The Ursnif trojan is one of the most prolific information stealing Trojans in the cybercrime landscape. Since its reappearance in early 2013, it has been constantly evolving. In 2015, its source code was leaked and made publicly available on Github, which led to further development of the code by different threat actors who improved it and added new features. Over the past few years, Japan has been among the top countries targeted by Ursnif’s operators.
The Cybereason research team observed a new campaign involving Ursnif in the beginning of 2019, attacking users in Japan across multiple customer environments. The team analyzed this newly discovered Ursnif variant, which comes with enhanced stealing modules focused on taking data from mail clients and email credentials stored in browsers.
The revamping and introduction of new mail stealer modules puts an emphasis on the risk that Trojans pose to enterprises if corporate accounts are compromised. With more and more banking customers shifting to mobile banking and the continuous hardening of financial systems, it is not surprising that trojans are beginning to focus more than ever before on harvesting other types of data that can also be monetized and exploited by the threat actors, including mail accounts, contents of email inboxes, and digital wallets.
Join the SOC Talks to learn about how to detect malicious activity, hunt successfully in your environment, and respond proactively to damage.
This attack begins with a weaponized Microsoft Office document attached to a phishing email. When a user opens the document, it executes embedded code that runs PowerShell commands. These PowerShell commands check to confirm that the target machine is located in Japan through multiple methods, including VBA country checks, language checks, and geo-IP location checks.
Interestingly, these language checks serve two purposes: both confirming the attack is targeting a Japanese user, and as a means of avoiding hazardous environments like virtual machines. Since most virtual machines run with the English language as default, a check that the language on the machine is Japanese is another indicator that the target is a legitimate environment.
Once it has confirmed the target machine is located in Japan, it downloads an image file. Embedded in the image is encrypted PowerShell code that, once decrypted, injects Bebloh into memory. From there, Bebloh (commonly seen as a trojan, but in this case used as a sophisticated downloader) downloads the Ursnif loader payload from the remote command and control server. The loader runs several tests to ensure it is not in a hostile environment, then injects Ursnif into the main explorer.exe process.
Ursnif uses a mechanism that creates its persistence at the last moment before the system shuts down. It collects information from the target machine using several different methods, including new mail stealing modules for Microsoft Outlook, Internet Explorer, and Mozilla Thunderbird.
This variant of Ursnif evades security products with an Anti-PhishWall module and Anti-Rapport module. Anti-Phishwall evades the Japanese security product PhishWall, and Anti-Rapport evades the endpoint protection product Rapport from IBM Trusteer.
Lastly, this variant has demonstrated two interesting capabilities: it attempts to steal cryptocurrency from a user’s wallet, and it checks and attempts to steal encryption keys from disk encryption software. The latter is fairly unique, and is used to decrypt any data that might otherwise be unavailable to Ursnif.
Aside from the financial harm that can happen due to the theft of cryptocurrency, there’s a real danger in this variant’s new capabilities around email credential theft.
Email credentials can give an attacker access to user bank accounts, sensitive email correspondence, personal data, and more. This can have considerable consequences for the individual and business. Information stored on an employee laptop could include company R&D, company financial information, trade secrets, and other data the company does not want public.
Additionally, it could steal personal data, financial data, or personal messages about the individual. This can result in loss of money, damage to business and individual reputation, or loss of customer trust. Furthermore, the malware is able to unencrypt user data by stealing disk encryption software keys on the user’s machine, possibly gaining access to even more sensitive information.
The rise of highly localized malware, akin to some seen in our previous research, shows how attackers are becoming more daring and calculated with their approach. This malware runs several checks to ensure targets are located in Japan, and then exploits that fact to ensure maximum effect.
Traditional malware, like banking trojans, are always looking for the “path of least resistance”, to try and ensure the highest ROI for their effort. With the rise of mobile banking and the hardening of financial systems, attackers may find online banks a less attractive target. More banking trojans are now developing new capabilities beyond banking-targeted man-in-the-middle attacks like the one seen in this research.
This variant is outfitted with enhanced stealing modules that focus on gathering data from cryptocurrency wallets and stealing data from mail clients. While stealing email data is not a new premise, the introduction of mail stealing modules in this Trojan emphasizes the risk Trojans can pose to enterprises when corporate accounts are compromised.
It is interesting to see this variant attempting to steal encrypted data, which further demonstrates how attackers quickly, and continually evolve in response to more difficult targets.
This is yet another instance where an attack originates from a phishing campaign. The opportunity for phishing to result in a wide-spread, damaging attack is ever-present. Until we find a way to prevent human manipulation in phishing attacks, this will continue to be an effective attack vector.
This variant of the Ursnif Trojan was found in multiple customer environments. The Cybereason team was able to immediately detect the Trojan and the customer was able to remediate the issue. However, this may indicate that the attack is relatively wide-spread. We recommend reading the full research to learn more about the threat.