Aug 17, 2014
Breaking News: Sed ut perspiciatis, unde omnis iste natus error sit voluptatem accusantium doloremque laudantium

Tag: phishing

URSNIF VARIANT FOUND USING MOUSE MOVEMENT FOR DECRYPTION AND EVASION

00Malware, Malware analysis, Phishing, TrojanTags: , , , , ,

URSNIF VARIANT FOUND USING MOUSE MOVEMENT FOR DECRYPTION AND EVASION

 

In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the ‘Range’ feature within its initial HTTP requests to avoid detection.

In July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body. As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.

However, these samples appear to exhibit new features including anti-sandboxing features that use a combination of mouse position and file timestamps to decode their internal data and the ability to steal data from the Thunderbird application.

 

ANALYSIS

A sample lure email for this campaign is shown below:

Once decrypted, it shows three OLE document icons with the extension “docx”, which will lure users to double click them directly (see below):

In fact, their file properties show they are three identical VBS scripts, including same highly obfuscated code padded with lots of garbage scripts to cover up normal logic.

Once triggered, it tries to download malware from ‘hxxp://46.17.40[.]22/hyey.pnj’. If this fails, a second attempt will be made to another site: ‘hxxp://inshaengineeringindustries[.]com/head.pkl’. These files are in fact DLL files which have been designed to be loaded through WMI:

rundll32 [malwarepath] DllRegisterServer

This malicious DLL is packed and again padded with lots of garbage code to hamper static analysis attempts. During execution, it will drop a second DLL file, map this new DLL to the current address, fix the Import Address Table and Relocation Table, then finally jump into the entry point to execute.

The dropped DLL first does self-checking on integrity and then:

  • Performs anti-sandboxing checks
  • Performs anti-VM checks
  • Implements persistence through an autorun registry key
  • Injects itself into the ‘explorer.exe’ process

The remainder of this analysis will focus on the new mouse-based anti-sandboxing/decryption capabilities.

Anti-Sandboxing Checks

The algorithm used by this sample uses the difference between the current and previous recorded mouse coordinates to detect mouse movement and avoid sandbox environments where the mouse is not usually moved. It further uses the value generated by this process to ‘brute force’ its own decryption key.

Step One – Key Generation

Firstly, the malware calculates the D-Value (delta) between the x- and y-coordinates of the last and current mouse position. It then selects the sum of the .BSS section’s Relative Virtual Address (RVA) and ‘SizeOfRawData’ value as a base seed.

It XORs the base seed with the file creation time (in this case ‘Apr 11 2017’) to get a value which is added to the lowest 5 bits of the mouse D-Value to get the decryption key.

Step Two – Decode .BSS Section

The malware loops through the .BSS section of the DLL one DWORD at a time, XORing the current DWORD data with the last DWORD data. This value is then XORed with the decryption key generated above and right-rotated by the loop count. The ‘current’ DWORD is then replaced.

Step Three – Verify The Deciphering Key

After .BSS section data is decoded, three values are acquired from offsets 0x61d, 0x619, and 0x625 in the .BSS section, and their sum compared with checksum ‘0EE553B4E’. If this matches, it will execute the rest of the code, otherwise it has to restore the encrypted .BSS section raw data and try to re-calculate new key for another attempt at the decryption and verification operation.

If run in sandbox environment, since the D-value based on the mouse movement always is 0, the ‘BSS’ section is always inaccurately decoded and will loop execution of same code. While in a realistic environment, due to only using the lowest 5 bits of D-value rather than the full 32 bits, it is more likely to get correct value to decode section data.

The decryption key itself is an important global constant which will be used in subsequent code to decode APIs, a hidden PE file (DLL file in this variant), synchronous objects, Registry data, URLs, etc.

In addition, the decoding operations are implemented at run time, preventing memory analysers from dumping the whole plaintext string stream of malware memory, e.g.

Decoding Windows APIs used for further injection operations:

With the aid of the decryption key, an additional embedded PE file (a 3rd DLL file) can be safely extracted from data section of the second DLL file, released to a temporary buffer, and injected into the ‘explore.exe’ process.

 

CONCLUSION

Ursnif spreads itself through emails provided with a plaintext password for an attached encrypted document. In general, this method is used by senders when the attached documents contain sensitive content. In recent years, this method is widely leveraged by threat actors, who want to ensure their payload successfully bypasses IDS detection and to deceive recipients to firmly believe that the mail may contain important information.

Overall, Ursnif is well concealed: it communicates with C2 servers via Tor, limiting its traceability, and is equipped with anti-sandbox and anti-VM techniques.

