Over the past couple of days, the Cofense™ Phishing Defence Centre has observed multiple campaigns that prompt the user to download what appears to be a life insurance invoice. The “invoice” gets delivered in the form of a zip file that contains a LNK file with content crafted to create an effective malware downloader tool. The malware it delivers: Ursnif.
The abuse of this file format represents another example of attackers using creative attack techniques and seemingly-benign file types to bypass security controls to deliver malware to protected environments. The success of these techniques may vary, but phishers will continue to innovate to identify methods that work for them.
In this blog post, we have picked a campaign that demonstrates this principle in action. The campaign pretends to come from AA Life Insurance with a subject of Life Insurance – Invoice. The email we have received is shown in Figure 1.
Figure 1 – AA Life Insurance Invoice Email
A click on the “View Invoice” button takes the user to
hxxp://nth-gen.co[.]uk/AA%20Insurance%20Invoice[.]zip, where the zip file “AA Insurance Invoice.zip” is downloaded. Extracting the zip file reveals a LNK file named “AA Insurance Invoice.lnk” as shown in Figure 2.
Figure 2 – Content of Zip File
Closer inspection of the shortcut file reveals that the shortcut file’s target is a terse script that invokes the Microsoft bitsadmin utility to download a malware payload. The Microsoft bitsadmin utility is used to invoke downloads using BITS (Background Intelligent Transfer Service), a specialized implementation of HTTP communications designed to facilitate asynchronous and load-balanced downloads of remote content such as Windows updates.
Here, the phisher has harnessed this Windows feature to download the payload “PACHANGAITV.exe” from hxxp://katherineroper[.]co[.]uk/newsite/ to the Windows temp directory and renames it to “Chaturnabte.exe”. After this happens, the payload “Chaturnabte.exe” is executed as demonstrated in Figure 3.
Figure 3 – Command Executed by LNK File
This executable represents the Ursnif binary placed on the infected machine. Once in place, this malware creates a new folder named “Keyboardeb” nested within the Windows AppData directory. This folder will be populated by log files generated by the keylogger functionality of the Ursnif malware.
Figure 4 – Keylogger Log Files in Keyboardeb Folder
Opening the log file with a text editor reveals not only the captured keystrokes but also which application was used. For example, Figure 5 shows an example where the Chrome browser was used to perform a search for “google.co.uk”.
Figure 5 – Opened Keylogger Log File
All files in the “Keyboardeb” directory are periodically uploaded to hxxps://86[.]105[.]18[.]64/index[.]html as shown in Figure 6. After these log files are sent to the command and control host, they are deleted from the directory.
Figure 6 – Keylogger File Upload
Using LNK files as an attack vector has been around for many years. While this technique is certainly not new, attackers always try to find new ways to leverage this attack vector. Common techniques related to the abuse of Windows shortcut files include launching PowerShell commands directly from the LNK file or, as seen in this campaign, making use of a legitimate Windows tool to download a malware payload.
Figure 7 – Infection Chain
This particular campaign is distributing the adaptable Ursnif malware, a contemporary member of a malware family dating back the better part of a decade. Members of this malware family represent some of the oldest banking trojans that have evolved over the years. These malware tools are designed to seek out credentials for email accounts, cloud accounts, cryptocurrency exchange platforms, and more in addition to the traditional banking and credit card accounts.
To protect yourself from banking and financial crimes trojans, make sure that you do not open attachments or links from unknown senders. If a message seems suspicious, report it and encourage personnel within enterprise environments to do the same. Furthermore, ensure that your systems are up to date and fully patched. If you have identified a trojan in your environment, you can use the indicators of compromise to block the associated IP addresses at your perimeter firewall and update other security devices in your environment to identify or block this threat.
Sign up for free threat alerts. Get phishing and malware trends delivered to your inbox: https://cofense.com/threat-alerts/
Indicators of Compromise
Infection URL: hxxp://nth-gen.co.uk/AA%20Insurance%20Invoice.zip
Infection URL Domain: nth-gen[.]co[.]uk
Infection URL IP: 18.104.22.168
File name: AA Insurance Invoice.zip
File size: 1062 KB
File name: AA Insurance Invoice.lnk
File size: 3KB
File name: Chaturnabte.exe
File size: 196 KB
Payload URL: http://katherineroper[.]co[.]uk/newsite/PACHANGAITV[.]exe
Payload URL Domain: katherineroper[.]co[.]uk
Payload URL IP: 22.214.171.124
Command & Control URL:
Command & Control URL IP: