The Trojan Ursnif (also known as Gozi) is getting increasingly sophisticated, researchers at security company Bromium say, with their latest analysis showing the malware changing its delivery infrastructure as rapidly as every 12 hours, making it exceptionally hard for perimeter security controls that rely on a traditional detection-based techniques little time to block the download of the malware.
The credential-stealing Trojan is, alongside Emotet, one of the most pervasive and effective malware families. (Italian security firm Yoroi describes it as a “fork of the original Gozi-ISFB banking Trojan” the source code of which leaked in 2014.
Ursnif use weaponised Microsoft Office documents with a VBA macro embedded that act as a dropper, and multi-stage, highly obfuscated powershell scripts in order to hide the real payload. Ursnif also uses steganography to hide the malicious code.
Ursnif Evading “Malicious” Domain Classification by Moving Domains in Less than 12 Hours
The the report by Bromium says Ursnif’s operators are increasingly linking different techniques together to “effectively socially engineer targets, evade perimeter detection and bypass one of Windows Defender’s attack surface reduction rules” while using a rapidly shifting delivery infrastructure to evade detection.
The shift to a rapidly changing delivery infrastructure stands out: “Our research found that the average time from the registration of a domain used to host Ursnif executables to when a user first runs the corresponding Word dropper is less than 12 hours.”
Bromium noted: “The speed at which Ursnif’s operators can change its infrastructure gives web proxies and other perimeter security controls that rely on a traditional detection-based techniques little time to block the download of the malware. ”
“In one example, only one domain reputation service had classified the Ursnif delivery domain as malicious at the time when the Word dropper was run.”
The latest sample analysed by Bromium contains an obfuscated VBA AutoOpen macro, which runs each time the document is opened. The document uses the common trick of requesting the user to enable macros, if they are not already enabled.
“The macro runs a Base64 encoded PowerShell command using the Win32_Process and Win32_ProcessStartup WMI classes. The resulting PowerShell instance is run as a child process of WmiPrvSe.exe (WMI Provider Host). This benefits the adversary by defeating detection techniques that rely on parent-child process relationships because the parent process ID of the Ursnif executable will be the process ID of WmiPrvSe.exe.”
“In our testing on Windows 10 Enterprise 1809, we found that this technique is effective at bypassing the Windows Defender attack surface reduction rule that blocks Office applications from creating child processes. In some of the samples, this was used in conjunction with a COM technique that also spoofed the parent process ID of the Ursnif process”, Bromium’s Alex Holland wrote.
(The company noted that endpoints that are running Bromium Secure Platform are protected from this threat because each user task, such as opening an Office document or clicking a malicious link, is run in its own isolated micro-virtual machine.)