Italian DHL-Themed Phishing leads to Ursnif, Spambot

PhishMe Intelligence™ recently intercepted a subtle, DHL-spoofing campaign delivering a heavily-obfuscated JavaScript file. When executed, this JavaScript file downloads and runs a variant of the Ursnif/Gozi-ISFB trojan. Ursnif, in addition to its banker and stealer pedigree, acts as a downloader to serve a nasty surprise to the infected system. This is the first time PhishMe Intelligence has observed Ursnif actively delivering a spambot onto an infected system. Given Ursnif’s usually stealthy tendencies, it is somewhat unusual to see such a pairing.

The Italian content can be approximately translated to English as:

Dear Customer,

Enclosed there is an important communication which requires attention within 24 hours. For personal reasons, you will have to download the document attached to the prerequisite.

Yours sincerely

DHL ITALIА

Figure 1: An example message from this campaign. All contact information within this message is forged and should not be considered indicative of compromise or malign activity within DHL.

The messages in this campaign use a tried-and-true social engineering construct—enticing the recipient to interact with the call-to-action; instill a sense of urgency with a time constraint; and, finally, explain away the suspicious nature of the attachment with reassuring, nonchalant language.

Inside the attached archive is a JScript Encoded (.jse) file. Essentially a raw JavaScript file, this type of script is executed on Windows hosts by the Windows Script Host (WSH) engine.

Figure 2: Properties of a typical .jse file delivered during this campaign

The JavaScript code within this lightweight application is heavily obfuscated and uses a novel string deobfuscation routine. When coupled with excessive use of flow-control statements and extremely similar, nonsensical variable names, all of this makes the script not only resistant to static signature detection, but also indecipherable to human readers.

Figure 3: Snippet of the string deobfuscation routine. The main string decryption happens under ‘case 9’—the script uses the bitwise XOR (eXclusive OR) operator to decode strings passed to the routine.

The aim of this string decryption routine is to decode almost eight hundred URL-like strings. Most of these strings are invalid and appear to represent an attempt to foil automated dynamic analysis solutions. This is an effective tactic and can significantly hinder manual analysis.
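An analyst-side triage routine, added here as an example and not code from the campaign script: it undoes a repeating-key XOR of the kind the post attributes to the script and then separates syntactically plausible URLs from decoy "URL-like" strings, so that only real candidates are queued for blocking or sandboxing. The key and every string below are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample key; the real script's key and routine are not on the page.
SAMPLE_KEY = b"k3y"

def xor_bytes(data, key):
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)

def looks_like_real_url(s):
    """Syntactic check only: http(s) scheme, a hostname made of valid DNS
    labels and an alphabetic TLD. Decoys with junk hosts, odd schemes or a
    missing host fail here without any network contact."""
    try:
        parts = urlsplit(s)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    labels = parts.hostname.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return False
    return labels[-1].isalpha() and len(labels[-1]) >= 2

def triage(encoded, key):
    """Decode every blob and split the results into (candidates, decoys)."""
    good, junk = [], []
    for blob in encoded:
        s = xor_bytes(blob, key).decode("latin-1")
        (good if looks_like_real_url(s) else junk).append(s)
    return good, junk

# Constructed plaintexts: two plausible URLs and four decoys of the kinds
# an obfuscated list like this one typically mixes in.
SAMPLE_PLAINTEXTS = [
    "http://shop.example.net/shop/ri.php",
    "http://files.example.com/files/3.scr",
    "http://www.ex!mple.net/x",      # invalid character in a label
    "hxxp://dead.example.net/a",     # scheme WSH would not fetch
    "http://9999/a.php",             # single-label host
    "http:///missing-host",          # no host at all
]
SAMPLE_ENCODED = [xor_bytes(p.encode(), SAMPLE_KEY) for p in SAMPLE_PLAINTEXTS]
```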

Once the script has decoded its list of URLs and URL-like strings, it attempts to contact each one in turn. The first two contactable URLs—that is, URLs that resolve and respond—are beacons, serving to alert the actor that the script has executed successfully. Both requests carry empty bodies, and the Connection header is set to close, meaning the server tears the connection down once it has sent its response rather than keeping it open for further requests.

Figure 4: First HTTP beacon with 0-length body

Figure 5: Second HTTP beacon with 0-length body

In a somewhat bizarre behavior, the script will produce an error window when it contacts each of the beacon domains. Most likely, the function used to contact the beacon resources was designed to process a response body and throws an error when one is not received.

Figure 6: Error thrown by the script after contacting each of the beacon-points

Once the script has taken care of the required beaconing, it downloads a Windows executable with a .scr extension. Files with this extension are Windows Screensaver executables. Despite the ambiguity of the extension and file type, it is not uncommon to see .scr files delivered as part of an infection chain.

Figure 7: The JavaScript downloader retrieves an executable payload from a remote server
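Detection logic for the chain described above (several empty-bodied beacon requests followed by a .scr download), added here as an example rather than taken from the post. It runs over constructed proxy log lines in a simple "epoch source method url status response_bytes" format; the hosts and addresses are made up.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: 10.0.0.5 beacons to two hosts (0-byte responses) and
# then fetches a .scr; 10.0.0.9 is ordinary browsing for contrast.
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://shop.example.net/shop/ri.php 200 0
1001 10.0.0.5 GET http://files.example.org/files/ri.php 200 0
1002 10.0.0.5 GET http://gallery.example.com/test/3.scr 200 182272
1003 10.0.0.9 GET http://news.example.com/index.html 200 5120
1004 10.0.0.9 GET http://cdn.example.com/logo.png 200 2048
"""

def parse_log(text):
    """Turn the constructed log format into (ts, src, method, url, status, size)."""
    rows = []
    for line in text.splitlines():
        ts, src, method, url, status, size = line.split()
        rows.append((int(ts), src, method, url, int(status), int(size)))
    return rows

def find_beacon_then_download(rows, min_beacons=2, window=600):
    """Per source address, flag >= min_beacons successful GETs with empty
    responses to distinct hosts, followed within `window` seconds by a
    GET whose path ends in .scr. Returns (src, beacon_hosts, download_url)."""
    by_src = defaultdict(list)
    for row in sorted(rows):          # sorted by timestamp first
        by_src[row[1]].append(row)
    hits = []
    for src, events in by_src.items():
        beacons = {}                  # host -> first empty-response timestamp
        for ts, _, method, url, status, size in events:
            parts = urlsplit(url)
            host = parts.hostname or ""
            if method == "GET" and status == 200 and size == 0:
                beacons.setdefault(host, ts)
            elif parts.path.lower().endswith(".scr") and len(beacons) >= min_beacons:
                if ts - min(beacons.values()) <= window:
                    hits.append((src, sorted(beacons), url))
    return hits
```

Real proxy logs carry more fields and the .scr may be renamed on the wire, so in practice the download test would key on the response's MIME type or magic bytes rather than the URL suffix alone.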

The downloaded executable is a sample of the Ursnif/Gozi-ISFB trojan, referred to as Ursnif in PhishMe Intelligence reporting. This is the first instance of Ursnif observed by PhishMe Intelligence in 2018. Prior to this, the last known campaign involving Ursnif occurred on 2017-11-30, and can be seen in Active Threat Report 10397. PhishMe® has previously blogged about Ursnif and the ways threat actors attempt to deliver it to victims.

Ursnif is amongst the longest-running malware dynasties in existence, dating back as early as 2007. The source code was leaked in 2010, which spawned many modified versions and copycats. This particular variant of Ursnif, believed to be a third revision, is highly sophisticated: it supports a wide range of data exfiltration techniques, as well as banking redirection and the downloading of additional payloads.

Ursnif’s function set is expansive:

  • Keylogging
  • Video and screen capturing
  • Data theft (stored credentials, keys, tokens)
  • Web Injects (add code to banking sites)
  • Man-in-the-Browser attacks
  • TOR client installation
  • Remote Administration
  • File infection
  • Advanced Process Injection
  • SOCKS proxy (funnel traffic through its own proxy)
  • Domain and URL blocking
  • Steals cleartext passwords off-the-wire
  • Windows API patching
  • Update functionality (keep the infection present)

This is only a snippet of the complete list and demonstrates just how formidable a piece of malware can become after consistent development for more than a decade.

During analysis, this variant of Ursnif downloaded an additional, encoded binary. This payload is decrypted, loaded into memory, and executed.

Figure 8: Ursnif downloads an additional, encoded binary

After a brief delay, this new binary begins to send spam messages to a predefined list of recipients. The message content is Italian dating spam, with no obvious malicious payload.

The message translates approximately to:

Subject: I want love

Good afternoon

I’m looking for a relationship

I’ll give you a picture, after your answer

I’m very funny, I like sports

Write me

Yours

Veronika

Figure 9: Downloaded spambot distributes dating spam

Infections of this type are exceptionally damaging to individuals and organizations alike. Ursnif affords threat actors the ability to gain a foothold within an organization, as well as simultaneously exfiltrating potentially critical and sensitive data through various C2 channels, including TOR and SSL-encrypted HTTP streams. Infecting files on remote file shares gives lateral movement capability with no direct interaction from the actors.

Additionally, Ursnif has many means of stealing credentials, including keylogging, screen and video capture, wire-tapping, SOCKS redirection, man-in-the-browser attacks and web injects. It is almost certain that applications not protected by two-factor authentication will be compromised. Indeed, even those that are more secure remain vulnerable, since Ursnif is perfectly capable of stealing tokens and other authentication objects.

Preventing such a catastrophic infection requires a multi-faceted security posture including attachment filtering (by content type) at the gateway, sandboxing and emulation technology on the boundaries and endpoints, and—perhaps most critically—conditioned, security-conscious staff who know to report suspect attachments.
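One concrete form of the gateway-side attachment filtering recommended above, added as an example and not part of the original post: an attachment check that blocks bare Windows Script Host files and opens zip attachments to reject any that carry one, which is how the .jse in this campaign arrived. The file names and archive contents are constructed.

```python
import io
import zipfile

# Extensions WSH or the Windows shell will execute directly when double-clicked;
# .scr covers the screensaver-executable stage described in the post.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".scr"}

def _ext(name):
    """Final suffix of a file name, lower-cased; catches double extensions
    such as invoice.pdf.jse because only the last suffix is considered."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def risky_members(archive_bytes):
    """Names inside a zip whose final extension is on the block list."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if _ext(n) in SCRIPT_EXTS]

def should_quarantine(filename, data):
    """Gateway decision for one attachment: (quarantine?, reasons).
    Bare scripts are blocked outright, archives are inspected, and an
    archive that cannot be parsed is treated as hostile rather than passed."""
    if _ext(filename) in SCRIPT_EXTS:
        return True, [filename]
    if _ext(filename) == ".zip":
        try:
            hits = risky_members(data)
        except zipfile.BadZipFile:
            return True, ["unreadable archive"]
        return bool(hits), hits
    return False, []

def build_zip(members):
    """Construct an in-memory archive from {name: text} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a lure archive shaped like this campaign's, and a benign one.
MALICIOUS_ZIP = build_zip({"DHL_document.jse": "// placeholder, not a real script"})
BENIGN_ZIP = build_zip({"report.pdf": "%PDF-1.4 placeholder"})
```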


Indicators of Compromise related to this campaign:

