Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest
Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Light Markless Binary Defense Full Color Logo Light Markless

Search

Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Light Markless Binary Defense Full Color Logo Light Markless

SOC Alert! Uptick in Ursnif Distribution

Last Modified: Monday April 17, 2023

By

Binary Defense has noticed a recent uptick in Ursnif distributed using Reply-Chain attacks and password protected .zip files across multiple clients. Inside of the .zip files will be documents containing macros which execute and reach out to a Ursnif distribution server to download the payload.

The Reply-Chain attacks are carried out by infecting one victim, accessing their emails, locating an ongoing email chain, and then injecting their malicious file into the email chain. This is very effective, because it appears to come from a trusted source.

Ursnif seems to work in 3 stages:

  1. Initial loader is run and loads what we call the “Intermediate Loader” into memory.
  2. Using COM objects, the “Intermediate Loader” injects a malicious DLL file into running instances of iexplore.exe.
  3. Communicates through these hijacked iexplore.exe instances.

Additionally, Ursnif demonstrates some fileless capabilities. It installs itself in a Registry Key which will contain powerscript/mshta commands in order to pull down and re-execute itself. As everything else is done in memory, the file is not resident on the HDD, but instead exists in the Registry.

With this current campaign, once Ursnif is installed on a server, we typically see Trickbot dropped next, so cleaning machines as fast as possible is incredibly important.

Observed C2s to BLOCK:

sizfjalenk51[.]com

v25brigittet[.]com

k23ueugeniay[.]com

ztoy[.]top

qmiller[.]club

vipresleynz[.]com

jt23932[.]xyz

jecdkeay[.]com

bepkristagrant[.]top

RegKey Locations:

Depending on whether or not the Malware was ran in Admin mode or not, the persistence key is saved in the following location:

+ With Admin: HKLM:SOFTWAREAppDataLowSoftwareMicrosoft

+ Without Admin: HKCU:SOFTWAREAppDataLowSoftwareMicrosoft

It may also alternatively install to

HKCUSOFTWAREAppDataLowSoftwareMicrosoftClient

or

HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

However, as the filename is random, if installed to Run, you’ll need to analyze each of the keys in this location in order to identify if it did indeed drop there.

Avoidance:

As this is a very effective way of leveraging stolen email accounts, it is incredibly difficult to ensure the file you’ve acquired is legitimate. However, these files all seem to use document macros, and Binary Defense strongly recommends clients NOT EXECUTE MACROS.

Additionally, blocking the above C2s will help prevent further infections.

You May Also Like

Blog

Apr. 16, 2024

Diving into Hidden Scheduled Tasks 

ARC Labs conducted research and identified gaps in traditional auditing mechanisms, highlighting the security implications of manipulating the SD registry value for a scheduled task.

Read More

Blog

Apr. 11, 2024

Sisense Data Compromise: ARC Labs Intelligence Flash

Read More

Blog

Apr. 9, 2024

Analyzing CryptoJS Encrypted Phishing Attempt 

Read More