New malware campaign distributing Ursnif banking trojan uses fileless technique

• The new malware campaign distributing Ursnif banking Trojan uses PowerShell to achieve fileless persistence to avoid detection.
• This malware campaign uses an already well-known payload delivery method which employs Microsoft Word documents containing a malicious VBA macro.

Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine detected a new malware campaign distributing the Ursnif banking Trojan. It uncovered that the malware campaign uses Powershell to achieve fileless persistence to avoid detection from antimalware solutions.

Ursnif trojan also known as Gozi ISFB, is a variant of the original Gozi banking Trojan, which leaked its source code online in 2014.

Malicious VBA Macro

Researchers from Cisco Talos discovered that this malware campaign uses an already well-known payload delivery method which employs Microsoft Word documents containing a malicious VBA macro.

• The malicious VBA macro, if enabled, will automatically run using AutoOpen.
• Otherwise, the malicious document displays an image prompting users to enable the macros feature.
• The malicious VBA macro contains a single line which is important to execute the next infection stage by executing PowerShell.
• This single line accesses the AlternativeText property of the Shapes object ‘j6h1cf’.
• The value of this property is the malicious PowerShell command, which is eventually executed by the Shell function.
• The malicious Powershell command is base64 encoded and it is the one that downloads the Ursnif executable from its C&C server to the AppData directory and executes it.
• Once the Ursnif executable is downloaded and executed, registry data is created for the next stage of infection.
• The PowerShell command for the next stage of infection exists in the value of the APHohema key.
• This PowerShell command uses Windows Management Instrumentation Command-line (WMIC) to execute PowerShell, which extracts the value of the Authicap key to execute it.

“ The value of the Authicap key is a hexadecimal-encoded PowerShell command. The WMIC command makes use of /output:clipboard as a way to hide the normal output of process creation that is printed when creating a process with WMIC,” John Arneson of Cisco Talos explained in a blog.

Three parts

There are three parts to the hexadecimal-encoded PowerShell command.

• The first part creates a function which is used to decode base64 encoded PowerShell.
• The second part creates a byte array containing a malicious DLL.
• The third part executes the base64 decode function created in the first part, with a base64 encoded string as the parameter to the function.

APC Injection

The shorthand Invoke-Expression (iex) function executes the decoded PowerShell, which is then used to execute an Asynchronous Procedure Call (APC) Injection.

• The APC injection starts by allocating memory for the malicious DLL with VirtualAllocEx, targeting the current process.
• Once the allocation is successful, it then copies the malicious DLL into the newly allocated memory with Copy.
• Once the malicious DLL is copied to the newly allocated memory, QueueUserAPC is executed, specifying the current thread within its process.

“ This creates a user-mode APC and queues it within the thread. To execute the malicious DLL from the APC queue, the thread needs to enter an alertable state. SleepEx is used to trigger an alertable state completing the APC injection, by specifying 1 (True) for its second parameter which is bAlertable,” the blog read.

After successful infection, the Ursnif banking trojan makes C2 requests over HTTPS, which contains the data in a CAB file format, prior to exfiltration.