The Ursnif banking Trojan (also tracked as Gozi/ISFB), long used to steal financial data, has resurfaced in a new campaign that combines living-off-the-land Windows utilities with in-memory payload staging to avoid detection. The campaign, identified by Cyble Research and Intelligence Labs (CRIL), primarily targets business professionals in the United States and delivers the Ursnif trojan through a multi-stage, covert attack.
CRIL's analysis traces the campaign to a seemingly harmless LNK (shortcut) file disguised as a PDF document and typically distributed inside ZIP archives attached to spam emails. A user who opens the shortcut unknowingly starts a series of commands that ends with Ursnif running on the system. What makes the chain hard to catch is that the later stages (shellcode and the core Ursnif DLL) are decrypted and executed in memory rather than written to disk in usable form, so file-scanning security products have little to inspect. Once running, Ursnif connects to a command-and-control (C&C) server and downloads additional payloads that let the attacker steal sensitive data from the infected machine.
The infection chain starts with a ZIP file containing a malicious LNK file. The shortcut is named “staplesds02_23.pdf.lnk”: the double extension makes it look like a PDF, and because Windows Explorer never displays the .lnk extension (even when extensions are shown for other file types), the victim sees only “staplesds02_23.pdf”. When opened, the LNK runs the built-in Windows utility certutil.exe to decode the next-stage payload, an HTA file, which is then executed by mshta.exe. The HTA contains a VBScript that opens a decoy PDF to keep the victim from suspecting anything while it drops a malicious DLL onto the system. This DLL is a loader: it decrypts embedded payloads, a piece of shellcode and a second DLL, and that second DLL starts the Ursnif core component.
The evasion value of this chain comes from two things. First, everything after the loader DLL runs in memory: the loader decrypts the shellcode and the second-stage DLL containing the Ursnif core, so the decrypted code is never written to disk and leaves few file artifacts for scanners to find before the trojan reaches its C&C server and begins exfiltrating data. Second, the early stages are carried out by signed, widely trusted Windows utilities (certutil.exe and mshta.exe) rather than by a custom dropper, so a tool that judges a process by its binary's reputation alone sees nothing unusual; the malicious activity is visible only in the command lines and in the parent-child process relationships.
Ursnif's communication with the C&C server is encrypted, which hides the content of its traffic from inspection. The sample uses the Windows CryptoAPI (CryptAcquireContextW and CryptEncrypt) to encrypt data before sending it, so network defenders see only opaque payloads. On instructions from the C&C server, Ursnif downloads additional malicious payloads, potentially extending the intrusion with further malware or tools. It also creates a named mutex so that only one instance runs at a time; this is a standard single-instance guard rather than an evasion feature, and once the mutex name is known it is a useful host-based indicator.
In conclusion, this Ursnif campaign is dangerous because its early stages hide behind trusted Windows utilities and its later stages never touch disk in decrypted form. Cyble recommends behavior-based detection, close scrutiny of email attachments and links, robust email filtering, and strict monitoring of system utilities such as certutil.exe and mshta.exe. In practice that means alerting on certutil.exe invoked with -decode or -urlcache, on mshta.exe executing .hta files from user-writable locations such as %TEMP%, and on process chains in which an Explorer-launched shell spawns either utility; where a business has no legitimate use for mshta.exe, blocking it with an application-control policy removes that stage entirely. Deploying Endpoint Detection and Response (EDR) tooling and enforcing least-privilege policies limit what a successful infection can do.
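Two checks that follow from the infection chain (a double-extension LNK inside a ZIP, then certutil.exe and mshta.exe as the early stages) and from the monitoring recommendation above, written here as an added example and not taken from the Cyble report: the first inspects a ZIP archive for a shortcut hiding behind a document extension, the second replays process-creation events, flags certutil decode and mshta HTA execution by image name plus command line, and links the two through a shared ancestor process. The archive contents, the process events, the command lines and the cmd.exe intermediary are all constructed for illustration; the real campaign's command lines are not given in the text above.

```python
"""Added example (not from the Cyble report): two defensive checks for the
chain described above. Archive contents, process events, command lines and
the cmd.exe intermediary are all constructed for illustration."""
import io
import re
import zipfile

# Extensions a double-extension shortcut borrows to look like a document.
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def find_masquerading_lnk(zip_bytes):
    """Return ZIP entry names ending in .lnk behind a document extension,
    e.g. 'x.pdf.lnk'. Explorer hides '.lnk', so the user sees only 'x.pdf'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".lnk") and low[:-4].endswith(DOC_EXTS):
                hits.append(name)
    return hits


def build_sample_zip():
    """Constructed archive mimicking the lure: one fake shortcut, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Not a real shortcut; 'L\x00\x00\x00' is only the LNK header magic.
        zf.writestr("staplesds02_23.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
        zf.writestr("invoice_terms.txt", b"net 30")
    return buf.getvalue()


# Constructed Sysmon-style process-creation events: pid, parent pid, image, command line.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c certutil -decode " + TEMP + r"\a.txt " + TEMP + r"\a.hta && mshta " + TEMP + r"\a.hta"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -decode " + TEMP + r"\a.txt " + TEMP + r"\a.hta"},
    {"pid": 2200, "ppid": 2000, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta " + TEMP + r"\a.hta"},
    # Benign certutil use from an admin shell: must not be flagged.
    {"pid": 3000, "ppid": 3500, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -verify C:\\certs\\server.cer"},
]

# certutil switches used to decode or fetch a payload; mshta running an .hta or inline script.
CERTUTIL_DECODE = re.compile(r"\s-(decode|decodehex|urlcache)\b", re.I)
MSHTA_HTA = re.compile(r"\.hta\b|\b(vbscript|javascript):", re.I)


def flag_events(events):
    """Flag by image name AND command line, so a cmd.exe line that merely
    mentions certutil is not itself a hit. Returns [(pid, rule_name), ...]."""
    flagged = []
    for ev in events:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if image == "certutil.exe" and CERTUTIL_DECODE.search(ev["cmd"]):
            flagged.append((ev["pid"], "certutil_decode"))
        elif image == "mshta.exe" and MSHTA_HTA.search(ev["cmd"]):
            flagged.append((ev["pid"], "mshta_hta"))
    return flagged


def lineage(events, pid):
    """Ancestor chain [pid, parent, grandparent, ...] as far as the events allow."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def correlate_chain(events):
    """Pair each flagged certutil decode with a flagged mshta that shares an
    ancestor (the shell the LNK launched), reporting the nearest common one."""
    flagged = dict(flag_events(events))
    certutils = [p for p, rule in flagged.items() if rule == "certutil_decode"]
    mshtas = [p for p, rule in flagged.items() if rule == "mshta_hta"]
    chains = []
    for c in certutils:
        c_ancestors = set(lineage(events, c)[1:])
        for m in mshtas:
            for anc in lineage(events, m)[1:]:
                if anc in c_ancestors:
                    chains.append({"certutil_pid": c, "mshta_pid": m, "common_ancestor": anc})
                    break
    return chains


if __name__ == "__main__":
    print("suspicious archive entries:", find_masquerading_lnk(build_sample_zip()))
    print("flagged events:", flag_events(SAMPLE_EVENTS))
    print("correlated chains:", correlate_chain(SAMPLE_EVENTS))
```

The two rules are deliberately keyed on the process image rather than on the command-line string alone: the cmd.exe event carries the same `certutil -decode` text but is not a hit by itself, which keeps a single shell line from producing three alerts, while the correlation step still ties the real certutil and mshta processes back to that shell as their common ancestor. The benign `certutil -verify` event shows why the switch matters; flagging every certutil execution would drown the signal in administrative noise.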