Dissecting the latest Ursnif DHL-Themed Campaign

12/04/2018

Introduction

In the last weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. In fact, Yoroi-Cybaze ZLAB isolated several malicious emails having the following content:

Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
Attachment: “GR930495-30495.zip”

The content of the attachment is a .js file and when it is launched, starts the infection by downloading other components from the Internet.

The Dropper

The initial dropper is an obfuscated javascript. Once run, it generates a lot of noisy internet traffic with the purpose to harden the detection of the real malicious infrastructures; as we can see from the following figures, the script contains a series of random-looking URLs it unsuccessfully tries to connect to, generating a huge volume of noise into the analysis environment.

Figure 1: Hard coded urls where the malware tries to connect to generate noise

Figure 2: Generated internet traffic noise

However, the real malicious action performed by the javascript is to create a batch file in the “%APPDATA%\Roaming\325623802.bat” path. The file is a simple script file containing the following code:

Figure 3: Extracted batch file

The script execution pops up to the screen a harmless “FedEx” brochure in pdf format used to decoy the victim, in the meanwhile it downloads and extract a PE32 executable file from a CAB archive hosted on a compromised Chinese website.

Figure 4: PDF downloaded to the internet and shown to the user

The second stage

The second stage of the infection chain is the “ppc.cab” file downloaded by the dropper to the “%APPDATA%\Roaming” location: it actually is a Microsoft Cabinet archive embedding an executable file named “puk.exe”.
The “puk.exe” file promptly spawns a new copy of its own process to make the debugging harder, then it starts several instance of the Internet Explorer process to hide its network activity inside legitimate processes.

Figure 5: spawned processes by the original “puk.exe”

The network traffic generated by the iexplore.exe processes points to the remote destination 149.129.129.1 (ALICLOUD-IN) and 47.74.131.146 (AL-3), part of the malicious infrastructure of the attacker.

Figure 6: C2 network traffic

The beaconing pattern recognized in the C2 communication is consistent with Gozi/Ursnif/IFSB/Dreambot malware variants. In addition, the particular “/wpapi/” base url adopted by the sample matches several malspam campaign tracked during the current year (rif EW. N070618, N030618, N010318).

Figure 7: Malware’s beaconing requests

Persistency

The third stage of the malware is designed to ensure its persistency into the infected system in the long run. It sets up a particular registry key containing chunks of binary data: “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6”

Figure 9: Registry key written by the malware

Among the registry key shown above there is an entry named “ddraxpps”: this particular name has been also used into persistency mechanism of other Ursnif samples analyzed back in January. Also, the malware configures a key named “comuroxy” containing a wmic “process call create” command designed to invoke powershell code from the “ddraxpps” entry: C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6').ddraxpps))".

The “ddraxpps” registry key stores a hex string could be decoded applying a simple hex-to-ascii conversion, its content actually is the following obfuscated powershell code:

Figure 10: body of “ddraxpps” key

The first line of code shows a set of commands allowing the execution of some kind of payload encoded in decimal format. The array of numbers in at line two represents the actual executable payload in decimal notation.

$sagsfg="qmd";function ndltwntg{$sxpjuhsps=[System.Convert]::FromBase64String($args[0]);[System.Text.Encoding]::ASCII.GetString($sxpjuhsps);};

The third line, instead, contains a base64 encoded powershell snippet revealing the usage of a known payload injection technique: the “APC injection” or “AtomBombing”, used to infect the “iexplore.exe” process.

Figure 11: Commands of the third row of “ddraxpps” key

All the commands shown in Figure 11 are necessary to perform the operation of APC Injection: in the first variable “$jtwhasq” there is the import of the necessary library “kernel32.dll”, in particular the functions “GetCurrentProcess()” and “VirtualAllocEx()”. The second row provides the importing of of the functions “GetCurrentThreadId()”, “QueueUserAPC()”, “OpenThread()”. The third contains the real injection: while the first two lines contains the preparation of all imports, functions and relative parameters, the third one is the responsible of the execution of the actual APC Injection technique. The first step is to properly create a Virtual Section using the “VirtualAllocEx()” function of the current process, identified thanks to “GetCurrentProcess()”. The malware is then copied to the virtual section and, finally, this section is injected in a local thread within the "iexplore.exe" process thanks to the “QueueUserAPC()” function.

Conclusion

In the end, the whole infection chain could be summarized in four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through the registry key installed and the checking and the download of the Ursnif modules.

Figure 12. Representation of the infection chain

Indicator of Compromise (IoC)

Here the list of indicator of compromise collected during the analysis:

- Dropurl:
  - hxxp:// groupschina.]com/tss/ppc.cab

- C2:
  - - 149.129.129.1
  - - 47.74.131.146
  - - 176.9.118.142
  - - grwdesign[.com
  - - rest.relonter[.at
  - - web2003.uni[.net
  - - web2341.uni5[.net
  - - in.ledalco[.at
  - - int.nokoguard[.at
  - - io.ledalco[.at
  - - rest.relonter[.at
  - - apt.melotor[.at
  - torafy[.cn

Hash:
- - 81798ea125359ca4e618a5619cd856f95f3fb809f5f3022a42563bd3b627f2ca puk.exe
- - 076a2fea06c3605927bd0d3acc4ed11db3c36a829aced06081c2e3ac9971f347 35623802.bat
- f2cd58860b6085b63634980a641ebcd9b4148982d681cad88f00b08b341c7bc1 ppc.cab

Yara rule

rule puk {
meta:
  description = "Yara rule for puk file"
  author = "Yoroi - ZLab"
  last_updated = "2018-11-21"
  tlp = "white"
  category = "informational"
strings:
$a = { A5 66 A5 8D 95 DC FE FF FF 52 8D 85 B4 FE FF FF } 
$b = { 2B 8D 18 FF FF FF 2B 4D }
condition:
all of them
}

This blog post was authored by Martire Luigi, Antonio Pirozzi, Luca Mella of Cybaze-Yoroi Z-LAB

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_gat_gtag_UA_209986505_1	1 minute	Set by Google to distinguish users.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.