Fidelis Cybersecurity has been investigating a new variant of Ursnif, a family of trojans that captures and reports information about user activity back to the attacker. We recently observed the variant distributed in phishing runs designed to appear as legitimate banking-related emails. On infected hosts, it attempts to perform webinjects to capture credentials for major U.S. banking sites, including Citibank, JPMorgan Chase, USAA and Capital One. Interestingly, it takes screenshots when victims visit a variety of Italian sites, such as Unicredit, Poste and Relax Banking. To evade detection, it also blocks access to a surprisingly large number of security-related websites. What specifically grabbed our attention was the change in command-and-control traffic that distinguishes it from standard Ursnif.
Even as ransomware dominates the headlines, banking trojans are a profitable mainstay of the criminal domain. As recently reported, ransomware like CryptXXX has acquired credential-theft capabilities, signaling a marriage of sorts within the crime family. Banking trojans have been the vehicle for numerous innovations in malware over the years. These developments in Ursnif show us that technical investment across the crime domain continues. The targeting of Italian and U.S. financial institutions also points to the global scope of opportunity for such criminal actors.
This post covers our analysis of these changes and how we reversed them. Further, we share configuration details as well as IOCs.
Once launched, it then downloads Andromeda, which is commonly used to deliver other malware. Using RC4 encryption, Andromeda will check in with its panel to retrieve a list of modules, or payloads, to download. In this case, Andromeda downloaded a variant of Ursnif, along with Pony malware. This variant has been tracked by other researchers and is notable in that it uses a /images/ structure in its C2 communications, as seen in the example traffic later in this post.
Once the sample is unpacked and decoded, it's clear that this variant contains strings commonly associated with Ursnif. It also contains strings associated with Rovnix and Gozi. This is likely why many researchers have been calling it Ursnif/ISFB/Gozi. There appear to be, at the very least, two versions of Ursnif in use for different purposes. One has been heavily reported as a fileless Ursnif variant delivering POS malware and has also recently been called PowerSniff. This variant, however, doesn’t appear to have the same C2 traffic, as the string appears almost base64-ish in nature and the strings allude to it being more focused on form-grabbing and web-injection.
As it turns out, this variant actually has the normal Ursnif traffic, except that it is encrypted and encoded to hide it. After unpacking the DLL, we can either decode the strings section ourselves or, as luck would have it, let the malware do it for us, and then copy the decoded section right over the old one. After that, looking at it in IDA becomes significantly easier.
Now that we can see the decoded strings and we can even see where the version number is passed in, finding the point where the traffic is created becomes a little easier.
After the traffic string is generated, Ursnif generates a random URL variable that is prepended to it. The reason for prepending it will become apparent later: the string is encrypted in CBC (Cipher Block Chaining) mode, so the random data at the beginning causes the encrypted traffic string to differ every time.
After it is concatenated onto the newly generated random URL variable, the string is passed off to a function to be encrypted and base64 encoded. In this case, the encryption used was Serpent, a runner-up for AES. We can identify this algorithm by narrowing in on a particular loop in the code where it uses the magic number 0x9e3779b9 and loops 0x84 times (when going by DWORD values).
This can be seen in a C implementation of this algorithm below.
Unlike most of the implementations found online, the one in Ursnif uses CBC. After finding a good implementation of the algorithm in ECB (Electronic Codebook) mode, written by Bjorn Edstrom, and studying the description of CBC, we can turn this Python code into a CBC mode for testing fairly easily, as the bot uses an IV of 16 NULL bytes.
Next, the bot passes the string to a function that will enumerate all characters in the string, looking for ‘/’ and ‘+’ characters. When found, they will be converted into their hex form preceded by an underscore such as ‘_2F’.
Next, the string is passed off to a function that will add random slashes to the string in order to make it look more like a URL string.
The URL string is finished by adding either a .bmp or .gif extension to the end and appending the entire string to /images/ and then appending the combined string to the domain or domain-and-URL combination in the bot.
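As an added illustration (not code from the original post or from Fidelis), the sketch below reverses the URL-shaping steps described above to recover the ciphertext from an observed request path, and layers CBC with a 16-NULL-byte IV over any ECB block-decrypt function. The function names, the handling of stripped base64 padding and the sample path are assumptions constructed for this example; a real Serpent ECB routine and the bot's key would have to be supplied by the analyst.

```python
import base64
import binascii
import re

BLOCK = 16  # Serpent block size in bytes
C2_PATH = re.compile(r"/images/(.+)\.(?:bmp|gif)$")

def decode_c2_path(path):
    """Undo the URL-shaping steps; return ciphertext bytes, or None if no match."""
    m = C2_PATH.search(path)
    if not m:
        return None
    body = m.group(1).replace("/", "")          # drop the cosmetic slashes
    body = re.sub(r"_(2[BbFf])",                # _2B -> '+', _2F -> '/'
                  lambda h: chr(int(h.group(1), 16)), body)
    body += "=" * (-len(body) % 4)              # assumption: '=' padding may be absent
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    # CBC output is always a whole number of cipher blocks
    return raw if raw and len(raw) % BLOCK == 0 else None

def cbc_decrypt(decrypt_block, ciphertext, iv=bytes(BLOCK)):
    """CBC over any 16-byte ECB primitive; the IV defaults to 16 NULL bytes."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        plain = bytes(a ^ b for a, b in zip(decrypt_block(block), prev))
        out += plain
        prev = block
    return bytes(out)

# Constructed sample path (not captured traffic): 16 bytes of made-up ciphertext.
SAMPLE_PATH = "/images/_2B_2F_2B/_2FAAAAAAAA/AAAAAAAAAQ.gif"
SAMPLE_BYTES = bytes.fromhex("fbffbf" + "00" * 12 + "01")

if __name__ == "__main__":
    ct = decode_c2_path(SAMPLE_PATH)
    print(ct.hex())
    # Stand-in for Serpent ECB decryption (a byte-wise XOR), used only to
    # exercise the CBC wrapper; it is not the cipher the bot uses.
    toy = lambda b: bytes(x ^ 0x5A for x in b)
    print(cbc_decrypt(toy, ct).hex())
```

Because the random prefix occupies the start of the plaintext, the opening bytes of any decrypted request are noise by design; the block-alignment check in `decode_c2_path` is a triage heuristic for proxy logs, not proof of infection.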
After finally checking in, the bot will get a fairly large U.S. config and the targets are included below. This run of Ursnif appears to be spammed to both the U.S. and Italy, which makes sense, given the targets are primarily businesses based in these countries. However, Ursnif itself has basic form-grabbing capabilities, so any site or application that an infected user logs into could potentially be compromised. Attackers are stealing log-in credentials and, in some instances, screenshots.
Ursnif continues to see investments and remains a potent banking trojan. As with other banking trojans, the use of multi-factor access (MFA) controls is the best countermeasure to protect against such man-in-the-browser attacks. Small businesses as well as individuals with significant assets should try to separate their at-risk activities like email and casual browsing from access to online banking accounts.
Ursnif C2 traffic:
Blocks Access to:
-- Fidelis Threat Research Team researcher Jason Reaves