Latest Ursnif variant targets Japanese users to steal credentials

• The new variant comes with added advanced functionalities to evade detection by security tools.
• Delivery methods of this trojan are mainly tailored to affect Japanese user systems.

Notorious info-stealing trojan Ursnif is back again with a new variant this year. The latest variant packs a host of advanced features to combat early detection by security tools.

According to a detailed analysis by security firm Cybereason, Ursnif comes with enhanced stealing modules, in addition to using improved delivery methods through another trojan Bebloh.

Worth noting

• The latest variant has a stealthy persistence mechanism to overcome detection by various security tools.
• It also packs a cryptocurrency and disk encryption module likely meant for different operations.
• An Anti-Phishwall module to deal with Phishwall (a Japanese security tool) is also present.
• Modified VBA code now checks for Japanese language settings in affected systems. A PowerShell command also analyzes for the same.
• A location check is performed to ensure that the affected machine is in Japan.

What are the techniques used - Just like the earlier version, this variant uses steganography to hide malicious content which is decrypted by the PowerShell code. This decrypted code is based on the PowerSploit framework that uses a Portable Executable module for loading and executing the Bebloh’s payload.

Following this process, Bebloh drops Ursnif into the system which is completely compromised upon execution of the latter. Further technical details on the trojan can be found at the Cybereason blog.

What are its capabilities and targets - Cybereason indicated that the variant matches another trojan with similar functionalities. “Based on our code analysis, the newly observed variant bears great resemblance to the Dreambot variant. However, it lacks some commonly observed built-in features like the Tor client and VNC module,” the researchers wrote.

Moreover, this variant was found to aggressively target Japanese users. The specific features built into this variant are an indication of this fact. In addition, telemetry also confirmed its main activity in Japan.