The Ursnif trojan, which has been active for the past few months, has been observed infecting several organizations in Italy.
Unlike the previous attacks, this time the trojan does not leverage steganography or heavily obfuscated PowerShell payloads for propagation. Instead, it uses malicious VBScript scripts that comes hidden within phishing emails.
How does it work - According to the researchers from Cybaze-Yoroi ZLab, the attack begins with users receiving phishing emails that have a reference to ‘summon’. The email comes attached with a hyperlink named ‘Decreto’. Once the users click on the link, they are redirected to a Google Drive web page that opens a fake page. This fake page contains fake documents and asks the victims to click on a download link.
This link, if opened, downloads an archive onto the victims’ machines from blogger[.]scentasticyoga[.]com, embedding two different files. These two files are: an obfuscated Visual Basic Script (VBS) and a legit image to deceive the victims.
What is the role of the VB script - The malicious VBScript code works as a shield against antivirus products. It helps the Ursnif trojan to evade detection while continuing the infection process. The values of the script are manipulated in different steps using many mathematical operations, very long random variable names and Base64 encoding format.
“The malicious routine is split into many slices and then recombined at runtime, quite basic but it is an effective evasion technique. After a first de-obfuscation phase, a more readable code could be obtained,” said the researchers.
Investigations of the remote C2 server shows that the attack campaign is active since March 5, 2019.
The bottom line - Experts note that Ursnif is one of the most active and aggressive malware spreading across Italian cyber-landscape. Threat actors behind these attacks constantly update and vary their infection chains to avoid security controls and avoid antivirus detection.