URLZone Morphs Into a Downloader for Ursnif
Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malwares.
The basic process described in a new report from Cybereason is a malspam campaign with a weaponized Excel document containing a PowerShell script that downloads steganographic images. The script extracts further Base64 and AES-encrypted and compressed PowerShell code from the images. This code subsequently downloads a stripped-down version of URLZone which is then used as a downloader for the Ursnif banking trojan.
The key elements of the campaign are that it is finely targeted against Japanese users, and that URLZone has been repurposed as an evasive downloader. The combination of PowerShell and steganography to deliver URLZone is an evasive technique to avoid detection.
The targeting comes first via the malspam campaign, and secondly through a series of location checks by the malware. The initial excel file uses a VBA macro to check the machine’s country setting. If it is not ‘Japan’, the application closes; otherwise it proceeds. This script downloads, extracts and decodes more PowerShell code via a 600×600 pixel image. The extracted code then retrieves the initial payload, again steganographically hidden. The payload is extracted and decrypted — and at this point a further geographic/language check is made. It uses the function (&Get-Culture).LCID to access the machine’s language identifier and uses it as part of the decryption routine.
The initial payload is basically URLZone. URLZone, aka Bebloh and Shiotab, is a banking trojan that first appeared in 2009. It uses man-in-the-browser techniques and Windows API call-hooking to steal banking information. Its use against Japanese targets is not uncommon.
In this instance, however, it has been repurposed from a banking trojan into a downloader. More specifically, say the researchers, “the banking trojan capabilities were effectively stripped from this variant. In this variant, URLZone is used solely as a downloader for additional malware.”
It seeks to evade detection and analysis through a series of anti-analysis checks. It checks the CPU brand, and if it is ‘Xeon’, the malware exits. It checks for Sandboxie, VirtualBox, and VMware. It performs an anti-debugging check and checks for the strings, ‘sample’, ‘virus’, and ‘sandbox’ in the process path. Finally, it creates a mutex with a string based on the name and install date of the machine, and if the mutex already exists, the malware terminates.
If all is well, URLZone launches explorer.exe and injects into it. (If this fails for any reason, it launches iexplorer.exe and injects there.) It initializes explorer.exe in suspended mode, creates a memory-mapped section, and writes itself to it. It writes shellcode to the memory of the suspended explorer.exe, which loads the portable executable written to the memory-mapped section of explorer.exe.
This version of URLZone is a downloader. It checks connectivity with Google and attempts to connect to a hardcoded C2 server. If this connection fails, if the server is off-line or has been taken down, it uses a DGA to find an alternative C2 (the DGA uses the previous domain as the seed for the newly generated domain name).
The C2 returns a list of addresses to URLZone, from which it downloads additional malware, writes it to a randomly named folder within the temp folder, and executes it. In this campaign, the final downloaded malware detected by Cybereason was the Ursnif banking trojan. New versions of Ursnif have been common since the source code was leaked in 2015, and Cybereason reported on an earlier Ursnif campaign, also targeting Japan, in March 2019. “The new variant,” say the researchers, “features a stealthy persistence mechanism, revamped information-stealing modules focusing on mail clients and cryptocurrency, and targets Japanese security products.”
Related: Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration
Related: Ursnif Trojan Uses New Malicious Macro Tactics
Related: Kronos Banking Trojan Has Returned
Related: Ursnif Banking Trojan Gets Mouse-Based Anti-Sandboxing
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
More from Kevin Townsend
- Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign
- Quantum Decryption Brought Closer by Topological Qubits
- IBM Delivers Roadmap for Transition to Quantum-safe Cryptography
- CISO Conversations: HP and Dell CISOs Discuss the Role of the Multi-National Security Chief
- Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack
- Open Banking: A Perfect Storm for Security and Privacy?
- Apiiro Launches Application Attack Surface Exploration Tool
- Phylum Adds Open Policy Agent to Open Source Analysis Engine
Latest News
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
- Many Vulnerabilities Found in PrinterLogic Enterprise Software
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
