Security Experts:

Attack Combines Phishing, Steganography, PowerShell to Deliver Malware

URLZone Morphs Into a Downloader for Ursnif

Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malwares.

The basic process described in a new report from Cybereason is a malspam campaign with a weaponized Excel document containing a PowerShell script that downloads steganographic images. The script extracts further Base64 and AES-encrypted and compressed PowerShell code from the images. This code subsequently downloads a stripped-down version of URLZone which is then used as a downloader for the Ursnif banking trojan.

The key elements of the campaign are that it is finely targeted against Japanese users, and that URLZone has been repurposed as an evasive downloader. The combination of PowerShell and steganography to deliver URLZone is an evasive technique to avoid detection.

The targeting comes first via the malspam campaign, and secondly through a series of location checks by the malware. The initial excel file uses a VBA macro to check the machine's country setting. If it is not 'Japan', the application closes; otherwise it proceeds. This script downloads, extracts and decodes more PowerShell code via a 600x600 pixel image. The extracted code then retrieves the initial payload, again steganographically hidden. The payload is extracted and decrypted -- and at this point a further geographic/language check is made. It uses the function (&Get-Culture).LCID to access the machine's language identifier and uses it as part of the decryption routine.

The initial payload is basically URLZone. URLZone, aka Bebloh and Shiotab, is a banking trojan that first appeared in 2009. It uses man-in-the-browser techniques and Windows API call-hooking to steal banking information. Its use against Japanese targets is not uncommon.

In this instance, however, it has been repurposed from a banking trojan into a downloader. More specifically, say the researchers, "the banking trojan capabilities were effectively stripped from this variant. In this variant, URLZone is used solely as a downloader for additional malware."

It seeks to evade detection and analysis through a series of anti-analysis checks. It checks the CPU brand, and if it is 'Xeon', the malware exits. It checks for Sandboxie, VirtualBox, and VMware. It performs an anti-debugging check and checks for the strings, 'sample', 'virus', and 'sandbox' in the process path. Finally, it creates a mutex with a string based on the name and install date of the machine, and if the mutex already exists, the malware terminates.

If all is well, URLZone launches explorer.exe and injects into it. (If this fails for any reason, it launches iexplorer.exe and injects there.) It initializes explorer.exe in suspended mode, creates a memory-mapped section, and writes itself to it. It writes shellcode to the memory of the suspended explorer.exe, which loads the portable executable written to the memory-mapped section of explorer.exe.

This version of URLZone is a downloader. It checks connectivity with Google and attempts to connect to a hardcoded C2 server. If this connection fails, if the server is off-line or has been taken down, it uses a DGA to find an alternative C2 (the DGA uses the previous domain as the seed for the newly generated domain name).

The C2 returns a list of addresses to URLZone, from which it downloads additional malware, writes it to a randomly named folder within the temp folder, and executes it. In this campaign, the final downloaded malware detected by Cybereason was the Ursnif banking trojan. New versions of Ursnif have been common since the source code was leaked in 2015, and Cybereason reported on an earlier Ursnif campaign, also targeting Japan, in March 2019. "The new variant," say the researchers, "features a stealthy persistence mechanism, revamped information-stealing modules focusing on mail clients and cryptocurrency, and targets Japanese security products."

Related: Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration 

Related: Ursnif Trojan Uses New Malicious Macro Tactics 

Related: Kronos Banking Trojan Has Returned 

Related: Ursnif Banking Trojan Gets Mouse-Based Anti-Sandboxing 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.