Dissecting the latest Ursnif DHL-Themed Campaign

Introduction

In the last weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. In fact, Yoroi-Cybaze ZLAB isolated several malicious emails having the following content:

  • Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
  • Attachment: “GR930495-30495.zip” 

The content of the attachment is a .js file and when it is launched, starts the infection by downloading other components from the Internet.

The Dropper

The initial dropper is an obfuscated javascript. Once run, it generates a lot of noisy internet traffic with the purpose to harden the detection of the real malicious infrastructures; as we can see from the following figures, the script contains a series of random-looking URLs it unsuccessfully tries to connect to, generating a huge volume of noise into the analysis environment.

Figure 1: Hard coded urls where the malware tries to connect to generate noise

Figure 2: Generated internet traffic noise

However, the real malicious action performed by the javascript is to create a batch file in the “%APPDATA%\Roaming\325623802.bat” path. The file is a simple script file containing the following code:

Figure 3: Extracted batch file

The script execution pops up to the screen a harmless “FedEx” brochure in pdf format used to decoy the  victim, in the meanwhile it downloads and extract a PE32 executable file from a CAB archive hosted on a compromised Chinese website.

Figure 4: PDF downloaded to the internet and shown to the user

The second stage

The second stage of the infection chain is the “ppc.cab” file downloaded by the dropper to the “%APPDATA%\Roaming” location: it actually is a Microsoft Cabinet archive embedding an executable file named “puk.exe”.
The “puk.exe” file promptly spawns a new copy of its own process to make the debugging harder, then it starts several instance of the Internet Explorer process to hide its network activity inside legitimate processes.

Figure 5: spawned processes by the original “puk.exe”

The network traffic generated by the iexplore.exe processes points to the remote destination 149.129.129.1 (ALICLOUD-IN) and 47.74.131.146 (AL-3), part of the malicious infrastructure of the attacker.  


Figure 6: C2 network traffic

The beaconing pattern recognized in the C2 communication is consistent with Gozi/Ursnif/IFSB/Dreambot malware variants. In addition, the particular “/wpapi/” base url adopted by the sample matches several malspam campaign tracked during the current year (rif EW. N070618, N030618, N010318).


Figure 7: Malware’s beaconing requests

Persistency

The third stage of the malware is designed to ensure its persistency into the infected system in the long run. It sets up a particular registry key containing chunks of binary data: “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6”

Figure 9: Registry key written by the malware

Among the registry key shown above there is an entry named “ddraxpps”: this particular name has been also used into persistency mechanism of other Ursnif samples analyzed back in January.  Also, the malware configures a key named “comuroxy” containing a wmic “process call create” command designed to invoke powershell code from the “ddraxpps” entry: C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6').ddraxpps))".

The “ddraxpps” registry key stores a hex string could be decoded applying a simple hex-to-ascii conversion, its content actually is the following obfuscated powershell code:

Figure 10: body of “ddraxpps” key

The first line of code shows a set of commands allowing the execution of some kind of payload encoded in decimal format. The array of numbers in at line two represents the actual executable payload in decimal notation.

$sagsfg="qmd";function ndltwntg{$sxpjuhsps=[System.Convert]::FromBase64String($args[0]);[System.Text.Encoding]::ASCII.GetString($sxpjuhsps);};

The third line, instead, contains a base64 encoded powershell snippet revealing the usage of a known payload injection technique: the “APC injection” or “AtomBombing”, used to infect the “iexplore.exe” process.

Figure 11: Commands of the third row of “ddraxpps” key

All the commands shown in Figure 11 are necessary to perform the operation of APC Injection: in the first variable “$jtwhasq” there is the import of the necessary library “kernel32.dll”, in particular the functions “GetCurrentProcess()” and “VirtualAllocEx()”. The second row provides the importing of of the functions “GetCurrentThreadId()”, “QueueUserAPC()”, “OpenThread()”. The third contains the real injection: while the first two lines contains the preparation of all imports, functions and relative parameters, the third one is the responsible of the execution of the actual APC Injection technique. The first step is to properly create a Virtual Section using the “VirtualAllocEx()” function of the current process, identified thanks to “GetCurrentProcess()”. The malware is then copied to the virtual section and, finally, this section is injected in a local thread within the “iexplore.exe” process thanks to the “QueueUserAPC()” function.

Conclusion

In the end, the whole infection chain could be summarized in four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through the registry key installed and the checking and the download of the Ursnif modules.

Figure 12. Representation of the infection chain

 

Indicator of Compromise (IoC)

Here the list of indicator of compromise collected during the analysis:

  • Dropurl:
    • hxxp:// groupschina.]com/tss/ppc.cab
  • C2:
    • 149.129.129.1
    • 47.74.131.146
    • 176.9.118.142
    • grwdesign[.com
    • rest.relonter[.at
    • web2003.uni[.net
    • web2341.uni5[.net
    • in.ledalco[.at
    • int.nokoguard[.at
    • io.ledalco[.at
    • rest.relonter[.at
    • apt.melotor[.at
    • torafy[.cn
  • Hash:
    • 81798ea125359ca4e618a5619cd856f95f3fb809f5f3022a42563bd3b627f2ca  puk.exe
    • 076a2fea06c3605927bd0d3acc4ed11db3c36a829aced06081c2e3ac9971f347 35623802.bat
    • f2cd58860b6085b63634980a641ebcd9b4148982d681cad88f00b08b341c7bc1 ppc.cab

Yara rule

rule puk {
meta:
  description = "Yara rule for puk file"
  author = "Yoroi - ZLab"
  last_updated = "2018-11-21"
  tlp = "white"
  category = "informational"
strings:
$a = { A5 66 A5 8D 95 DC FE FF FF 52 8D 85 B4 FE FF FF } 
$b = { 2B 8D 18 FF FF FF 2B 4D }
condition:
all of them
}