The Italian content can be approximately translated to English as:
Enclosed there is an important communication which requires attention within 24 hours. For personal reasons, you will have to download the document attached to the prerequisite.
Figure 1: An example message from this campaign. All contact information within this message is forged and should not be considered indicative of compromise or malign activity within DHL.
The messages in this campaign use a tried-and-true social engineering construct—enticing the recipient to interact with the call-to-action; instill a sense of urgency with a time constraint; and, finally, explain away the suspicious nature of the attachment with reassuring, nonchalant language.
Figure 2: Properties of a typical .jse file delivered during this campaign
Figure 3: Snippet of the string deobfuscation routine. The main string decryption happens under ‘case 9’—the script uses the logical XOR (eXclusive OR) operator to decode strings passed to the routine.
The aim of this string decryption routine is to decode almost eight hundred URL-like strings. Most of these strings are invalid and appear to represent an attempt to foil automated dynamic analysis solutions. This is an effective tactic and can significantly hinder manual analysis.
Once the script has decoded its list of URLs and URL-like strings, it will attempt to contact each one in turn. The first two contactable URLs—that is, URLs that resolve and respond—are beacons, serving to alert an actor that the script has successfully executed. The bodies of both requests are empty, and the connection type is set to close, which means the server will close the connection as soon as the client has finished transmitting.
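The static-analysis counterpart to the behaviour just described, as an added example that is not code from the original post or from the script it analyses: a Python reimplementation of a single-byte XOR string decoder that recovers the URL list offline and separates syntactically sound URLs from the malformed decoys that would otherwise burn sandbox time. The key, the hex encoding and every string below are constructed assumptions; the page does not give the real key or container format.

```python
import re
from urllib.parse import urlsplit

# Constructed single-byte XOR key; the real script's key is not given on the page.
KEY = 0x5A

# Constructed plaintexts standing in for the ~800 decoded strings: two usable
# URLs buried among deliberately malformed, URL-like decoys.
PLAINTEXTS = [
    "http://beacon-one.example/ping",
    "htp://broken..example/",
    "http:///no-host",
    "http://beacon-two.example/check",
    "http://bad_host!.example/x",
    "not a url at all",
]

def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    # XOR is symmetric: the same routine encodes and decodes.
    return bytes(b ^ key for b in data)

# The obfuscated form as it might sit in the script: hex text of XOR'd bytes.
ENCODED = [xor_bytes(p.encode()).hex() for p in PLAINTEXTS]

def decode_string(hex_blob: str, key: int = KEY) -> str:
    return xor_bytes(bytes.fromhex(hex_blob), key).decode("latin-1")

# One DNS label: 1-63 chars, alphanumerics or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_resolvable_url(candidate: str) -> bool:
    """True only for http(s) URLs whose host name could actually resolve."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    labels = parts.hostname.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def recover_url_list(encoded_blobs, key: int = KEY):
    """Decode every blob and split the results into plausible URLs and decoys."""
    decoded = [decode_string(blob, key) for blob in encoded_blobs]
    good = [u for u in decoded if is_resolvable_url(u)]
    decoys = [u for u in decoded if not is_resolvable_url(u)]
    return good, decoys

if __name__ == "__main__":
    good, decoys = recover_url_list(ENCODED)
    print(f"{len(good)} candidate URLs, {len(decoys)} decoys")
    for url in good:
        print("  ", url)
```

Feeding the two surviving candidates to a resolver or proxy log search reproduces the "first two contactable URLs" check without ever letting the script run.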
Figure 4: First HTTP beacon with 0-length body
Figure 5: Second HTTP beacon with 0-length body
In a somewhat bizarre behavior, the script will produce an error window when it contacts each of the beacon domains. Most likely, the function used to contact the beacon resources was designed to process a response body and throws an error when one is not received.
Figure 6: Error thrown by the script after contacting each of the beacon-points
Once the script has taken care of the required beaconing, it downloads a Windows executable with a .scr extension. Files with this extension are Windows Screensaver executables. Despite the ambiguity of the extension and file type, it is not uncommon to see .scr files delivered as part of an infection chain.
The downloaded executable is a sample of the Ursnif/Gozi-ISFB trojan, referred to as Ursnif in PhishMe Intelligence reporting. This is the first instance of Ursnif observed by PhishMe Intelligence in 2018. Prior to this, the last known campaign involving Ursnif occurred on 2017-11-30, and can be seen in Active Threat Report 10397. PhishMe® has previously blogged about Ursnif and the ways threat actors attempt to deliver it to victims.
Ursnif is amongst the longest running malware dynasties to have ever existed—dating back as early as 2007. The source code was leaked in 2010, which led to many modified versions and copycats. This particular variant of Ursnif, believed to be a third revision, is incredibly sophisticated. It is capable of an immense number of data exfiltration techniques, as well as banking redirection and downloading of additional payloads.
Ursnif’s function set is expansive:
- Video and screen capturing
- Data theft (stored credentials, keys, tokens)
- Web Injects (add code to banking sites)
- Man-in-the-Browser attacks
- TOR client installation
- Remote Administration
- File infection
- Advanced Process Injection
- SOCKS proxy (funnel traffic through its own proxy)
- Domain and URL blocking
- Steals cleartext passwords off-the-wire
- Windows API patching
- Update functionality (keep the infection present)
This is only a snippet of the complete list and demonstrates just how formidable a piece of malware can become after consistent development for more than a decade.
During analysis, this variant of Ursnif downloaded an additional, encoded binary. This payload is decrypted, loaded into memory, and executed.
Figure 8: Ursnif downloads an additional, encoded binary
After a brief delay, this new binary begins to send spam messages to a predefined list of recipients. The message content is Italian dating spam, with no obvious malicious payload.
The message translates approximately to:
Subject: I want love
good afternoon
I’m looking for a relationship
I’ll give you a picture, after your answer
I’m very funny, I like sports
write me
yours
Veronika
Figure 9: Downloaded spambot distributes dating spam
Infections of this type are exceptionally damaging to individuals and organizations alike. Ursnif affords threat actors the ability to gain a foothold within an organization, as well as simultaneously exfiltrating potentially critical and sensitive data through various C2 channels, including TOR and SSL-encrypted HTTP streams. Infecting files on remote file shares gives lateral movement capability with no direct interaction from the actors.
Additionally, Ursnif has many means of stealing credentials, including keylogging, screen and video capture, wire-tapping, SOCKS redirection, man-in-the-browser attacks and web injects. It is almost certain that applications not using two-factor authentication will be compromised. Indeed, even those that are more secure are still vulnerable—Ursnif is perfectly capable of stealing tokens and other authentication objects.
Preventing such a catastrophic infection requires a multi-faceted security posture including attachment filtering (by content type) at the gateway, sandboxing and emulation technology on the boundaries and endpoints, and—perhaps most critically—conditioned, security-conscious staff who know to report suspect attachments.
Indicators of Compromise related to this campaign: