Ursnif Trojan Adopts New Code Injection Technique

Minimalist · Dec 4, 2017

Most notable to this variant are modifications to the code injection techniques and attack strategies, Kessem said.

“In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information without tripping the bank’s fraud detection mechanisms,” she wrote.
Click to expand...

https://threatpost.com/ursnif-trojan-adopts-new-code-injection-technique

Rasheed187 · Dec 4, 2017

I'm not sure what to think of this, it didn't become clear what new code injection was actually used. But it does seem to perform process hollowing on svchost.exe, that's why it's so important to simply block malware from the ability to run certain system processes as a child process. The new EXE Radar will give this option hopefully.

itman · Dec 4, 2017

Rasheed187 said: ↑

I'm not sure what to think of this, it didn't become clear what new code injection was actually used. But it does seem to perform process hollowing on svchost.exe, that's why it's so important to simply block malware from the ability to run certain system processes as a child process. The new EXE Radar will give this option hopefully.
Click to expand...

“We recently came across a Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting to child process. Though many of the malware binaries (or their packers) use some variation of GetThreadContext/SetThreadContext or CreateRemoteThread Windows API functions to change the entry point of the remote process during injection, this sample (and the related cluster) is using a relatively lesser-known stealth technique,” wrote Abhay Vaish and Sandor Nemes with FireEye’s Threat Research team.
Click to expand...

This little deviation from the standard textbook approach may cause some generic unpackers or tools to break following the execution flow, if they do not account for the technique.

The Stealthy Tweak

This buffer, when correctly placed at the offset, will represent the TLS directory offset for the process because offset 0x198 is the location of the TLS directory in PE executable, and the next DWORD represents the size of the directory (seen in Figure 2). Notice how the malware writes the offset 0x40 for directory and the size 0x18 bytes in an effort to point to the buffer it had already crafted at offset 0x40 with size 0x18 bytes.

The TLS directory structure, when used to parse out that buffer of 0x18 bytes, points to an offset containing a list of pointers representing AddressOfCallBacks.

If we take a look at offset 0xe058, it points to the list of AddressOfCallBacks (Figure 4), and if we go to the offset 0xe058 in memory we are pointed to the only callback address at offset 0xe068 - which is in fact the actual entry point code.

Finally, the malware unmaps the view using ZwUnmapViewOfSection and calls ResumeThread to begin malicious execution of its injected process (from the injected TLS callback address instead of the regular AddressOfEntryPoint listed in the PE header). Hence, the execution will first land at the injected TLS callback.
Click to expand...

https://www.fireeye.com/blog/threat...variant-malicious-tls-callback-technique.html

Rasheed187 · Dec 5, 2017

itman said: ↑

https://www.fireeye.com/blog/threat...variant-malicious-tls-callback-technique.html
Click to expand...

Yes, I did read it, but it doesn't sound like a new code injection method, more like a new technique to hide code injection from HIPS, but I might be wrong.

Log in or Sign up

Ursnif Trojan Adopts New Code Injection Technique

Minimalist Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

Log in or Sign up

Ursnif Trojan Adopts New Code Injection Technique

Minimalist Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

Useful Searches