Repurposed malware features enhanced stealer modules and stealthy persistence mechanism

An enhanced version of the Ursnif banking trojan is being used in an ongoing campaign to steal Japanese users’ banking details, endpoint protection firm Cybereason warns.

Since its source code was made publicly available on GitHub back in 2015, Ursnif (also known as Gozi ISFB) has been modified for use by multiple hacking groups.

Last year, security companies started reporting attacks involving the Dreambot variant of Ursnif, which was infecting Windows machines via phishing emails.

In this campaign, malicious Office documents were found to contain the Bebloh trojan, which would act as a downloader for Ursnif after carrying out system checks.

Now, 12 months after reports of Ursnif/Bebloh attacks started to surface, Cybereason has discovered a new, as-yet-unnamed variant of the banking trojan – one which comes with enhanced stealing modules and a stealthy persistence mechanism.

Paranoid PowerShell

Since the start of 2019, Cybereason researchers have been observing a campaign that’s said to be specifically targeting Japanese users.

As with previous campaigns, this latest attack starts with a weaponized Office document attached to a phishing email. The malicious document asks the user to enable macros, which will check to see if the target PC has Japanese country settings.

Once the macro code has confirmed that the machine is Japanese, it decrypts a PowerShell payload that is embedded in an image and executes Bebloh in memory, Cybereason said in a threat report published on Tuesday.

In turn, Bebloh will download the Ursnif loader from the attackers’ command and control server.
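As an added, illustrative defender-side check for the first hop of the chain described above (an Office macro launching a hidden, in-memory PowerShell stage), the Python below is not from Cybereason's report or from any Ursnif code; the process-creation events, field names and command lines are constructed samples.

```python
"""Flag PowerShell processes whose parent is an Office application.

Added example, not from the original article. The events below are
constructed Sysmon-style process-creation records (pid, ppid, image,
cmdline), not real telemetry.
"""
import re

# Constructed sample events: one benign PowerShell run, one that matches
# the Office -> PowerShell pattern the campaign relies on.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 202, "ppid": 101, "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docm"},
    {"pid": 303, "ppid": 202, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc Q09OU1RSVUNURUQ="},
    {"pid": 404, "ppid": 101, "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Flags that commonly accompany a decrypted payload being run in memory
# without a visible window. Matched case-insensitively.
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:enc(?:odedcommand)?|w(?:indowstyle)? hidden|nop|noprofile)\b",
    re.IGNORECASE,
)


def find_office_spawned_powershell(events):
    """Return one finding per PowerShell child of an Office parent."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if event["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(event["ppid"])
        if parent is None or parent["image"].lower() not in OFFICE_APPS:
            continue
        flags = sorted({m.lower() for m in SUSPICIOUS_FLAGS.findall(event["cmdline"])})
        findings.append({"pid": event["pid"], "parent": parent["image"],
                         "flags": flags,
                         "severity": "high" if len(flags) >= 2 else "medium"})
    return findings


if __name__ == "__main__":
    for finding in find_office_spawned_powershell(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events, only pid 303 is reported, with the hidden-window, no-profile and encoded-command flags noted; the scheduled backup script spawned from explorer.exe is left alone.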

According to Assaf Dahan, senior director of threat hunting at Cybereason, although the newly observed Ursnif variant bears “great resemblance” to the Dreambot variant, it includes numerous new or revamped features, including:

  • A new persistence mechanism (last minute persistence that resembles Dridex’s persistence)
  • Revamped stealer modules (IE Stealer, Outlook Stealer, Thunderbird Stealer)
  • A cryptocurrency theft and disk encryption software module
  • An anti-PhishWall module to counteract PhishWall, a Japanese security product

Taken together, these improvements result in a particularly troublesome piece of banking malware that’s both stealthy and persistent.

Discussing the impact of this latest Ursnif campaign, Dahan told The Daily Swig: “Tens of thousands of users are being targeted by the criminal actors on a monthly basis across Japan.

“Banks should be using enterprise-grade behavioral detection products that catch these types of campaigns early and help to prevent data theft.

“We believe that the tables can be turned on adversaries and cybercrime will become unprofitable if companies go on the offensive and constantly hunt for threats in their networks.”
