A recent malicious campaign leverages a deceptive LNK file disguised as a PDF within a ZIP archive. When executed, the LNK file triggers a series of actions: it uses certutil.exe to decode a malicious HTA file, which is then launched by mshta.exe.
The HTA file, while displaying a PDF lure, drops a malicious DLL that serves as a loader, which decrypts and executes shellcode, which in turn loads the final payload, the infamous Ursnif banking trojan connecting to C&C servers to steal sensitive information from the compromised system.
The attack begins with a disguised LNK file which, when opened, triggers a chain of events: it decodes and executes a malicious HTA file, which then fetches additional content from a remote server, including a lure PDF document to distract the user and a malicious DLL.
The HTA file disables Windows Defender, saves the malicious DLL, pads it with empty space, and registers it as a system component using regsvr32, potentially allowing for persistent and stealthy malicious activity.
The loader DLL accesses an encrypted resource named “FAMILY” within the executable and decrypts it with a hardcoded key, revealing two encrypted payloads. The first is shellcode that maps a second PE file into memory; the second is a DLL that acts as a loader for the core Ursnif module, connects to a C&C server, downloads additional modules, and steals sensitive information from the infected machine.
The shellcode resolves the Windows APIs it needs dynamically rather than by name: it computes checksums of hardcoded API names and compares them against checksums calculated over the names of the functions exported by the loaded DLLs.
Once a match is found, it uses the resolved APIs to allocate memory, copy the decrypted malicious DLL into it, change the memory protection, and register a dynamic function table. Finally, it calls the DLL’s `DllRegisterServer` export to continue the infection.
The second-stage DLL embeds the core malware component, which is decrypted and executed; the core then retrieves encrypted configuration data, including C&C server details and communication protocols, from its .bss section.
After decryption, it calculates a system-specific checksum and creates a mutex to ensure that only a single instance runs. A new thread is then spawned to handle communication with the command-and-control infrastructure.
The malware builds a custom data structure containing a checksum of the victim’s username, the bot ID, a checksum of system information, and file details (checksum, architecture, size).
It prepends a random string, encrypts the structure with AES, and Base64-encodes the result. Finally, it sends this to the C&C server “budalixt.top/index.html” using a predefined boundary string and an outdated User-Agent.
According to CRIL, the C&C server response, expected to deliver additional malware, couldn’t be retrieved due to server downtime, hindering further analysis of the attack chain.
The Ursnif malware campaign leverages advanced techniques like dynamic API resolution and encrypted payloads to evade detection and establish stealthy C&C communication.
It abuses legitimate tools such as regsvr32, certutil, and mshta to execute malicious code. To mitigate the risk, organizations should implement robust email filtering, EDR solutions, and least-privilege policies; monitoring certutil and mshta activity and employing behavior-based detection can further help identify and block these attacks.
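As an added illustration of the monitoring advice above (this is example code, not part of the CRIL report or the article), the following Python flags the chain the article describes, certutil decoding a file that mshta then opens, followed by mshta spawning regsvr32 to register a DLL from a user-writable path, over a few constructed process-creation events. The event fields (pid, ppid, image, cmd) and all paths are assumptions modelled loosely on Sysmon process-creation records.

```python
import re

# Constructed process-creation events (Sysmon-style fields, invented paths);
# event order is assumed to be chronological.
EVENTS = [
    {"pid": 100, "ppid": 50,  "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": 'cmd.exe /c "invoice.pdf.lnk"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\Users\u\AppData\Local\Temp\a.txt C:\Users\u\AppData\Local\Temp\a.hta"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta C:\Users\u\AppData\Local\Temp\a.hta"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Users\u\AppData\Roaming\x.dll"},
    # Benign certutil use: must not be flagged.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -hashfile C:\\tools\\setup.exe SHA256"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)

def suspicious(ev):
    """Return a rule name when a single event matches one of the article's indicators, else None."""
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmd"]
    if exe == "certutil.exe" and re.search(r"(?i)-decode\b", cmd):
        return "certutil_decode"
    if exe == "mshta.exe" and USER_WRITABLE.search(cmd):
        return "mshta_user_path"
    if exe == "regsvr32.exe" and USER_WRITABLE.search(cmd) and re.search(r"(?i)\.dll\b", cmd):
        return "regsvr32_user_dll"
    return None

def detect_chain(events):
    """Correlate single-event hits the way the reported chain runs:
    certutil writes X.hta, mshta opens X.hta, and a child of that mshta is regsvr32.
    Returns a list of (link, parent_pid, child_pid) tuples."""
    decoded = {}   # output path written by certutil -decode -> certutil pid
    hta_pids = {}  # mshta pid -> certutil pid that produced the file it opened
    chain = []
    for e in events:
        rule = suspicious(e)
        last_arg = e["cmd"].split()[-1].lower()
        if rule == "certutil_decode":
            decoded[last_arg] = e["pid"]
        elif rule == "mshta_user_path" and last_arg in decoded:
            hta_pids[e["pid"]] = decoded[last_arg]
            chain.append(("certutil->mshta", decoded[last_arg], e["pid"]))
        elif rule == "regsvr32_user_dll" and e["ppid"] in hta_pids:
            chain.append(("mshta->regsvr32", e["ppid"], e["pid"]))
    return chain
```

Single-event rules on their own produce noise (certutil and regsvr32 have legitimate uses); the correlation by decoded file path and parent process is what makes the alert specific to this chain.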