Notable Elements of the Attack
- This new variant of the Ursnif Trojan attempts to steal cryptocurrency directly from the users’ digital wallet, possibly due to the hardening of banking website security.
- The malware’s use of language checks works as both a means of localization and a clever method of avoiding sandboxes and virtual machines.
- The Trojan looks for disk encryption software and attempts to extract keys in order to unencrypt files that the user may have tried to hide.
- This variant improves significantly on previous revisions with a new persistence mechanism, new stealing modules, and new cryptocurrency stealing modules.
- This variant further hides its execution by masquerading its main payload as a friendly image downloaded from a popular image site.
- This variant of Ursnif is highly localized to the Japanese market. It specifically checks location, language, and other settings to confirm the device is located in Japan. It is designed to circumvent PhishWall and Rapport, two security software products commonly used in Japan.
A New Variant of an Old Threat
The Ursnif trojan is one of the most prolific information stealing Trojans in the cybercrime landscape. Since its reappearance in early 2013, it has been constantly evolving. In 2015, its source code was leaked and made publicly available on Github, which led to further development of the code by different threat actors who improved it and added new features. Over the past few years, Japan has been among the top countries targeted by Ursnif’s operators.
The Cybereason research team observed a new campaign involving Ursnif in the beginning of 2019, attacking users in Japan across multiple customer environments. The team analyzed this newly discovered Ursnif variant, which comes with enhanced stealing modules focused on taking data from mail clients and email credentials stored in browsers.
The revamping and introduction of new mail stealer modules puts an emphasis on the risk that Trojans pose to enterprises if corporate accounts are compromised. With more and more banking customers shifting to mobile banking and the continuous hardening of financial systems, it is not surprising that trojans are beginning to focus more than ever before on harvesting other types of data that can also be monetized and exploited by the threat actors, including mail accounts, contents of email inboxes, and digital wallets.
Differences in the new Ursnif implementation:
- A new and improved persistence mechanism.
- New, updated information stealing modules, including ones to steal from cryptocurrency wallets and disk encryption software.
- An Anti-PhishWall module to counteract a Japanese security product.
Differences in the new Bebloh implementation:
- Modified code that confirms Japanese settings on the target machine.
- PowerShell commands that confirm Japanese language settings on the target machine.
- IP geolocation checks to confirm the target machine is located in Japan.
Join the SOC Talks to learn about how to detect malicious activity, hunt successfully in your environment, and respond proactively to damage.
Analyzing the Ursnif Trojan Attack
This attack begins with a weaponized Microsoft Office document attached to a phishing email. When a user opens the document, it executes embedded code that runs PowerShell commands. These PowerShell commands check to confirm that the target machine is located in Japan through multiple methods, including VBA country checks, language checks, and geo-IP location checks.
Interestingly, these language checks serve two purposes: both confirming the attack is targeting a Japanese user, and as a means of avoiding hazardous environments like virtual machines. Since most virtual machines run with the English language as default, a check that the language on the machine is Japanese is another indicator that the target is a legitimate environment.
Once it has confirmed the target machine is located in Japan, it downloads an image file. Embedded in the image is encrypted PowerShell code that, once decrypted, injects Bebloh into memory. From there, Bebloh (commonly seen as a trojan, but in this case used as a sophisticated downloader) downloads the Ursnif loader payload from the remote command and control server. The loader runs several tests to ensure it is not in a hostile environment, then injects Ursnif into the main explorer.exe process.
Ursnif uses a mechanism that creates its persistence at the last moment before the system shuts down. It collects information from the target machine using several different methods, including new mail stealing modules for Microsoft Outlook, Internet Explorer, and Mozilla Thunderbird.
This variant of Ursnif evades security products with an Anti-PhishWall module and Anti-Rapport module. Anti-Phishwall evades the Japanese security product PhishWall, and Anti-Rapport evades the endpoint protection product Rapport from IBM Trusteer.
Lastly, this variant has demonstrated two interesting capabilities: it attempts to steal cryptocurrency from a user’s wallet, and it checks and attempts to steal encryption keys from disk encryption software. The latter is fairly unique, and is used to decrypt any data that might otherwise be unavailable to Ursnif.
Consequences of the Ursnif Trojan for Individuals and Companies
Aside from the financial harm that can happen due to the theft of cryptocurrency, there’s a real danger in this variant’s new capabilities around email credential theft.
Email credentials can give an attacker access to user bank accounts, sensitive email correspondence, personal data, and more. This can have considerable consequences for the individual and business. Information stored on an employee laptop could include company R&D, company financial information, trade secrets, and other data the company does not want public.
Additionally, it could steal personal data, financial data, or personal messages about the individual. This can result in loss of money, damage to business and individual reputation, or loss of customer trust. Furthermore, the malware is able to unencrypt user data by stealing disk encryption software keys on the user’s machine, possibly gaining access to even more sensitive information.
The rise of highly localized malware, akin to some seen in our previous research, shows how attackers are becoming more daring and calculated with their approach. This malware runs several checks to ensure targets are located in Japan, and then exploits that fact to ensure maximum effect.
Traditional malware, like banking trojans, are always looking for the “path of least resistance”, to try and ensure the highest ROI for their effort. With the rise of mobile banking and the hardening of financial systems, attackers may find online banks a less attractive target. More banking trojans are now developing new capabilities beyond banking-targeted man-in-the-middle attacks like the one seen in this research.
This variant is outfitted with enhanced stealing modules that focus on gathering data from cryptocurrency wallets and stealing data from mail clients. While stealing email data is not a new premise, the introduction of mail stealing modules in this Trojan emphasizes the risk Trojans can pose to enterprises when corporate accounts are compromised.
It is interesting to see this variant attempting to steal encrypted data, which further demonstrates how attackers quickly, and continually evolve in response to more difficult targets.
This is yet another instance where an attack originates from a phishing campaign. The opportunity for phishing to result in a wide-spread, damaging attack is ever-present. Until we find a way to prevent human manipulation in phishing attacks, this will continue to be an effective attack vector.
This variant of the Ursnif Trojan was found in multiple customer environments. The Cybereason team was able to immediately detect the Trojan and the customer was able to remediate the issue. However, this may indicate that the attack is relatively wide-spread. We recommend reading the full research to learn more about the threat.