the Ursnif banking trojan.
The key elements of the campaign are that it is finely targeted against Japanese users, and that URLZone has been repurposed as an evasive downloader. The combination of PowerShell and steganography to deliver URLZone is an evasive technique to avoid detection.
The targeting comes first via the malspam campaign, and secondly through a series of location checks by the malware. The initial excel file uses a VBA macro to check the machine’s country setting. If it is not ‘Japan’, the application closes; otherwise it proceeds. This script downloads, extracts and decodes more PowerShell code via a 600×600 pixel image. The extracted code then retrieves the initial payload, again steganographically hidden. The payload is extracted and decrypted — and at this point a further geographic/language check is made. It uses the function (&Get-Culture).LCID to access the machine’s language identifier and uses it as part of the decryption routine.
The initial payload is basically URLZone. URLZone, aka Bebloh and Shiotab, is a banking trojan that first appeared in 2009. It uses man-in-the-browser techniques and Windows API call-hooking to steal banking information. Its use against Japanese targets is not uncommon.
In this instance, however, it has been repurposed from a banking trojan into a downloader. More specifically, say the researchers, “the banking trojan capabilities were effectively stripped from this variant. In this variant, URLZone is used solely as a downloader for additional malware.”
It seeks to evade detection and analysis through a series of anti-analysis checks. It checks the CPU brand, and if it is ‘Xeon’, the malware exits. It checks for Sandboxie, VirtualBox, and VMware. It performs an anti-debugging check and checks for the strings, ‘sample’, ‘virus’, and ‘sandbox’ in the process path. Finally, it creates a mutex with a string based on the name and install date of the machine, and if the mutex already exists, the malware terminates.
If all is well, URLZone launches explorer.exe and injects into it. (If this fails for any reason, it launches iexplorer.exe and injects there.) It initializes explorer.exe in suspended mode, creates a memory-mapped section, and writes itself to it. It writes shellcode to the memory of the suspended explorer.exe, which loads the portable executable written to the memory-mapped section of explorer.exe.
This version of URLZone is a downloader. It checks connectivity with Google and attempts to connect to a hardcoded C2 server. If this connection fails, if the server is off-line or has been taken down, it uses a DGA to find an alternative C2 (the DGA uses the previous domain as the seed for the newly generated domain name).
The C2 returns a list of addresses to URLZone, from which it downloads additional malware, writes it to a randomly named folder within the temp folder, and executes it. In this campaign, the final downloaded malware detected by Cybereason was the Ursnif banking trojan. New versions of Ursnif have been common since the source code was leaked in 2015, and Cybereason reported on an earlier Ursnif campaign, also targeting Japan, in March 2019. “The new variant,” say the researchers, “features a stealthy persistence mechanism, revamped information-stealing modules focusing on mail clients and cryptocurrency, and targets Japanese security products.”
Related: Kronos Banking Trojan Has Returned