Security Experts:

Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

The actor behind the Ursnif banking Trojan has been using new evasive macros in their latest infection campaign, demonstrating continuous evolution of tools and techniques, Proofpoint researchers reveal.

In the latest observed distribution campaign, the Trojan is dropped onto the victim’s computer via weaponized Word documents. Before the infection takes place, however, the malicious macros in these documents check the machine to ensure that the Trojan can successfully evade detection and hinder analysis.

Previously, the threat would check for the public IP address of the infected machine and for the number of accessed Microsoft Word files to determine whether it was running inside a virtual environment. Now, the actor behind it, known as TA530, decided to add new sandbox evasion checks to the malicious macros, to better tailor the threat for evasion, researchers explain.

Following the recent update, the macro checks whether the filename contains only hexadecimal characters before the extension and ensures that there are at least 50 running processes with a graphical interface via Application.Tasks.Count. Moreover, it includes a process blacklist using Application.Tasks and has also expanded the list of strings it checks using MaxMind.

In the newly spotted campaign, the threat actor also used a Painted Event control (observed as Img_Painted) for macro execution when the user opened the document. Usually, malware uses autorun options for macro execution like Document_Open(), but Ursnif has decided to adopt said ActiveX control instead.

This week, a highly personalized spam campaign associated with this threat has been observed utilizing company names, personal names, titles, etc., to deliver the malicious Word documents. To lure the unsuspecting user to enable the macro, the document claims to be protected against unauthorized use. Once the user allows the macro to run, Ursnif ID “30030” is dropped, targeting Australian banking sites with web injects.

Following the update, the malicious macro checks if the Word filename contains only hexadecimal characters, because files submitted to sandboxes often use SHA256 or MD5 hash as the filename. Thus, the malicious payload is dropped onto the target system only if the filename contains letters after “f”, underscores, or spaces and if an extension is appended to it.

The macro also checks the number of running processes with a graphical interface, because real systems usually have more than 50 tasks, while sandboxes have as few as possible. Next, the macro performs a case-insensitive check against a blacklist of processes that could be present in a sandboxed environment, such as “fiddler”, “vxstream”, “vbox”, “tcpview”, “vmware”, “process explorer”, “vmtools”, “autoit”, “wireshark”, “visual basic”, and “process monitor”.

The macro also abuses the well-known geo-location service MaxMind to check whether the target machine is located in Australia, because it is targeting only this country in the latest campaign. More specifically, the macro checks that the results returned by MaxMind include “OCEANIA,” the region of the tropical Pacific Ocean that includes Australia.

The results are checked against an expanded list of blacklisted networks and the infection process is dropped if the target machine is located in one of these networks. Interestingly, in addition to security vendors, the list also includes networks belonging to “hospital”, “university”, “school”, “science”, “army”, “veterans”, “government”, and “nuclear.” Most probably, this check was included to minimize exposure to researchers and military or government entities, researchers say.

The actor behind this Ursnif campaign is also responsible for various other large-scale personalized attacks and is constantly adding new evasion techniques to the malicious macros used in infection campaigns. At the moment, the actor appears focused on preventing the execution of its malware on sandbox systems and on avoiding networks associated with security vendors and other entities.

“Over the last few years, malware sandboxes have become a more common component of the defenses that organizations and enterprises deploy to protect their users and their data. As the examples from this analysis demonstrate, threat actors are concentrating their research and innovation of malware sandbox evasion in an effort to remain ahead of their victims’ defenses,” Proofpoint researchers concluded.

Related: New Ursnif Variant Shows Developers Are Careless

Related: Multiple Banking Trojans Assault Users in Canada

view counter