New Ursnif Variant Shows Developers Are Careless

Researchers at Seculert have conducted an extensive analysis of the Ursnif banking Trojan and, in addition to finding a few improvements, they identified some mistakes made by the threat’s developers.

One of the changes spotted by experts is related to the malware’s sleeping feature, which increases its chances of evading sandbox detection. Sandboxing solutions typically analyze a file for only 2-3 minutes before moving on to the next sample. If a piece of malware becomes active only after a few minutes, it’s more likely to evade detection.

Earlier variants of Ursnif used sleep functions such as WaitForSingleObject or WaitForMultipleObjects for this task. However, the Trojan’s developers recently started relying on Microsoft’s Timers API, which, according to Seculert, is a unique approach.

Researchers also noticed some changes in the way Ursnif obfuscates outbound traffic in an attempt to avoid being detected by network security solutions that rely on communication pattern signatures to identify threats.

The domain generation algorithm (DGA) observed by experts in the new Ursnif variant creates domain names using words taken from a “license.txt” file hosted on Apple’s official website. However, the DGA is poorly coded and it contains a logic flaw that leads to the loss of one of the words creating the domain name.

“I believe the malware authors have no idea they have such a bug in their code because they are probably using the exact same piece of code to know which domains they should buy,” Ariel Koren, security researcher at Seculert, explained in a blog post.

Ursnif was one of the six banking Trojan families recently spotted targeting users in Canada. After reverse engineering its DGA, Seculert sinkholed one of the C&C domains and found a total of nearly 7,000 Ursnif infections over a period of five days. The highest number of infections was in Canada (3,734), followed by Poland (1,163) and the United States (958).

Koren pointed out that the DGA allows cybercriminals to easily change the file that provides the wordlist used for generating domain names.

Another mistake made by Ursnif developers is that they left behind some code that makes it easy to run the malware in virtual environments. In order to conduct tests on their own virtual machines, the developers added a check that instructs the malware to ignore verifying the presence of virtual machines if the file “C:321.txt” exists on the system. This allows researchers to analyze the malware in VMs without making any configuration changes simply by adding the “321.txt” file to the system.

Related Reading: Carberp Successor Bolek Banking Trojan Emerges

Related Reading: Gozi Banking Trojan Campaigns Target Global Brands

Related Reading: Ramnit Banking Trojan Resumes Activity