Summary:
The Ursnif malware campaign targets business professionals in the U.S. using a sophisticated multi-stage infection method. It begins with a malicious LNK file disguised as a PDF, which executes a series of payloads leading to the deployment of Ursnif, a banking trojan. This campaign highlights the advanced techniques employed by cybercriminals to evade detection and steal sensitive information.
#Ursnif #MaliciousCampaign #BusinessTarget
Keypoints:
- Cyble Research and Intelligence Labs identified a malicious campaign likely targeting business professionals in the U.S.
- The campaign uses a malicious LNK file disguised as a PDF, delivered via ZIP archives, potentially through spam emails.
- The LNK file runs certutil.exe to decode the next-stage HTA file, which is then launched through mshta.exe.
- The HTA file contains VBScript that extracts and executes a lure document and a malicious DLL file.
- The DLL acts as a loader, decrypting subsequent payloads and executing the Ursnif core component.
- The Ursnif malware establishes a connection with a C&C server to download additional modules for stealing sensitive information.
- The campaign employs advanced techniques to evade detection, including dynamic API resolution and encrypted payloads.
- Recommendations include exercising caution with email attachments and implementing advanced email filtering solutions.
MITRE Techniques:
- Phishing (T1566): Campaign likely reaches users through spam emails.
- Command and Scripting Interpreter: Windows Command Shell (T1059.003): Executes certutil.exe to decode the next stage payloads.
- Masquerading: Masquerade File Type (T1036.003): The .lnk file is named to appear as a PDF file to deceive users.
- System Binary Proxy Execution: Mshta (T1218.005): Abuse mshta.exe to proxy execution of the malicious HTA file.
- Deobfuscate/Decode Files or Information (T1140): certutil.exe decodes the HTA stage, and the DLL loader decrypts the subsequent payloads before executing the Ursnif core.
- Application Layer Protocol: Web Protocols (T1071.001): Sends HTTP POST requests to communicate with its C&C server.
- Exfiltration Over C2 Channel (T1041): System information and potentially other data are exfiltrated over the established C&C channel.
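The infection chain above (double-extension LNK, certutil decode, mshta launching the HTA, a loader DLL whose hash is known) maps cleanly onto a handful of process- and file-event rules. The following is an added example written for this page, not Cyble's detection content: it runs a few such rules over constructed Sysmon-style events (field names, paths, command lines and the benign event are all assumptions) and matches file hashes against the SHA-256 IoCs listed on this page. The masquerading rule generalizes beyond the .pdf.lnk case the report describes to other document extensions.

```python
"""Toy hunting pass for the Ursnif LNK -> certutil -> mshta -> DLL chain.

Added example, not the research team's code. SAMPLE_EVENTS is constructed
telemetry shaped like Sysmon process-creation / file-creation records; the
field names, file paths and command lines are assumptions for illustration.
"""
import re

# SHA-256 IoCs taken from the list on this page.
IOC_SHA256 = {
    "fdc240fb8f4a17e6a2b0d26635d8ab613db89135a5d95834c5a888423d2b1c82",  # ZIP
    "dd20336df4d95a3da83bcf7ef7dd5d5c89157a41b6db786c1401bf8e8009c8f2",  # LNK
    "13560a1661d2efa15e58e358f2cdefbacf2537cad493b7d090b5c284e9e58f78",  # HTA
    "aea3ffc86ca8e1f9c4f9f45cf337165c7d0593d4643ed9e489efdf4941a8c495",  # DLL
    "11a16f65bc93892eb674e05389f126eb10b8f5502998aa24b5c1984b415f9d18",  # similar LNK
    "468d7a8c161cb7408037797ea682f4be157be922c5f10a812c6c5932b4553c85",  # similar ZIP
}


def _base(path):
    """Lower-cased file name component of a Windows path ('' if missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def _text(e):
    """Strings worth inspecting for a file name: created file and command line."""
    return " ".join(filter(None, (e.get("target_filename"), e.get("cmdline"))))


# (rule name, predicate over one event dict). Technique IDs follow the page.
RULES = [
    ("T1036.003 LNK masquerading as document",
     lambda e: re.search(r"\.(?:pdf|docx?|xlsx?)\.lnk\b", _text(e), re.I) is not None),
    ("T1059.003 cmd.exe from explorer.exe invoking certutil/mshta",
     lambda e: _base(e.get("image", "")) == "cmd.exe"
     and _base(e.get("parent", "")) == "explorer.exe"
     and re.search(r"certutil|mshta", e.get("cmdline", ""), re.I) is not None),
    ("T1140 certutil -decode",
     lambda e: _base(e.get("image", "")) == "certutil.exe"
     and re.search(r"(?:^|\s)[-/]decode(?:hex)?\b", e.get("cmdline", ""), re.I) is not None),
    ("T1218.005 mshta.exe executing HTA/script",
     lambda e: _base(e.get("image", "")) == "mshta.exe"
     and re.search(r"\.hta\b|https?://|(?:java|vb)script:", e.get("cmdline", ""), re.I) is not None),
    ("IoC SHA-256 match",
     lambda e: e.get("sha256", "").lower() in IOC_SHA256),
]


def scan(events):
    """Return [(event_index, rule_name)] for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]


# Constructed events (assumed shapes, not real telemetry). Event 0 is benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" C:\Users\jdoe\Downloads\report.pdf',
     "sha256": "0" * 64},
    # ZIP extraction drops the LNK that pretends to be a PDF
    {"image": r"C:\Windows\explorer.exe",
     "target_filename": r"C:\Users\jdoe\Downloads\invoice.pdf.lnk"},
    # the LNK target: a cmd.exe one-liner that decodes the HTA and launches it
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c certutil -decode %TEMP%\blob.txt %TEMP%\x.hta & mshta %TEMP%\x.hta'},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -decode C:\Users\jdoe\AppData\Local\Temp\blob.txt C:\Users\jdoe\AppData\Local\Temp\x.hta"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mshta C:\Users\jdoe\AppData\Local\Temp\x.hta"},
    # a loaded module whose hash is the DLL IoC from this page
    {"image_loaded": r"C:\Users\jdoe\AppData\Local\Temp\payload.dll",
     "sha256": "aea3ffc86ca8e1f9c4f9f45cf337165c7d0593d4643ed9e489efdf4941a8c495"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately narrow (certutil must carry a decode switch, mshta must be handed an .hta path or a script/URL argument) so that routine certificate management or mshta use by installers does not fire; on real telemetry the cmd.exe-from-explorer rule is the noisiest of the set and is best treated as context for the other hits rather than an alert on its own.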
IoC:
- [SHA-256] fdc240fb8f4a17e6a2b0d26635d8ab613db89135a5d95834c5a888423d2b1c82 – Zip File
- [SHA-256] dd20336df4d95a3da83bcf7ef7dd5d5c89157a41b6db786c1401bf8e8009c8f2 – Malicious LNK file
- [SHA-256] 13560a1661d2efa15e58e358f2cdefbacf2537cad493b7d090b5c284e9e58f78 – HTA file
- [URL] hxxps://docusign-staples[.]com/api/key – Remote server
- [SHA-256] aea3ffc86ca8e1f9c4f9f45cf337165c7d0593d4643ed9e489efdf4941a8c495 – DLL file
- [URL] budalixt[.]top/index.html – C&C
- [SHA-256] 11a16f65bc93892eb674e05389f126eb10b8f5502998aa24b5c1984b415f9d18 – Similar LNK file
- [SHA-256] 468d7a8c161cb7408037797ea682f4be157be922c5f10a812c6c5932b4553c85 – Similar ZIP file
Full Research: https://cyble.com/blog/ursnif-trojan-hides-with-stealthy-tactics/