New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection

guest · Jan 24, 2019

New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection
January 24, 2019
https://www.bleepingcomputer.com/ne...n-uses-fileless-infection-to-avoid-detection/

Cisco Talos discovered that this new Ursnif campaign uses an already well-known payload delivery method which employs Microsoft Word documents containing a malicious VBA macro that will automatically run using AutoOpen if macros are already enabled.

Once executed on the victim computer [...] will eventually use iex to execute an Asynchronous Procedure Call (APC) Injection.
To inject itself in the compromised machine's memory and achieve fileless persistence the malware uses the following, quite convoluted, procedure:

The injection starts by allocating memory for the malicious DLL with VirtualAllocEx, targeting the current process. If the allocation is successful, it then copies the malicious DLL into the newly allocated memory with Copy. Once that is completed, QueueUserAPC is executed [...]
An extensive list of indicators of compromise (IOC) is available at the end of the Cisco Talos analysis [...]
Click to expand...

Rasheed187 · Jan 26, 2019

What I hate about these type of articles is that they fail to mention that malware still needs to run inside a certain process. And the process that it's running in they don't actually mention clearly, so it's for me to guess. But it's probably wmic.exe or powershell.exe, so if you restrict those, then I guess you're good.

Log in or Sign up

New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection

guest Guest

Rasheed187 Registered Member

Log in or Sign up

New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection

guest Guest

Rasheed187 Registered Member

Useful Searches