Research by: Assaf Dahan
In the past 24 hours, Cybereason Labs has detected a new wave of phishing emails targeting Japanese users. The emails are made to look as if they come from Japan Post (日本郵便). In reality, attackers crafted them to distribute malicious Word documents that infect users with the Ursnif banking Trojan, also known as Gozi.
While reports about this campaign have appeared in the Japanese media in the past week, we have come across payloads and techniques that differ slightly from what has already been reported. We also noticed that, at the time of analysis, the initial infection payloads were not detected by any of the antivirus engines on VirusTotal.
In this blog post, we’ll provide a step-by-step analysis of the malware distribution and infection phases as well as how it is detected by Cybereason.
Phase 1: The phishing email
The email, masquerading as a legitimate message about a package, states:
“We tried to reach you on the phone about Order #XXXXXXX but there seems to be an issue with the provided number. Please print the attached document and reach out to the nearest post office.”
The phishing email, purporting to come from Japan Post.
Phase 2: Malicious Word document
The phishing emails carry a malicious Word document with an embedded JSE (encoded JScript) file. The JSE file acts as a downloader that fetches the initial Ursnif binary from the attackers' download server.
Following is a screenshot of the Word document, retrieved from one of our customers' endpoints.
Doc name: 日本郵便追跡サービス_[RANDOM-NUMBER].docx (Japan Post Tracking Service_[RANDOM-NUMBER].docx)
We extracted the .JSE file, which is heavily obfuscated:
At the time of the infection, neither the Word file nor the JSE script was detected by any of the antivirus engines on VirusTotal:
VirusTotal results for the malicious Word document
VirusTotal results for the malicious downloader JSE script
It is interesting to see the ongoing trend away from macro-based downloaders and toward more obscure script types such as JSE, which is also used by many ransomware families. Note that the document here is a plain .docx with no macros at all, so controls that key on macro content have nothing to inspect. Since Office macros became one of the most popular infection methods, they are monitored more closely by security products and are relatively easy to detect with mail-filtering and antivirus solutions.
Cybereason downloader detection
Cybereason detects malicious downloaders based on their behavior, which lets us catch such payloads even when no antivirus vendor detects them.
Cybereason’s behavior-based detection
Phase 3: Fetching the Ursnif binary
The downloader script fetches the Trojan's binary from the distribution server and writes it to the %TEMP% folder as Majorka.exe (SHA-1: 5ca7d2902054f0272f01252b4b5f4163521fd86c).
Checking out the scene
The downloaded binary first runs a series of checks to make sure it is not being analyzed by security researchers, including checking whether it is running in a virtual machine. To do that, it looks for strings that identify virtualization products, such as VBox, Qemu, Vmware and Virtual HD, as shown below:
In addition, Ursnif will also collect initial system information, such as:
- System time
- OS version
- User and machine name
- Mapped drives
Persistence via Registry autoruns
Once the checks pass, the dropper unpacks a secondary binary (SHA-1: CA2CC7A954D989AD653559FCE6A7D1CF125282E2) into a newly created folder under %APPDATA%. It then creates a registry autorun key to achieve persistence:
Once this stage is complete, the originally downloaded file is deleted from disk by a batch file that was previously written to the %TEMP% folder:
Main payload file names: avicbrkr.exe, adprtext.exe
Phase 4: Hiding and establishing C&C connection
The Trojan attempts to hide inside a host process before engaging in malicious activity or even attempting to contact its command and control (C&C) server. By default, Ursnif tries to inject its core payload into explorer.exe; if that fails, it spawns an instance of svchost.exe and injects its code there. Ursnif uses quite a few process injection techniques to hide in the system and load additional modules, similar to what is seen in the Gozi-ISFB source code available on GitHub:
Cybereason can detect these code injection techniques used by Ursnif, as seen below:
Checking Internet connectivity
The connectivity checks are fairly extensive and are performed both from explorer.exe and by running nslookup.exe. The Trojan was observed contacting the following Internet services:
126.96.36.199.in-addr.arpa, curlmyip.net, resolver1.opendns.com, myip.opendns.com
Once Internet connectivity is verified and the external IP address is obtained, Ursnif communicates with its C&C servers, fetches its configuration and commences malicious activity.
The following screenshot shows the initial connection to the C&C server, where the malware sends user and computer data to its operators. The data is XOR'ed, base64 encoded and passed as part of the URL, which is crafted to look like a request for an image file (.jpeg):
Once Ursnif is running on the machine, it attempts to obtain sensitive data, especially banking and financial information, using various modules such as:
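The behaviours in Phases 3 and 4 (an autorun value pointing at a freshly dropped executable under %APPDATA%, a batch file in %TEMP% run by the very file that wrote it, svchost.exe started by explorer.exe rather than services.exe, and external-IP lookups from the shell process or from nslookup.exe) are exactly what a behaviour-based detection keys on. The following Python is an added example, not Cybereason's detection logic and not code from this post: it runs a few such rules over a constructed stream of Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue, 22 DNSEvent). The paths, the SID, the batch-file name and the event field layout are assumptions made for the demonstration.

```python
import re

# Constructed Sysmon-style events (dicts instead of XML) modelling the dropper
# behaviour described in the post. Paths, the SID and the .bat name are made up.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
DROPPER = TEMP + r"\Majorka.exe"
PAYLOAD = r"C:\Users\victim\AppData\Roaming\Ghjkl\avicbrkr.exe"

SAMPLE_EVENTS = [
    # EventID 13 (RegistryEvent SetValue): autorun value pointing at the payload.
    {"EventID": 13, "Image": DROPPER, "Details": PAYLOAD,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\avicbrkr"},
    # Benign autorun: an installer registering an updater under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "Details": r"C:\Program Files\Vendor\update.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate"},
    # EventID 11 (FileCreate) then EventID 1 (ProcessCreate): self-delete batch file.
    {"EventID": 11, "Image": DROPPER, "TargetFilename": TEMP + r"\4f2a.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": 'cmd.exe /c "' + TEMP + r'\4f2a.bat"'},
    # Fallback injection host: svchost.exe spawned by explorer.exe, not services.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    # EventID 22 (DNSEvent): connectivity and external-IP checks.
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "myip.opendns.com"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "126.96.36.199.in-addr.arpa"},
    {"EventID": 22, "Image": r"C:\Windows\System32\nslookup.exe", "QueryName": "curlmyip.net"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.jp"},
    # nslookup.exe launched straight from the shell process with an IP-discovery target.
    {"EventID": 1, "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "nslookup myip.opendns.com resolver1.opendns.com"},
]

IP_DISCOVERY_HOSTS = {"myip.opendns.com", "curlmyip.net", "resolver1.opendns.com"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) findings for an ordered stream of Sysmon-like events."""
    findings = []
    bat_writers = {}  # lower-cased .bat path -> image (basename) that wrote it
    for ev in events:
        eid, img = ev["EventID"], basename(ev.get("Image", ""))
        if eid == 13:
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
                findings.append(("run_key_user_writable", f"{img} -> {ev['Details']}"))
        elif eid == 11:
            name = ev["TargetFilename"].lower()
            if name.endswith(".bat") and USER_WRITABLE.search(name):
                bat_writers[name] = img
        elif eid == 1:
            parent, cmd = basename(ev.get("ParentImage", "")), ev.get("CommandLine", "").lower()
            if img == "cmd.exe":
                for bat, writer in bat_writers.items():
                    if bat in cmd and writer == parent:
                        findings.append(("temp_bat_run_by_creator", f"{parent} ran {bat}"))
            # services.exe is the expected parent of svchost.exe; anything else
            # deserves a look, though it is not proof of injection by itself.
            if img == "svchost.exe" and parent != "services.exe":
                findings.append(("svchost_unexpected_parent", f"parent={parent}"))
            # A user at a console runs nslookup under cmd.exe/powershell.exe, not
            # directly under explorer.exe; IP-discovery targets make it worse.
            if img == "nslookup.exe" and (parent == "explorer.exe" or any(h in cmd for h in IP_DISCOVERY_HOSTS)):
                findings.append(("nslookup_external_ip", cmd))
        elif eid == 22:
            q = ev["QueryName"].lower()
            if q in IP_DISCOVERY_HOSTS and img not in BROWSERS:
                findings.append(("dns_external_ip_lookup", f"{img} -> {q}"))
            elif q.endswith(".in-addr.arpa") and img == "explorer.exe":
                findings.append(("dns_reverse_lookup_from_shell", f"{img} -> {q}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

Run as-is, it prints seven findings for the constructed stream and none for the benign installer, the services.exe-parented svchost.exe or the browser lookup. The browser allowlist matters in practice: users do open curlmyip.net by hand, and a bare "anyone queried myip.opendns.com" rule will page you for it.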
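As an added example (neither code from this post nor from the malware), the following Python models the beacon URL scheme just described: key=value fields are XOR'ed with a key, base64 encoded and embedded in a path shaped like a JPEG request, alongside the decoder an analyst would write and a brute force for a one-byte XOR key. The key 0x5A, the field names, the /images/ prefix, the host c2.example and the use of URL-safe base64 are all assumptions; the post gives only the XOR-then-base64-in-a-jpeg-URL shape, not Ursnif's actual key or layout.

```python
import base64
import string

# Hypothetical values: the post describes only the shape (XOR -> base64 -> fake
# image URL); the real key, field names and path layout are not given there.
DEMO_KEY = bytes([0x5A])
DEMO_HOST = "c2.example"
# Bytes we expect in decoded key=value&key=value text; used to score key guesses.
ALLOWED = set((string.ascii_letters + string.digits + "=&.-_").encode())


def xor_bytes(data, key):
    """Repeating-key XOR; with a one-byte key this is plain single-byte XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_beacon_url(fields, key=DEMO_KEY, host=DEMO_HOST):
    """Encode fields the way the post describes and hide the blob in a .jpeg path."""
    plain = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
    blob = base64.urlsafe_b64encode(xor_bytes(plain, key)).decode().rstrip("=")
    return f"http://{host}/images/{blob}.jpeg"


def extract_blob(url):
    """Recover the raw XOR'ed bytes from the fake image path."""
    path = url.split("://", 1)[-1].split("/", 1)[1]
    if not (path.startswith("images/") and path.endswith(".jpeg")):
        raise ValueError("not a beacon-shaped path: " + path)
    blob = path[len("images/"):-len(".jpeg")]
    return base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))


def decode_beacon(url, key=DEMO_KEY):
    """Reverse build_beacon_url with a known key, returning the field dict."""
    text = xor_bytes(extract_blob(url), key).decode()
    return dict(kv.split("=", 1) for kv in text.split("&"))


def guess_single_byte_key(blob):
    """Brute-force a one-byte key: the candidate whose output looks most like
    key=value&key=value text wins. Ties keep the first (lowest) key."""
    best_key, best_score = 0, -1
    for k in range(256):
        score = sum(b in ALLOWED for b in xor_bytes(blob, bytes([k])))
        if score > best_score:
            best_key, best_score = k, score
    return best_key


if __name__ == "__main__":
    # Constructed victim data, not from a real infection.
    url = build_beacon_url({"user": "alice", "computer": "DESKTOP-1", "os": "6.1"})
    print(url)
    key = guess_single_byte_key(extract_blob(url))
    print(f"guessed key 0x{key:02X}:", decode_beacon(url, bytes([key])))
```

The scoring works because the plaintext alphabet is small and structured: any wrong key turns at least one of the separator characters into something outside the allowed set. If a real sample turns out to use a longer repeating key, the same scoring has to be run per key position (group the ciphertext bytes by index modulo the key length) rather than over the whole blob.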
- Keylogger (to record users’ keystrokes)
- Video and screen capturing
- Information stealer (browser passwords, browser history, email client credentials)
- Man-in-the-browser and web injects (banks, PayPal; configuration dependent)
- Tor client
- VNC client (remote administration)
Detailed information about the Trojan's various modules and capabilities can be found on GitHub.
Indicators of compromise
- Sender address: 日本郵便追跡サービス <magicmunke@mail[.]com>
- Downloaded dropper: Majorka.exe, SHA-1 5ca7d2902054f0272f01252b4b5f4163521fd86c
- Dropped secondary binary: SHA-1 CA2CC7A954D989AD653559FCE6A7D1CF125282E2 (file names avicbrkr.exe, adprtext.exe)
- Unpacked SHA-1: 88CEBD40E9D70A40152CACC5E181B09A03A766C3
- Unpacked payload: BB8BB880A9DF115D1F853E6BB494FDEDD6C0FEB8
- sil[.]company > 188.8.131.52
- Zhangtianli[.]com > 184.108.40.206
- buildindustryastana[.]com > 220.127.116.11
- [REDACTED].JP - compromised legitimate Japanese domain