- Feb 4, 2016
In July 2017, security researchers spotted a new version of the prolific Ursnif banking trojan that comes with a clever trick to avoid sandboxes and automated virtual machines: it uses mouse movements to tell whether a real user is interacting with the computer.
The general idea is to detect whether the mouse cursor's position changes over time, something that does not happen in sandboxes and malware-analysis environments, where the cursor stays parked in the same spot for the entire scan and analysis run.
Ursnif has a history of clever tricks
We're used to these clever tricks from Ursnif. This banking trojan has been a breeding ground for new malware techniques.
For example, in the summer of 2016, Ursnif was one of the first banking trojans and malware families to consistently use the Tor network to hide its command and control (C&C) servers.
During the same summer, we've also seen Ursnif test and deploy other innovative anti-detection and VM-evasion techniques.
---------------------------------------------------------------------------------------------------------------
Checking file names - Files submitted for analysis are usually renamed to their MD5 or SHA256 hash, so the name consists only of hexadecimal characters (0123456789ABCDEFabcdef). If Ursnif found that the file it ran from had a name containing characters outside that set, such as "t," "R," or "#," it concluded it was running on a regular PC.
Checking the local PC for apps with graphical interfaces - VMs run a small number of processes, and especially very few with a graphical interface. If the Ursnif sample found fewer than 50 processes, it stopped execution, assuming it was inside a virtual machine (VM).
Checking the user's IP address - Ursnif would look up the computer's public IP address and compare it against a list of IP ranges assigned to security companies or data centers (where researchers rent their VMs).
Checking for recently opened files - Ursnif would count the number of recently opened files. On VMs this number is usually small, as there is no user performing regular tasks on the system.
--------------------------------------------------------------------------------------------------------------
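The mouse-movement check and the four older heuristics above are simple enough to reimplement as decision logic, which is useful both for understanding what the malware keys on and for testing whether a sandbox would pass. The following is an added example, not Ursnif's code or anything from the Forcepoint report; every OS probe is passed in as plain data or a callable so it runs offline, and the thresholds the article does not give (the recent-file count, the number of cursor polls, the digest-length refinement on the file-name check, and the IP ranges, which are documentation addresses) are assumptions:

```python
"""Ursnif-style sandbox heuristics rebuilt as testable decision logic.

Added example, not the malware's own code. OS probes are injected so the
checks run anywhere; thresholds not given in the article are assumptions.
"""
import ipaddress
import re
import time

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
# Assumption: also require a real digest length (MD5, SHA-1, SHA-256) so a
# short hex-looking name like "cafe.exe" does not trip the check.
HASH_LENGTHS = {32, 40, 64}


def file_name_looks_like_hash(path):
    """Check 1: sandboxes rename submissions to their hash, so the base name
    (extension stripped) is hex-only. Any other character means a real PC."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    return len(stem) in HASH_LENGTHS and bool(HEX_ONLY.match(stem))


def cursor_moved(samples):
    """Check 5 (the 2017 trick): samples is a list of (x, y) cursor positions
    polled over time. A user moves the mouse; an unattended sandbox does not."""
    return len(set(samples)) > 1


def sample_cursor(poll, count=5, interval=0.0):
    """Poll `poll()` -> (x, y) `count` times, `interval` seconds apart.
    Assumption: on a real Windows host `poll` would wrap user32.GetCursorPos
    via ctypes; here any callable works so the example runs offline."""
    samples = []
    for _ in range(count):
        samples.append(tuple(poll()))
        if interval:
            time.sleep(interval)
    return samples


def ip_in_analysis_networks(ip, networks):
    """Check 3: is the host's public IP inside a known analysis/datacenter range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def sandbox_indicators(*, file_path, process_count, ip, analysis_networks,
                       recent_file_count, cursor_samples,
                       min_processes=50, min_recent_files=10):
    """Return the list of heuristics that fired. Empty list = looks like a
    real user's PC. min_processes=50 is from the article; min_recent_files
    is an assumed value."""
    reasons = []
    if file_name_looks_like_hash(file_path):
        reasons.append("file named like a hash")
    if process_count < min_processes:            # check 2
        reasons.append("fewer than %d processes" % min_processes)
    if ip_in_analysis_networks(ip, analysis_networks):
        reasons.append("IP in analysis network")
    if recent_file_count < min_recent_files:      # check 4
        reasons.append("few recently opened files")
    if not cursor_moved(cursor_samples):
        reasons.append("cursor never moved")
    return reasons


# Constructed scenarios (not real telemetry). 203.0.113.0/24 is a
# documentation range standing in for a vendor/datacenter block.
ANALYSIS_NETS = ["203.0.113.0/24", "198.51.100.0/24"]

SANDBOX_RUN = dict(
    file_path="C:\\analysis\\" + "d41d8cd98f00b204e9800998ecf8427e" + ".exe",
    process_count=23, ip="203.0.113.7", analysis_networks=ANALYSIS_NETS,
    recent_file_count=0, cursor_samples=[(512, 384)] * 5)

# Same sandbox, but the harness now jiggles the mouse: only the 2017 check
# is defeated; the older four still give it away.
JIGGLING_SANDBOX_RUN = dict(SANDBOX_RUN,
                            cursor_samples=[(512, 384), (515, 386), (520, 390)])

USER_RUN = dict(
    file_path="C:\\Users\\bob\\Downloads\\Invoice_Report.exe",
    process_count=137, ip="192.0.2.44", analysis_networks=ANALYSIS_NETS,
    recent_file_count=42, cursor_samples=[(100, 200), (104, 203), (110, 210)])


if __name__ == "__main__":
    for name, run in (("sandbox", SANDBOX_RUN),
                      ("jiggling sandbox", JIGGLING_SANDBOX_RUN),
                      ("user", USER_RUN)):
        print(name, "->", sandbox_indicators(**run) or "looks like a real PC")
```

The practical takeaway for a sandbox operator is visible in the jiggling scenario: simulating mouse movement alone defeats only the newest check, so an analysis VM also needs a plausible file name, a realistic process and recent-document population, and egress from an address range the malware does not associate with security vendors.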
Ursnif deployed via three nested DLL files
According to Forcepoint, the company that analyzed this most recent campaign in a report, the crooks used three different documents, all carrying the same malicious macro script, to improve the chance that a target would open at least one of them and get infected.
Allowing the macro to run would download a DLL file, which decompressed into a second DLL, which in turn unpacked a third that installed the banking trojan.