Researchers warn about a new wave of attacks with an information-stealing Trojan called Ursnif that uses PowerShell and fileless execution mechanisms, making it harder to detect. Some of the attacks also deploy the GandCrab ransomware.
Ursnif, also known as Dreambot, has been around for some time and initially focused on stealing emails and online banking credentials from browsers. However, the Trojan has modules that extend its functionality and has recently been used to deploy other malware as well.
For example, researchers from Carbon Black have observed a spam campaign over the past month that distributes Ursnif, which in turn installs the GandCrab ransomware. “The overall attack leverages several different approaches, which are popular techniques amongst red teamers, espionage focused adversaries and large scale criminal campaigns,” the Carbon Black researcher said in a new report.
The attack chain starts off with spam emails that carry Word documents containing malicious macro scripts. The macros are obfuscated with junk code but are designed to execute an encoded PowerShell command stored in the Alternate Text field of an object inside the document.
Document macros and PowerShell scripts have been extensively abused to install malware on computers over the past few years because attackers like to live off the land and these features are present by default in Windows and Microsoft Office.
Ursnif’s PowerShell script downloads a payload from a hard-coded command-and-control server and executes it directly in memory. This second payload then downloads another file in raw form from pastebin.com and injects it into the PowerShell process. The final payload is version 5.0.4 of GandCrab, a ransomware program sold on underground markets as a service, where its creators allow other cryber criminals to use it for a cut of the profits. There’s already a decryption tool available for some GandCrab variants, but this appears to be a newer version.
Security researchers from Cisco Systems’ Talos group have also seen and analyzed recent Ursnif campaigns and published a technical report that explains its infection chain in detail. According to them, Ursnif doesn’t just load malicious code directly in memory. It also manages to remain persistent across reboots while remaining fileless. It achieves this by storing an encoded PowerShell command inside a registry key and later launching it using the Windows Management Instrumentation Command-line (WMIC).
The malware stores the stolen data in packed CAB files and sends it to command-and-control servers using encrypted HTTPS connections, making it difficult for data leak prevention solutions to detect the traffic.
“Ursnif is a fan of ‘fileless’ persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic,” the Cisco Talos researchers said. “Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop.”
Both Cisco Talos and Carbon Black have included indicators of compromise such as file hashes, URLs and other artifacts, in their respective reports, and Carbon Black also released YARA rules that could help network defenders and incident responders detect such infections.