Malware News Ursnif Trojan Uses New Malicious Macro Tactics

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
Recently observed distribution campaigns featuring the Ursnif banking Trojan were using new malicious macro tactics for payload delivery, Trend Micro has discovered.

Malicious macros have been used for over a decade for malware distribution, and have become highly popular among cybercriminals over the past several years, despite Microsoft’s efforts to block them. They are used to drop all types of malware, including banking malware, ransomware, spyware, and backdoors.

The normal infection chain when malicious macros are used involves tricking the victim into enabling the macro in the document received via spam email. Next, malicious code (usually PowerShell) is executed to download and run the final payload.

The effectiveness of macros as a delivery method inspires miscreants to continue to use the technique and improve it, in an attempt to evade detection and hinder analysis. Ursnif’s operators have already shown a focus on evading sandbox detection, and recently adopted checks that allow them to do so.

One employed tactic is the use of AutoClose, which can run the PowerShell script after the document was closed, thus preventing detection that focuses on analyzing the macro itself. The method is easy to implement and Trend Micro says it is becoming a common feature in many malicious macros.

“After coercing the victim to enable macros, the macro waits for the would-be victim to close the document and only then will PowerShell execute. Sandbox detections might miss the malicious behavior since the malicious routines will only run after the document is closed,” the researchers say.

Another detection evasion technique involves enumeration variables, which allow attackers to check the Office version by comparing them to certain values, given that some of these variables are only present in later versions of Microsoft Office. One specific enumeration variable allows attackers to detect Office 2007, which is commonly used in sandboxes for automated analysis. Thus, if Office 2007 is detected, the macro won’t deploy.

Another sandbox evasion tactic involves the use of a filename check in the macro. This method is meant to counter sandboxes where the file is renamed to its MD5, SHA-1, or SHA-256 equivalent. Thus, if the script detects a long filename, the macro won’t execute the malicious routines.

The one thing that these samples had in common was the use of PowerShell scripts to download and execute the final payload. In all cases, that was a variant of the Ursnif Trojan, but other malware could also use them, the researchers admit.

“However, these are not unique to one malware; it is possible that others may be downloaded. As malware and their delivery methods continue to evolve, security must be updated as well. Users need to be protected with the latest solutions that can combat new and evolving threats,” Trend Micro concludes.
 

vemn

Level 6
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
I think I'd seen this in one of the recent submitted samples in the forum. ><
 
  • Like
Reactions: XhenEd

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top