Business Pros Targeted by Ursnif Banking Malware Attack

A recent malicious campaign leverages a deceptive LNK file disguised as a PDF within a ZIP archive. When executed, the LNK file triggers a series of actions: it uses certutil.exe to decode a malicious HTA file, which is then launched by mshta.exe. 

The HTA file, while displaying a PDF lure, drops a malicious DLL that serves as a loader, which decrypts and executes shellcode, which in turn loads the final payload, the infamous Ursnif banking trojan connecting to C&C servers to steal sensitive information from the compromised system.

Figure: Infection chain

The attack begins with a disguised LNK file which, when opened, triggers a chain of events. It decodes and executes a malicious HTA file, which fetches additional malicious content from a remote server, including a lure PDF document to distract the user and a malicious DLL.

The HTA file disables Windows Defender, saves the malicious DLL, pads it with empty space, and registers it as a system component using regsvr32, potentially allowing for persistent and stealthy malicious activity. 

Figure: Partial content of LNK file

The loader DLL reads an encrypted resource named “FAMILY” from its own image and decrypts it with a hardcoded key. The decrypted data holds two further encrypted payloads: the first is shellcode that maps a second PE file into memory.

The second is a DLL that acts as a loader for the core Ursnif module; it connects to a C&C server, downloads additional modules, and steals sensitive information from the infected machine.

Figure: Decryption loop

The shellcode resolves the Windows APIs it needs at run time rather than importing them: it computes checksums of hardcoded API names and compares them against checksums calculated over the names of the functions exported by the DLLs already loaded in the process.

Once matched, it uses the resolved APIs to allocate memory, copy the decrypted malicious DLL, modify memory protection, and add a dynamic function table. Finally, it executes the DLL’s `DllRegisterServer` function to initiate further malicious actions.

Figure: Hardcoded API names
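The checksum-based resolution described above is what an analyst sees in the sample: a list of 32-bit constants instead of API names. The usual response is to build a reverse-lookup table (checksum to export name) so the constants can be labelled. The following is an added example written for this article, not code from the sample or from CRIL; the page does not state which checksum routine Ursnif uses, so `ror13_hash` is an assumed stand-in that an analyst would replace with the routine recovered from the shellcode, and `SAMPLE_EXPORTS` is a constructed list rather than a real DLL export table.

```python
"""Reverse-lookup table for hashed API names (added example, not from the article).

Assumptions: the checksum routine below (rotate-right-13 accumulate) is a
placeholder, not the one Ursnif uses; the export list is constructed.
"""
from typing import Callable, Dict, Iterable, List, Optional

HashFn = Callable[[str], int]


def ror13_hash(name: str) -> int:
    """Assumed placeholder checksum over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # 32-bit rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


def build_lookup(exports: Iterable[str], hash_fn: HashFn = ror13_hash) -> Dict[int, str]:
    """Map checksum -> export name; refuse silently ambiguous tables."""
    table: Dict[int, str] = {}
    for name in exports:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {table[h]} and {name} both hash to {h:#010x}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Label each constant pulled from the sample; None means 'not in our export list'."""
    return {h: table.get(h) for h in hashes}


# Constructed export list: a handful of well-known kernel32/ntdll names, chosen
# because the article says the shellcode allocates memory, changes protection
# and adds a dynamic function table before calling DllRegisterServer.
SAMPLE_EXPORTS: List[str] = [
    "VirtualAlloc",
    "VirtualProtect",
    "LoadLibraryA",
    "GetProcAddress",
    "RtlAddFunctionTable",
    "CreateMutexW",
]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Constants as they would be copied out of a disassembly (here derived from
    # the placeholder hash so the demo is self-contained).
    seen_in_sample = [ror13_hash("VirtualProtect"), ror13_hash("RtlAddFunctionTable"), 0xDEADBEEF]
    for h, name in resolve_hashes(seen_in_sample, table).items():
        print(f"{h:#010x} -> {name or '<unknown>'}")
```

In practice the export list comes from the real DLLs on a reference system (every name in the export directory of kernel32.dll, ntdll.dll and so on), and the table is rebuilt whenever a sample turns out to use a different checksum routine. The collision check matters because a lookup table that silently overwrote entries would mislabel constants.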

The second-stage DLL embeds the core malware component, which is decrypted and executed to retrieve encrypted configuration data, including C&C server details and communication protocols, from the .bss section. 

After decryption, it calculates a system-specific checksum and creates a mutex to ensure single-instance execution. A new thread is spawned to handle C&C communication, enabling the malware to establish contact with its command-and-control infrastructure.

The malware builds a custom data structure containing the victim’s username checksum, bot ID, system information checksum, and file details (checksum, architecture, size). 

Figure: C&C communication

It prepends a random string, encrypts the structure with AES and encodes the result as Base64. Finally, it communicates with the C&C server “budalixt.top/index.html” using a predefined boundary string and an outdated User-Agent.

According to CRIL, the C&C server response, expected to deliver additional malware, couldn’t be retrieved due to server downtime, hindering further analysis of the attack chain. 

The Ursnif malware campaign leverages advanced techniques like dynamic API resolution and encrypted payloads to evade detection and establish stealthy C&C communication. 

It abuses legitimate tools like regsvr32, certutil, and mshta to execute malicious code. To mitigate risks, organizations should implement robust email filtering, EDR solutions, and least privilege policies.

Monitoring the activities of certutil and mshta, and employing behavior-based detection systems, can help identify and thwart these attacks.
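The infection chain described at the start of the article (LNK, certutil decoding an HTA, mshta launching it, regsvr32 registering a DLL) and the monitoring advice above translate into a process-tree rule: each living-off-the-land binary is suspicious on its own only in certain contexts, but the three appearing under one parent lineage is the signal. The following is an added example written for this article, not CRIL's detection content; the event records are constructed to resemble EDR process-creation telemetry, and the field names (`ts`, `pid`, `ppid`, `image`, `cmdline`) and the set of "user-writable" paths are assumptions.

```python
"""Process-tree detection for the certutil -> mshta -> regsvr32 chain.

Added example, not from the article. Event shape and path list are assumptions;
SAMPLE_EVENTS is constructed and includes benign noise to show the rules
do not fire on ordinary certutil/regsvr32 use.
"""
import re
from typing import Dict, List, Tuple

# Paths an unprivileged user can write to; a DLL or HTA run from here is unusual.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\", re.I
)

SAMPLE_EVENTS: List[Dict] = [
    {"ts": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 2, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\invoice.pdf.lnk"'},
    {"ts": 3, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\alice\AppData\Local\Temp\x.txt C:\Users\alice\AppData\Local\Temp\x.hta"},
    {"ts": 4, "pid": 400, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Users\alice\AppData\Local\Temp\x.hta"},
    {"ts": 5, "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\alice\AppData\Local\Temp\l.dll"},
    # Benign noise: certificate verification and a vendor DLL under Program Files.
    {"ts": 6, "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify C:\\certs\\corp.cer"},
    {"ts": 7, "pid": 700, "ppid": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\comp.dll"},
]


def rule_hits(ev: Dict) -> List[str]:
    """Per-event rules: each names one behaviour from the article's chain."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmdline = ev["cmdline"]
    hits = []
    if image == "certutil.exe" and re.search(r"-decode\b", cmdline, re.I):
        hits.append("certutil_decode")
    if image == "mshta.exe" and USER_WRITABLE.search(cmdline):
        hits.append("mshta_user_writable")
    if image == "regsvr32.exe" and USER_WRITABLE.search(cmdline):
        hits.append("regsvr32_user_writable")
    return hits


def ancestors(pid: int, parents: Dict[int, int]) -> List[int]:
    """Walk ppid links upward; stops at an unknown pid or a cycle."""
    chain, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        chain.append(pid)
    return chain


def detect(events: List[Dict]) -> Tuple[Dict[int, List[str]], List[Dict]]:
    """Return per-process hits and correlated chains.

    A chain is an mshta hit with a certutil -decode that is its sibling or
    ancestor, plus any regsvr32 hits that descend from that mshta.
    """
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = {e["pid"]: h for e in events if (h := rule_hits(e))}
    chains = []
    for m, mh in hits.items():
        if "mshta_user_writable" not in mh:
            continue
        anc = ancestors(m, parents)
        decoders = [c for c, ch in hits.items()
                    if "certutil_decode" in ch and (parents[c] == parents[m] or c in anc)]
        registrars = [r for r, rh in hits.items()
                      if "regsvr32_user_writable" in rh and m in ancestors(r, parents)]
        if decoders:
            chains.append({"certutil": decoders, "mshta": m, "regsvr32": registrars})
    return hits, chains


if __name__ == "__main__":
    per_process, chains = detect(SAMPLE_EVENTS)
    for pid, names in per_process.items():
        print(f"pid {pid}: {', '.join(names)}")
    for chain in chains:
        print("chain:", chain)
```

The correlation step is what keeps the false-positive rate tolerable: certutil decoding a file, or regsvr32 loading a DLL from a temp directory, each occur legitimately on some fleets, but a decode followed by mshta under the same parent and then regsvr32 under that mshta is the article's chain end to end. In a real pipeline the same rules would also key on the LNK in the parent command line and on the Windows Defender tampering the HTA performs, which this constructed sample does not include.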

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