You value our work? Please support us 

 

Nemucod Evolves Delivery and Obfuscation Techniques to Harvest Credentials

00Featured news, Latest news, Malware, Phishing, ReverseEngineeringTags: , , ,

Recently the Unit 42 research team have been investigating a wave of Nemucod downloader malware that uses weaponized documents to deploy encoded, and heavily obfuscated JavaScript, ultimately leading to further payloads being delivered to the victim. From a single instance of the encoded JavaScript discovered in one version of this malware, we pivoted on the Command and Control (C2) IPv4 address discovered during static analysis and deobfuscation, using our Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload.

Over the past five months they have tracked this campaign of Nemucod malware in various industry sectors across multiple countries with Europe amassing the highest number of attacks, followed by the United States of America and then Japan (as can be seen in Figure 1).

nemucod_1

Figure 1: Nemucod Destination Countries by session volume.

nemucod_2

Figure 2: Target Industries by session volume.

Spain was the single most affected country, as shown in Figure 1, with the Professional and Legal Services sector, as shown in Figure 2, contributing the most towards that and also towards Belgium’s total volume as well. Utilities was next, almost exclusively in France; Healthcare was primarily made up again from volume seen in Spain; Energy, towards the end of the list of Top 10 industries shown in Figure 3, was mostly due to activity in the United Kingdom; the Securities and Investments sector was mostly made up from traffic in the United States of America, United Kingdom and Norway. Malicious traffic seen in Japan was due to attacks seen in High Tech industries.

nemucod_3

Figure 3: European Countries by session volume.

Much of the malware arrived by email (using SMTP, POP3 and IMAP applications) as shown in Figure 4, the vast majority of which originated from Poland or at least using source email addresses with Polish domain names. Recipient email addresses varied but many seem valid based on names and linked-in account details. A small proportion of the sessions seen were over the web-browsing application being downloaded from websites resolving to IP addresses in Moldova, which will be discussed in more detail later.

nemucod_4

Figure 4: Nemucod network application by session volume

The remainder of this blog describes the evolution of the malware since that time, as well as other topics:

  • Weaponized document evolution.
  • Insight into the possible workflow and setup of the attackers, including their infrastructure.
  • Obfuscation and social engineering techniques used.
  • The credential theft payload.

Fake Live.com – update your mailbox phishing scam

00Featured news, Latest news, Malware, PhishingTags: ,

We see lots of phishing attempts for email credentials. This one is slightly different than many others. It pretends to be a message from Email Support to Update Your Mailbox. Of course these don’t come from Microsoft or Live.com but are spoofed to appear to come from them.

They use email addresses and subjects that will scare, persuade or  entice a user to read the email and follow the link. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.

The email looks like this:

From: Email Support <noreply@live.com>

Date: Mon 08/05/2017 02:58

Subject: E-mail Account Update

Body content:

Update Your Mailbox
Dear jeremiah@thespykiller.co.uk,

Within 24 hours, if you do not update your mailbox, your email will be disabled. Failure to update your e-mail account, It will be permanently terminated.
Update Your MailBox
Copyright ©  E-mail Support Service. 2017

email support phishing email

Email Headers:

IP Hostname City Region Country Organisation
69.130.7.126 mail.addonusa.com US AS4181 TDS TELECOM
212.175.129.33 212.175.129.33.static.ttnet.com.tr Ankara Ankara TR AS9121 Turk Telekomunikasyon Anonim Sirketi

Received: from mail.addonusa.com ([69.130.7.126]:53623)
by knight.knighthosting.co.uk with esmtp (Exim 4.89)
(envelope-from <noreply@live.com>)
id 1d7Xv1-0006IL-AO
for jeremiah@thespykiller.co.uk; Mon, 08 May 2017 02:57:03 +0100
Received: from live.com (unknown [212.175.129.33])
by mail.addonusa.com (Postfix) with ESMTPSA id 322F3C4921F
for <jeremiah@thespykiller.co.uk>; Sun,  7 May 2017 21:56:34 -0400 (EDT)
From: Email Support <noreply@live.com>
To: jeremiah@thespykiller.co.uk
Subject: E-mail Account Update
Date: 08 May 2017 04:57:31 +0300
Message-ID: <20170508045730.8E5AE27BEE5716AC@live.com>
MIME-Version: 1.0
Content-Type: text/html;
charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

If you follow the link inside the email  you see a webpage looking like this: hxxp://www.mir-holoda.by/pic/fanc/en-gb/?email=jeremiah@thespykiller.co.uk   ( where the email address the email was sent to is automatically inserted)

 

After you input your  password, you first get get told “checking details” then “incorrect details” and forwarded to an almost identical looking page where you can put it in again and each time it goes round the same saga.

We all get very blaze about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.