Binary Defense has noticed a recent uptick in Ursnif distributed using Reply-Chain attacks and password protected .zip files across multiple clients. Inside of the .zip files will be documents containing macros which execute and reach out to a Ursnif distribution server to download the payload.
The Reply-Chain attacks are carried out by infecting one victim, accessing their emails, locating an ongoing email chain, and then injecting their malicious file into the email chain. This is very effective, because it appears to come from a trusted source.
Ursnif seems to work in 3 stages:
- Initial loader is run and loads what we call the “Intermediate Loader” into memory.
- Using COM objects, the “Intermediate Loader” injects a malicious DLL file into running instances of iexplore.exe.
- Communicates through these hijacked iexplore.exe instances.
Additionally, Ursnif demonstrates some fileless capabilities. It installs itself in a Registry Key which will contain powerscript/mshta commands in order to pull down and re-execute itself. As everything else is done in memory, the file is not resident on the HDD, but instead exists in the Registry.
With this current campaign, once Ursnif is installed on a server, we typically see Trickbot dropped next, so cleaning machines as fast as possible is incredibly important.
Observed C2s to BLOCK:
Depending on whether or not the Malware was ran in Admin mode or not, the persistence key is saved in the following location:
+ With Admin: HKLM:SOFTWAREAppDataLowSoftwareMicrosoft
+ Without Admin: HKCU:SOFTWAREAppDataLowSoftwareMicrosoft
It may also alternatively install to
However, as the filename is random, if installed to Run, you’ll need to analyze each of the keys in this location in order to identify if it did indeed drop there.
As this is a very effective way of leveraging stolen email accounts, it is incredibly difficult to ensure the file you’ve acquired is legitimate. However, these files all seem to use document macros, and Binary Defense strongly recommends clients NOT EXECUTE MACROS.
Additionally, blocking the above C2s will help prevent further infections.