Ursnif – This banking malware just returned with new sneaky tricks to steal your data

Discussion in 'malware problems & news' started by mood, Mar 12, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    23,744
    This banking malware just returned with new sneaky tricks to steal your data
    The malware's code has been around for over 10 years, but attackers are still finding new ways to make it more dangerous
    March 12, 2019

    https://www.zdnet.com/article/this-...ned-with-new-sneaky-tricks-to-steal-you-data/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    If you read the report, you can stop this particular attack by monitoring execution of cmd.exe and powershell.exe. It also helps to block explorer.exe from getting network access. I do wonder if HIPS like Comodo and SpyShelter would be able to block the code injection into explorer.exe, since it's using a more advanced injection (QueueUserAPC injection) method. Too bad that nobody tests this stuff.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Think again:
    https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/

    Additional ref.: https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmi-tasks--connecting-to-the-wmi-service

    Also UAC can be a possible mitigation: https://docs.microsoft.com/en-us/windows/desktop/wmisdk/user-account-control-and-wmi, but you have no need for UAC right?
     
    Last edited: Mar 16, 2019
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Also note the persistence mechanism this bugger uses. It creates the autoruns entries at system shutdown and immediately deletes them at boot time, making it virtually impossible to detect how it is being started.

    -EDIT- Not bulletproof however. Can be detected in Safe mode:
    Also, the .dll injection into explorer.exe occurs after logon initialization. I assume a HIPS rule monitoring explorer.exe modification would be sufficient to detect this.
     
    Last edited: Mar 17, 2019
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,105
    Blocking cmd, explorer and PS is like grabbing the ball from behind the goal line - nonsense.
    As it is a payload, one should sharpen their browser / mailer defense line to defeat payloads!
    Speaking in conjunction with Sandboxie - get a damn license and use forced folders...
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Also this latest Ursnif variant has a Trusteer Rapport bypass although as noted below, it hasn't been validated:
     
    Last edited: Mar 17, 2019
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    I've read it, but this attack also starts with running powershell.exe; if you block this, all of the other stuff can't happen.

    It depends on what types of code injection methods are being monitored by the HIPS.

    I just copied the link from the original article?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    I give up.:rolleyes:

    The article first states that the macro started cmd.exe, which spawned powershell.exe. Note it doesn't state how the macro did so. If the macro used the WMI interface, as only one example, you're dead meat.

    As you are fond of stating, code a similar execution and see if anything detects it.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    I assume that anti-executable will block cmd.exe and powershell.exe no matter how it's launched. It doesn't matter who the parent process is. So if you have some more info, please share it with us. Otherwise, I give up. :rolleyes:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Case in point from FIN8's malware playbook on how this Ursnif could be using WMI from the macro:
    https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html

    Err ……. so much for that new WD ASR mitigation in 1809.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    This outfit can dynamically change its attack on the fly:
    https://www.nccgroup.trust/uk/about...missary-panda-a-potential-new-malicious-tool/

     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    OK, so in other words, if you deny powershell.exe from running, you have already blocked this attack. Of course in a corporate network this isn't always possible, but process monitoring is still important. And that's exactly what so-called EDR systems do, like Win Def ATP.

    You should take a look at EXE Radar, it has a so called "vulnerable process" list, and it will block (or alert about) system processes being launched that can be abused. AFAIK, it doesn't care about the parent process, which in this case is wmiprvse.exe, but perhaps you can test it.

    https://www.novirusthanks.org/products/exe-radar-pro/
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Here's an example of how dangerous macro malware can be.

    A while back there was a nasty advanced threat bugger called Honeybee that was targeting S.E. Asia charitable concerns. This thing deployed a .cab from a macro to start things rolling. It then executed a .bat, again within the macro, to modify an existing service in the registry to run it immediately using a malicious .dll and, for persistence, at boot time. McAfee has a detailed writeup on the bugger here: https://securingtomorrow.mcafee.com...t-campaign-targeting-humanitarian-aid-groups/ . Note: McAfee posted the malware code in the article as clear text. If you have any decent security software, it should throw an alert when the malicious batch script code is detected in the browser's cache files. Nothing to worry about since it is cmd-based code.

    So how could all this crap run undetected? Macros have the ability to run process code within the context of their own allocated memory space, i.e. shell. Think along the lines of a dynamically linked sub-program call versus an in-line statically linked sub-routine. Remember that macros, after all, are assembler code. Here's an article on how to do it within a macro: http://www.suodenjoki.dk/us/productions/articles/vbashellexecute.htm. Additional reference here: https://docs.microsoft.com/en-us/windows/desktop/api/shellapi/nf-shellapi-shellexecutea.

    So how do you detect macro based malware? Use a security product with advanced memory scanning capability coupled with excellent "smart" code and behavioral signatures. Or, damn it, disable macro execution in all MS Office products that have this capability.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    I believe you're once again overthinking things. If you block MS Office from running other child processes like cmd.exe you have probably already stopped this attack. The monitoring of parent-child process execution is key. And why does MS Word need outbound network access, if you block this, then how will it download the dropper? And you can even stop it later in the chain, by blocking ipnet.dll from registering as a service.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    I give up …………….
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    No, I give up, because you were also wrong about the other attack (see quote); funny that you didn't even respond to that. The problem is that you're overthinking things. I believe that's exactly the goal of these kinds of articles, to confuse people into thinking it's quite hard to block these attacks. Like I said, a tool like EXE Radar will simply block powershell.exe, no matter who the parent process is. Any reaction to that?

     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    BTW, my comments were about the attack described above. It uses MS Word to download the dropper, and then it will use cmd.exe to load the CAB files, so in this case it's not clear if MS Word is directly executing cmd.exe, but that's not even important, since cmd.exe should be monitored anyway. I'm also guessing it's possible to block the modification to the COMSysApp service, but if not, then it becomes difficult since it tries to run under svchost.exe, which has full system privileges.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    One example of what an attacker can do with macros:
    https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/

    -EDIT- For clarification on the above reference to "Unmanaged PowerShell," it means:
    https://www.optiv.com/blog/unmanaged-powershell-binaries-and-endpoint-protection

    -EDIT 3/22- Lest some miss this, it also appears some "Unmanaged PowerShell" techniques in conjunction with macro deployment could bypass PowerShell "Constrained Language" mode. Note that it does not protect against this type of misuse:
    https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
     
    Last edited: Mar 22, 2019
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Appears our "friends" at Cybereason just gave a recent talk on Device Guard bypassing techniques: https://www.troopers.de/troopers19/agenda/p3apwp/. Of the two techniques discussed, one was, you guessed it, malicious macro use:
     
    Last edited: Mar 22, 2019
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    I am going to wrap up my discussion on macros with the statement that assuming blocking child process startup from an Office executable is an effective mitigation against macro malware is an erroneous assumption. This is noted in an extract from a posting from one of my favorite pen-tester web sites:
    https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,397
    Location:
    The Netherlands
    The thing is, you now come up with all kind of techniques (executing PowerShell commands without ever using PowerShell.exe) that were not discussed in this topic. Fact of the matter is, that attacks on MS Office all work in a different way. Some will make winword.exe or excel.exe load a malicious child process. Others will avoid that, and will somehow load cmd.exe or powershell.exe, or directly inject code into some other process.

    That doesn't take away the fact that process monitoring and code injection monitoring are crucial. Like I said, tools like EXE Radar and OSArmor will easily block most of these attacks; you should really check them out, perhaps it will make you less afraid of these attacks. Of course, there's a difference between protecting machines on a corporate network and protecting home-user PCs, but on this forum the latter is mostly discussed.

    https://www.novirusthanks.org/products/osarmor/
     
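    The parent/child process monitoring Rasheed187 describes in posts 13 and 15, and the "unmanaged PowerShell" route itman raises in posts 19 and 21, can both be expressed as plain host-based detection rules. The following is an added example written for this thread; it is not code from the ZDNet article, from EXE Radar or OSArmor, or from any vendor mentioned here. It runs over constructed, Sysmon-style process-creation (event 1) and image-load (event 7) records; the process names flagged as risky children, the host list and every path and event value are assumptions made for the example.

```python
"""
Added example (not from the thread or any product it mentions): a small detector
for two things discussed above, run over constructed Sysmon-style events.

  1. Parent/child monitoring: cmd.exe, powershell.exe and similar hosts started
     by an Office application, or by wmiprvse.exe (the WMI launch route).
  2. "Unmanaged PowerShell": System.Management.Automation.dll loaded into a
     process that is not a PowerShell host, which never shows powershell.exe.

All event records, paths and names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List
import ntpath

# Assumed lists; a real deployment would tune these to its environment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WMI_HOST = "wmiprvse.exe"
RISKY_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
AUTOMATION_DLL = "system.management.automation.dll"


@dataclass
class Event:
    event_id: int           # 1 = process create, 7 = image load (Sysmon numbering)
    image: str              # full path of the process the event belongs to
    parent_image: str = ""  # event 1 only
    loaded_image: str = ""  # event 7 only
    command_line: str = ""  # kept for context in alerts, not used by the rules


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching is case-insensitive."""
    return ntpath.basename(path).lower()


def check_process_create(ev: Event) -> List[str]:
    """Flag risky children spawned by Office or by the WMI provider host."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if child not in RISKY_CHILDREN:
        return []
    if parent in OFFICE_HOSTS:
        return [f"office-child: {parent} -> {child}"]
    if parent == WMI_HOST:
        return [f"wmi-child: {parent} -> {child}"]
    return []


def check_image_load(ev: Event) -> List[str]:
    """Flag the PowerShell engine DLL being loaded by a non-PowerShell host."""
    host = basename(ev.image)
    if basename(ev.loaded_image) == AUTOMATION_DLL and host not in POWERSHELL_HOSTS:
        return [f"unmanaged-powershell: {AUTOMATION_DLL} loaded in {host}"]
    return []


def scan(events: List[Event]) -> List[str]:
    """Run both rules over a stream of events and return the findings in order."""
    findings: List[str] = []
    for ev in events:
        if ev.event_id == 1:
            findings.extend(check_process_create(ev))
        elif ev.event_id == 7:
            findings.extend(check_image_load(ev))
    return findings


# Constructed sample telemetry: two benign records and three that should alert.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    Event(1, r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Windows\explorer.exe"),            # user opened a prompt
    Event(7, r"C:\Users\Public\updater.exe",
          loaded_image=r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation.dll"),
    Event(7, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          loaded_image=r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation.dll"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

    The third and fifth records stay silent on purpose: a user opening a prompt from explorer.exe and powershell.exe loading its own engine are normal, so the rules key on the parent or host rather than on the child name alone. That is also why the WMI case matters: blocking by child name alone, as post 13 proposes, and matching on parent, as post 15 proposes, are different rules, and the WMI provider host as parent is the case that only the second one sees.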
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    23,744
    Ursnif: The Latest Evolution of the Most Popular Banking Malware
    April 5, 2019
    https://securityaffairs.co/wordpress/83396/breaking-news/ursnif-banking-malware.html
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    23,744
    Phishing: Watch out for this new version of trojan malware that spreads through malicious Word documents
    A new version of Ursnif is being pushed via malicious Word documents with the aim of stealing bank information and other credentials
    August 8, 2019

    https://www.zdnet.com/article/phish...hat-spreads-through-malicious-word-documents/
    Fortinet: New Ursnif Variant Spreading by Word Document
     