Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Ursnif Variant Shows Developers Are Careless

Researchers at Seculert have conducted an extensive analysis of the Ursnif banking Trojan and, in addition to finding a few improvements, they identified some mistakes made by the threat’s developers.

Researchers at Seculert have conducted an extensive analysis of the Ursnif banking Trojan and, in addition to finding a few improvements, they identified some mistakes made by the threat’s developers.

One of the changes spotted by experts is related to the malware’s sleeping feature, which increases its chances of evading sandbox detection. Sandboxing solutions typically analyze a file for only 2-3 minutes before moving on to the next sample. If a piece of malware becomes active only after a few minutes, it’s more likely to evade detection.

Earlier variants of Ursnif used sleep functions such as WaitForSingleObject or WaitForMultipleObjects for this task. However, the Trojan’s developers recently started relying on Microsoft’s Timers API, which, according to Seculert, is a unique approach.

Researchers also noticed some changes in the way Ursnif obfuscates outbound traffic in an attempt to avoid being detected by network security solutions that rely on communication pattern signatures to identify threats.

The domain generation algorithm (DGA) observed by experts in the new Ursnif variant creates domain names using words taken from a “license.txt” file hosted on Apple’s official website. However, the DGA is poorly coded and it contains a logic flaw that leads to the loss of one of the words creating the domain name.

“I believe the malware authors have no idea they have such a bug in their code because they are probably using the exact same piece of code to know which domains they should buy,” Ariel Koren, security researcher at Seculert, explained in a blog post.

Ursnif was one of the six banking Trojan families recently spotted targeting users in Canada. After reverse engineering its DGA, Seculert sinkholed one of the C&C domains and found a total of nearly 7,000 Ursnif infections over a period of five days. The highest number of infections was in Canada (3,734), followed by Poland (1,163) and the United States (958).

Koren pointed out that the DGA allows cybercriminals to easily change the file that provides the wordlist used for generating domain names.

Advertisement. Scroll to continue reading.

Another mistake made by Ursnif developers is that they left behind some code that makes it easy to run the malware in virtual environments. In order to conduct tests on their own virtual machines, the developers added a check that instructs the malware to ignore verifying the presence of virtual machines if the file “C:321.txt” exists on the system. This allows researchers to analyze the malware in VMs without making any configuration changes simply by adding the “321.txt” file to the system.

Related Reading: Carberp Successor Bolek Banking Trojan Emerges

Related Reading: Gozi Banking Trojan Campaigns Target Global Brands

Related Reading: Ramnit Banking Trojan Resumes Activity

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.