Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Ursnif Variant Shows Developers Are Careless

Researchers at Seculert have conducted an extensive analysis of the Ursnif banking Trojan and, in addition to finding a few improvements, they identified some mistakes made by the threat’s developers.

Researchers at Seculert have conducted an extensive analysis of the Ursnif banking Trojan and, in addition to finding a few improvements, they identified some mistakes made by the threat’s developers.

One of the changes spotted by experts is related to the malware’s sleeping feature, which increases its chances of evading sandbox detection. Sandboxing solutions typically analyze a file for only 2-3 minutes before moving on to the next sample. If a piece of malware becomes active only after a few minutes, it’s more likely to evade detection.

Earlier variants of Ursnif used sleep functions such as WaitForSingleObject or WaitForMultipleObjects for this task. However, the Trojan’s developers recently started relying on Microsoft’s Timers API, which, according to Seculert, is a unique approach.

Researchers also noticed some changes in the way Ursnif obfuscates outbound traffic in an attempt to avoid being detected by network security solutions that rely on communication pattern signatures to identify threats.

The domain generation algorithm (DGA) observed by experts in the new Ursnif variant creates domain names using words taken from a “license.txt” file hosted on Apple’s official website. However, the DGA is poorly coded and it contains a logic flaw that leads to the loss of one of the words creating the domain name.

“I believe the malware authors have no idea they have such a bug in their code because they are probably using the exact same piece of code to know which domains they should buy,” Ariel Koren, security researcher at Seculert, explained in a blog post.

Ursnif was one of the six banking Trojan families recently spotted targeting users in Canada. After reverse engineering its DGA, Seculert sinkholed one of the C&C domains and found a total of nearly 7,000 Ursnif infections over a period of five days. The highest number of infections was in Canada (3,734), followed by Poland (1,163) and the United States (958).

Koren pointed out that the DGA allows cybercriminals to easily change the file that provides the wordlist used for generating domain names.

Another mistake made by Ursnif developers is that they left behind some code that makes it easy to run the malware in virtual environments. In order to conduct tests on their own virtual machines, the developers added a check that instructs the malware to ignore verifying the presence of virtual machines if the file “C:321.txt” exists on the system. This allows researchers to analyze the malware in VMs without making any configuration changes simply by adding the “321.txt” file to the system.

Related Reading: Carberp Successor Bolek Banking Trojan Emerges

Related Reading: Gozi Banking Trojan Campaigns Target Global Brands

Related Reading: Ramnit Banking Trojan Resumes Activity

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.