LASER_oneXM

A new malware campaign spreading the Ursnif banking Trojan, which uses PowerShell to achieve fileless persistence and hide from anti-malware solutions, was detected by Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine.

Ursnif, which is also known as Gozi ISFB, is an offspring of the original Gozi banking Trojan, whose source code was leaked online in 2014 and on which many other banking Trojan strains, such as GozNym, were built.

Moreover, Ursnif is a continuously evolving Gozi variant which has regularly been updated with new capabilities over the years.
 

Wraith

Microsoft should take some steps to counter the abusive use of PowerShell and WScript by malware, since they are massively on the rise. Home users typically do not need them, and IMO these should come disabled, at least with the regular Home versions of Windows 10.
 

Andy Ful

Microsoft should take some steps to counter the abusive use of PowerShell and WScript by malware, since they are massively on the rise. Home users typically do not need them, and IMO these should come disabled, at least with the regular Home versions of Windows 10.
(y)(y):giggle:

Anyway, this malware can be blocked by disabling macros in MS Office. WD (tweaked) can block it via ASR. It will also be stopped when PowerShell is set to Constrained Language mode, which is done automatically when using built-in Windows security features (SRP default-deny, AppLocker, or Application Control). That can also be done via a properly configured SysHardener.
The malware can also be blocked by the OSArmor setting:
'Block execution PowerShell encoded commands'.
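As an added detection example (not part of this thread and not OSArmor's own code), the following Python implements the kind of check behind a rule such as 'Block execution PowerShell encoded commands': it finds the -EncodedCommand switch (or any of the prefixes powershell.exe accepts for it), decodes the UTF-16LE payload for analyst review, and notes whether the window was hidden. The command lines and the encoded payload are constructed here; the payload is a harmless Write-Host.

```python
"""Flag PowerShell command lines carrying -EncodedCommand and decode the payload."""
import base64
import binascii
import re
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
# plus the alias -ec, so a literal match on "-EncodedCommand" is not enough.
def _is_encoded_flag(token: str) -> bool:
    t = token.lstrip("-/").lower()
    return t == "ec" or (len(t) >= 1 and "encodedcommand".startswith(t))

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("-", "/")) and _is_encoded_flag(tok):
            blob = tokens[i + 1].strip("'\"")
            try:
                # PowerShell expects Base64 of UTF-16LE text; anything else is noise.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None

def scan(cmdlines: List[str]) -> List[dict]:
    """Return one finding per PowerShell command line that carries an encoded command."""
    hits = []
    for line in cmdlines:
        if "powershell" not in line.lower() and "pwsh" not in line.lower():
            continue
        script = decode_encoded_command(line)
        if script is None:
            continue
        hidden = re.search(r"-w(?:indowstyle)?\s+hidden", line, re.I) is not None
        hits.append({"cmdline": line, "decoded": script, "hidden_window": hidden})
    return hits

# Constructed samples (not from the thread). The payload is built here so the
# reader can see exactly what the detector decodes.
HARMLESS_SCRIPT = "Write-Host 'constructed sample'"
ENC = base64.b64encode(HARMLESS_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -W Hidden -enc " + ENC,
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",  # no encoded command
    "powershell.exe -e not_base64!!",  # flag present but payload is not valid Base64
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit)
```

Running the block prints a single finding for the first sample, with the decoded Write-Host and hidden_window set to True.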

Wraith

(y)(y):giggle:

Anyway, this malware can be blocked by disabling macros in MS Office. WD (tweaked) can block it via ASR. It will also be stopped when PowerShell is set to Constrained Language mode, which is done automatically when using built-in Windows security features (SRP default-deny, AppLocker, or Application Control). That can also be done via a properly configured SysHardener.
The malware can also be blocked by the OSArmor setting:
'Block execution PowerShell encoded commands'.
Can AppGuard and VoodooShield block this malware?
 

Andy Ful

Can you please help me to configure AppGuard to block these types of attacks? :notworthy:
I have the free edition of VoodooShield so I guess that it cannot be configured.
Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Look at the AppGuard log to see whether those rules block something safe.
You should also block opening shortcuts from the Download folder in all user profiles. (y)

Wraith

Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Look at the AppGuard log to see whether those rules block something safe.
You should also block opening shortcuts from the Download folder in all user profiles. (y)
Thanks a lot for your help, sir. :emoji_innocent:
 

yarr

I'm afraid my family's computer has been caught up by one of these. It was able to disable their antivirus, and by the time I was there to help, all kinds of weird stuff was happening. Any software I try to run side-loads a fake version of the tool. Someone also used remote control to make an admin account. I also found a bunch of suspicious DLLs on what looks like a partition they tried to hide. I honestly don't know where to start; the event log is full of audit logins and other suspicious activities. Their PCs are offline and this is still happening.

ticklemefeet

Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Look at the AppGuard log to see whether those rules block something safe.
You should also block opening shortcuts from the Download folder in all user profiles. (y)
Also make sure you untick PowerShell in Guarded Apps. And, as a reminder, all those entries you make to User Space must be set to Yes. (y)
 

Gandalf_The_Grey

I'm afraid my family's computer has been caught up by one of these. It was able to disable their antivirus, and by the time I was there to help, all kinds of weird stuff was happening. Any software I try to run side-loads a fake version of the tool. Someone also used remote control to make an admin account. I also found a bunch of suspicious DLLs on what looks like a partition they tried to hide. I honestly don't know where to start; the event log is full of audit logins and other suspicious activities. Their PCs are offline and this is still happening.
I hope they have backups? If not, you could use a Linux distro to copy documents etc. to a portable hard drive or USB stick.
Then reinstall Windows (preferably 10). Have a look at the advice of @Andy Ful in this thread to prevent this from happening again.
 

yarr

I hope they have backups? If not, you could use a Linux distro to copy documents etc. to a portable hard drive or USB stick.
Then reinstall Windows (preferably 10). Have a look at the advice of @Andy Ful in this thread to prevent this from happening again.
Unfortunately not, and it's still there after a format. I even used DBAN to nuke one of their HDs, so it could just be a fluke that it didn't work. I think it's some hidden partition or PXE, maybe in the RAM. I REALLY don't know at this point, but thank you for the advice.
 

Gandalf_The_Grey

Unfortunately not, and it's still there after a format. I even used DBAN to nuke one of their HDs, so it could just be a fluke that it didn't work. I think it's some hidden partition or PXE, maybe in the RAM. I REALLY don't know at this point, but thank you for the advice.
Okay, thanks. Then I think you should take @upnorth's advice and post in Malware Removal Assistance For Windows, or buy a new computer.
 

Solarquest

@yarr,
I agree, best is to post on

Did you do a full disk wipe or an individual partition wipe with DBAN? Apparently only a full disk wipe erases the MBR.
Did you check the router?
What AV/tools did you try to start and were blocked?
 

yarr

@yarr,
I agree, best is to post on

Did you do a full disk wipe or an individual partition wipe with DBAN? Apparently only a full disk wipe erases the MBR.
Did you check the router?
What AV/tools did you try to start and were blocked?
I don't know how to check the router. The model is ASUS GT-AC5300. As for the format, I just did the preset option; I've never used DBAN before. I was wrong about it being this virus, but I at least know now it's a "living off the land" type virus. There is definitely some form of Windows that preboots. I just started reading an article Andy Ful sent me, so hopefully that leads me in the right direction. If you know anything about how to check my router, could I PM you? I plan on posting to Malware Removal as well, but the hands-on part is important for me if I want to learn anything here. (I'm having to type from my phone right now because the ESET firewall is going crazy, sorry if I worded anything oddly. My autocorrect has a mind of its own.)