Ursnif – This banking malware just returned with new sneaky tricks to steal your data

Discussion in 'malware problems & news' started by mood, Mar 12, 2019 at 2:42 PM.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,238
    This banking malware just returned with new sneaky tricks to steal your data
    The malware's code has been around for over 10 years, but attackers are still finding new ways to make it more dangerous
    March 12, 2019

    https://www.zdnet.com/article/this-...ned-with-new-sneaky-tricks-to-steal-you-data/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,320
    Location:
    The Netherlands
    If you read the report, you can stop this particular attack by monitoring execution of cmd.exe and powershell.exe. It also helps to block explorer.exe from getting network access. I do wonder if HIPS like Comodo and SpyShelter would be able to block the code injection into explorer.exe; it's using a more advanced injection method (QueueUserAPC injection). Too bad that nobody tests this stuff.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,236
    Location:
    U.S.A.
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,236
    Location:
    U.S.A.
    Think again:
    https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/

    Additional ref.: https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmi-tasks--connecting-to-the-wmi-service

    Also UAC can be a possible mitigation: https://docs.microsoft.com/en-us/windows/desktop/wmisdk/user-account-control-and-wmi, but you have no need for UAC right?
     
    Last edited: Mar 16, 2019 at 5:09 PM
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,236
    Location:
    U.S.A.
    Also note the persistence mechanism this bugger uses. It creates the autoruns entries at system shutdown and immediately deletes them at boot time, virtually making it impossible to detect how it is being started.

    -EDIT- Not bulletproof however. Can be detected in Safe mode:
    Also the .dll injection into explorer.exe occurs after logon initialization. Assumed a HIPS rule monitoring explorer.exe modification would be sufficient to detect this.
     
    Last edited: Mar 17, 2019 at 10:52 AM
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,761
    blocking cmd, explorer and ps is like grabbing the ball from behind the goal line - nonsense.
    as it is a payload, one should sharpen their browser / mailer defense line to defeat payloads!
    speaking in conjunction with sandboxie - get a damn license and use forced folders...
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,236
    Location:
    U.S.A.
    Also this latest Ursnif variant has a Trusteer Rapport bypass, although as noted below, it hasn't been validated:
     
    Last edited: Mar 17, 2019 at 11:24 AM
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,320
    Location:
    The Netherlands
    I've read it, but this attack also starts with running powershell.exe, if you block this, all of the other stuff can't happen.

    Depends on what type of code injection method is being monitored by the HIPS.

    I just copied the link from the original article?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,236
    Location:
    U.S.A.
    I give up.:rolleyes:

    The article first states that the macro started cmd.exe, which spawned powershell.exe. Note it doesn't state how the macro did so. If the macro used the WMI interface, as only one example, you're dead meat.

    As you are fond of stating, code a similar execution and see if anything detects it.
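    The disagreement above comes down to what process-creation telemetry shows in each case: when a macro spawns cmd.exe directly, the shell's parent is the Office process; when it goes through WMI (Win32_Process.Create), the child is created under WmiPrvSE.exe and the link back to the Office document is not visible in the parent field. The following is an added example, not code from the article or from any poster in the thread, showing detection logic that handles both shapes. It runs over constructed Sysmon-style process-creation records (pids, image names and command lines are made up for the example), walks the parent chain, and flags cmd.exe/powershell.exe that descend from an Office application or that were spawned directly by the WMI provider host; a shell launched from explorer.exe by the user is left alone.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Image names (lower case, basename only) used by the rules below.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WMI_HOST = "wmiprvse.exe"  # Win32_Process.Create children are parented to this host


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 style); constructed for the example."""
    pid: int
    ppid: int
    image: str    # basename of the executable, lower case
    cmdline: str


def ancestor_images(tree: Dict[int, ProcEvent], ev: ProcEvent, limit: int = 8) -> List[str]:
    """Walk the parent chain (at most `limit` hops) and return the image names seen, nearest first."""
    chain: List[str] = []
    cur = tree.get(ev.ppid)
    while cur is not None and len(chain) < limit:
        chain.append(cur.image)
        cur = tree.get(cur.ppid)
    return chain


def classify(tree: Dict[int, ProcEvent], ev: ProcEvent) -> Optional[str]:
    """Return a verdict string for a suspicious shell launch, or None if nothing matches."""
    if ev.image not in SHELLS:
        return None
    chain = ancestor_images(tree, ev)
    # Case 1: Office document -> cmd.exe (-> powershell.exe); the Office parent is visible in the chain.
    if any(img in OFFICE_APPS for img in chain):
        return "office-spawned-shell"
    # Case 2: launched through WMI; only WmiPrvSE.exe is visible as the parent, so flag that on its own.
    if chain and chain[0] == WMI_HOST:
        return "wmi-spawned-shell"
    return None


def detect(events: Iterable[ProcEvent]) -> List[Tuple[int, str]]:
    """Build the process tree from the records and return (pid, verdict) for every hit, in input order."""
    evs = list(events)
    tree = {e.pid: e for e in evs}
    hits: List[Tuple[int, str]] = []
    for e in evs:
        verdict = classify(tree, e)
        if verdict is not None:
            hits.append((e.pid, verdict))
    return hits


# Constructed sample telemetry: a direct macro launch chain, a WMI-mediated launch,
# and a benign user-started PowerShell for comparison.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "explorer.exe", "explorer.exe"),
    ProcEvent(2, 0, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(100, 1, "winword.exe", "winword.exe invoice.doc"),
    ProcEvent(101, 100, "cmd.exe", "cmd.exe /c powershell -w hidden"),
    ProcEvent(102, 101, "powershell.exe", "powershell -w hidden"),
    ProcEvent(200, 2, "wmiprvse.exe", "wmiprvse.exe -Embedding"),
    ProcEvent(201, 200, "cmd.exe", "cmd.exe /c powershell -w hidden"),
    ProcEvent(300, 1, "powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for pid, verdict in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {verdict}")
```

    The second rule is the one that matters for the WMI argument: a HIPS or EDR rule keyed only on "Office parent" never fires for pid 201, so the WmiPrvSE.exe-parented shell has to be treated as its own indicator and baselined against legitimate management tooling on that host.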
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,320
    Location:
    The Netherlands
    I assume that anti-executable will block cmd.exe and powershell.exe no matter how it's launched. It doesn't matter who the parent process is. So if you have some more info, please share it with us. Otherwise, I give up. :rolleyes:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,236
    Location:
    U.S.A.
    Case in point from FIN8's malware playbook on how this Ursnif could be using WMI from the macro:
    https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html

    Err... so much for that new WD ASR mitigation in 1809.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,236
    Location:
    U.S.A.
    This outfit can dynamically change its attack on the fly:
    https://www.nccgroup.trust/uk/about...missary-panda-a-potential-new-malicious-tool/

     