New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
A new malware campaign spreading the Ursnif banking Trojan using PowerShell to achieve fileless persistence to hide from anti-malware solutions was detected by Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine.

Ursnif, which is also known as Gozi ISFB, is an offspring of the original Gozi banking Trojan that got its source code leaked online during 2014 and on which a lot of other banking Trojan strains were built, such as GozNym.

Moreover, Ursnif is a continuously evolving Gozi variant which has regularly been updated with new capabilities over the years.
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
Microsoft should take some steps to counter the abusive use of powershell and wscript by malware since they are massively on the rise. Home users typically do not need them and imo these should come disabled at least with the regular home versions of Windows 10.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Microsoft should take some steps to counter the abusive use of powershell and wscript by malware since they are massively on the rise. Home users typically do not need them and imo these should come disabled at least with the regular home versions of Windows 10.
(y)(y):giggle:

Anyway, this malware can be blocked by disabling macros in MS Office. WD (tweaked) can block it via ASR. It will be stopped, too, when PowerShell is set to Constrained Language mode, which is done automatically when using built-in Windows security features (SRP default-deny, AppLocker, or Application Control). That can also be done via a properly configured SysHardener.
The malware can also be blocked by the OSArmor setting:
'Block execution PowerShell encoded commands'.
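As an added illustration of the three controls named above (example code written for this thread, not from Andy Ful or from any tool he mentions): a PowerShell audit that reports the current language mode, the Word macro setting, and the state of two Defender ASR rules. It assumes Office 16.0 registry paths, Microsoft's published ASR rule GUIDs, an active Microsoft Defender Antivirus, and an elevated PowerShell session.

```powershell
# Added example, not from the thread. Assumes Windows 10, Defender AV active,
# Office 16.0 (2016/365) registry layout, and an elevated PowerShell session.

function Get-PSLanguageMode {
    # "ConstrainedLanguage" is what SRP default-deny, AppLocker and WDAC enforce.
    "$($ExecutionContext.SessionState.LanguageMode)"
}

function Get-AsrRuleState {
    param([string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ($actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                default { return "Unknown ($($actions[$i]))" }
            }
        }
    }
    return 'Not configured'
}

function Get-OfficeMacroPolicy {
    param([string]$App = 'Word')
    # VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # A value under Software\Policies (Group Policy) overrides the user setting.
    foreach ($root in 'HKCU:\Software\Policies\Microsoft\Office\16.0',
                      'HKCU:\Software\Microsoft\Office\16.0') {
        $key = Join-Path $root "$App\Security"
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { return $v }
    }
    return $null   # not set anywhere: Office default (2) applies
}

# Published Microsoft ASR rule IDs (assumption: unchanged on the audited build).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

Write-Output ("PowerShell language mode : {0}" -f (Get-PSLanguageMode))
Write-Output ("Word VBAWarnings         : {0}" -f (Get-OfficeMacroPolicy -App 'Word'))
foreach ($id in $asrRules.Keys) {
    Write-Output ("ASR '{0}' : {1}" -f $asrRules[$id], (Get-AsrRuleState -RuleId $id))
}
```

A reading of "FullLanguage", a VBAWarnings of 1 or $null, or an ASR state other than "Block" marks a control from the post that is not yet in place.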
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
(y)(y):giggle:

Anyway, this malware can be blocked by disabling macros in MS Office. WD (tweaked) can block it via ASR. It will be stopped, too, when PowerShell is set to Constrained Language mode, which is done automatically when using built-in Windows security features (SRP default-deny, AppLocker, or Application Control). That can also be done via a properly configured SysHardener.
The malware can also be blocked by the OSArmor setting:
'Block execution PowerShell encoded commands'.
Can AppGuard and VoodooShield block this malware?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Can you please help me to configure AppGuard to block these types of attacks? :notworthy:
I have the free edition of VoodooShield so I guess that it cannot be configured.
Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Check the AppGuard log to make sure those rules do not block something safe.
You should also block opening shortcuts from the Download folder in all user profiles. (y)
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Check the AppGuard log to make sure those rules do not block something safe.
You should also block opening shortcuts from the Download folder in all user profiles. (y)
Thanks a lot sir for your help sir. :emoji_innocent:
 

yarr

Level 2
Verified
Jul 5, 2018
52
I'm afraid my family's computer has been caught up by one of these. It was able to disable their antivirus, and by the time I was there to help, all kinds of weird stuff was happening. Any software I try to run side-loads with a fake version of the tool. Someone also used remote control to make an admin account. I also found a bunch of suspicious DLLs on what looks like a partition they tried to hide. I honestly don't know where to start; the event log is full of audit logins and other suspicious activities. Their PCs are offline and this is still happening.
 

ForgottenSeer 69673

Add bitsadmin.exe and the interpreters from the C:\Windows folder (and subfolders) to the User Space:
c:\Windows\*\bitsadmin.exe
c:\Windows\*\powershell.exe
c:\Windows\*\powershell_ise.exe
c:\Windows\*\wscript.exe
c:\Windows\*\cscript.exe
c:\Windows\*\mshta.exe
c:\Windows\*\hh.exe
c:\Windows\*\wmic.exe
c:\Windows\*\scrcons.exe
Check the AppGuard log to make sure those rules do not block something safe.
You should also block opening shortcuts from the Download folder in all user profiles. (y)

Also make sure you untick PowerShell in Guarded Apps. And all those entries you make to User Space must be set to Yes, as a reminder. (y)
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
I'm afraid my family's computer has been caught up by one of these. It was able to disable their antivirus, and by the time I was there to help, all kinds of weird stuff was happening. Any software I try to run side-loads with a fake version of the tool. Someone also used remote control to make an admin account. I also found a bunch of suspicious DLLs on what looks like a partition they tried to hide. I honestly don't know where to start; the event log is full of audit logins and other suspicious activities. Their PCs are offline and this is still happening.
I hope they have backups? If not, you could use a Linux distro to copy documents etc. to a portable hard drive or USB stick.
Then reinstall Windows (preferably 10). Have a look at the advice of @Andy Ful in this thread to prevent this from happening again.
 

yarr

Level 2
Verified
Jul 5, 2018
52
I hope they have backups? If not, you could use a Linux distro to copy documents etc. to a portable hard drive or USB stick.
Then reinstall Windows (preferably 10). Have a look at the advice of @Andy Ful in this thread to prevent this from happening again.
Unfortunately not, and it's still there after a format. I even used DBAN to nuke one of their HDs, so it could just be a fluke that it didn't work. I think it's some hidden partition or PXE, maybe in the RAM. I REALLY don't know at this point, but thank you for the advice.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Unfortunately not, and it's still there after a format. I even used DBAN to nuke one of their HDs, so it could just be a fluke that it didn't work. I think it's some hidden partition or PXE, maybe in the RAM. I REALLY don't know at this point, but thank you for the advice.
Okay, thanks. Then I think you should take @upnorth's advice and post in Malware Removal Assistance For Windows, or buy a new computer.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
@yarr,
I agree, best is to post on

Did you do a full-disk wipe or an individual partition wipe with DBAN? Apparently only a full-disk wipe erases the MBR.
Did you check the router?
What AV/tools did you try to start and were blocked?
 

yarr

Level 2
Verified
Jul 5, 2018
52
@yarr,
I agree, best is to post on

Did you do a full-disk wipe or an individual partition wipe with DBAN? Apparently only a full-disk wipe erases the MBR.
Did you check the router?
What AV/tools did you try to start and were blocked?
I don't know how to check the router. The model is ASUS GT-AC5300. As for the format, I just did the preset option; I've never used DBAN before. I was wrong about it being this virus, but I at least know now it's a "living off the land" type virus. There is definitely some form of Windows that preboots. I just started reading an article Andy Ful sent me, so hopefully that leads me in the right direction. If you know anything about how to check my router, could I PM you? I plan on posting to Malware Removal as well, but the hands-on part is important for me if I want to learn anything here. (I'm having to type from my phone right now because the ESET firewall is going crazy; sorry if I worded anything oddly. My autocorrect has a mind of its own.)
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
Also make sure you untick PowerShell in Guarded Apps. And all those entries you make to User Space must be set to Yes, as a reminder. (y)
Won't unticking powershell in guarded apps disable Appguard's protection for Powershell?
 