Ursnif Trojan Adopts New Code Injection Technique

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Hackers are testing a new variation of the Ursnif Trojan aimed at Australian bank customers that utilizes novel code injection techniques.

Since the summer of 2017, IBM X-Force researchers report that Ursnif (or Gozi) samples have been tested in wild by a new malware developer. The samples are a noteworthy upgrade from previous versions.

“This finding is significant because it suggests that a new group has joined the cybercrime arena and is specifically operating in Australia, where malware gangs such as TrickBot and Dridex already have a firm foothold,” wrote Limor Kessem, executive security adviser with IBM Security in a technical analysis of the Ursnif Trojan sample.

Most notable to this variant are modifications to the code injection techniques and attack strategies, Kessem said.
“In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information without tripping the bank’s fraud detection mechanisms,” she wrote.

Separately, researchers at FireEye noted, in research posted last week, they also have been tracking the same new Ursnif variant.

FireEye also noted the variant’s novel use of a malicious Transport Layer Security (TLS) callback techniques to achieve process injection.

“We recently came across a Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting to child process. Though many of the malware binaries (or their packers) use some variation of GetThreadContext/SetThreadContext or CreateRemoteThread Windows API functions to change the entry point of the remote process during injection, this sample (and the related cluster) is using a relatively lesser-known stealth technique,” wrote Abhay Vaish and Sandor Nemes with FireEye’s Threat Research team.

For years, Ursnif has targeted Japan along with North America, Europe and Australia. Ursnif is a widespread threat that was discovered in 2007. Original targets were online banking wire systems in English-speaking countries. That changed in 2010, when source code for the Trojan was accidentally leaked. That lead to the development of Ursnif v2 that adopted web-injection techniques and also leverages a hidden virtual network computing feature.

In its recent campaigns targeting Australian bank customers, Ursnif has been using malspam to reach its victims. That has included emails with fake supply orders that lure recipients to follow links to electrically sign and review documents.



“After clicking on the “REVIEW DOCUMENT” button, the malware downloads a ZIP file named YourMYOBSupply_Order.zip,” FireEye describes. “The ZIP file contains a malicious JavaScript file that, when executed, will download and execute the Ursnif/Gozi-ISFB payload.”

Both FireEye and X-Force said that this latest sample indicates a more sophisticated malware author has improved the v3 Ursnif code to be stealthier and evade malware signature detection.

Between 2016 through 2017, X-Force said Ursnif (or Gozi) has been a top player when it comes to code evolution and attack volumes.

In October, attackers behind Ursnif made Japan one of their top targets. In those campaigns, authors behind Ursnif didn’t just target banks, but also credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.
 
D

Deleted member 65228

Web Injects has been around for years, and the remote thread creation/thread hijacking techniques mentioned in the report have been known for so many years (10+)!

Web Injects is very similar to form-grabbing however the difference is that it intercepts after the SSL requests have been performed, as opposed to a form-grabber which will intercept before the web requests have been completed. It is performed after malicious code is executing under the context of the target browser process(es), where this malicious code will redirect execution to various SSL routines by either byte-patching the instructions in memory for the target routines, or byte-patching the Import Address Table/Export Address Table which hold the addresses for the SSL functions (returns the address of the malicious routine instead of the original routine -> the malicious routine redirects to the original routine after logging down all the data which was being sent to the original routine).

Banking malware like Kronos had Web Inject functionality whereas Zeus and Carberp relied on average form-grabbing techniques. Both of which in this context were performed after compromising the browser processes memory. :(
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top