Summary:
The Ursnif malware campaign targets business professionals in the U.S. using a sophisticated multi-stage infection method. It begins with a malicious LNK file disguised as a PDF, which executes a series of payloads leading to the deployment of Ursnif, a banking trojan. This campaign highlights the advanced techniques employed by cybercriminals to evade detection and steal sensitive information.
#Ursnif #MaliciousCampaign #BusinessTarget
Keypoints:
Cyble Research and Intelligence Labs identified a malicious campaign likely targeting business professionals in the U.S.
The campaign uses a malicious LNK file disguised as a PDF, delivered via ZIP archives, potentially through spam emails.
The LNK file executes certutil.exe to decode and execute a malicious HTA file.
The HTA file contains VBScript that extracts and executes a lure document and a malicious DLL file.
The DLL acts as a loader, decrypting subsequent payloads and executing the Ursnif core component.
The Ursnif malware establishes a connection with a C&C server to download additional modules for stealing sensitive information.
The campaign employs advanced techniques to evade detection, including dynamic API resolution and encrypted payloads.
Recommendations include exercising caution with email attachments and implementing advanced email filtering solutions.
MITRE Techniques:
Phishing (T1566): Campaign likely reaches users through spam emails.
Command and Scripting Interpreter: Windows Command Shell (T1059.003): Executes certutil.exe to decode the next stage payloads.
Masquerading: Masquerade File Type (T1036.003): The .lnk file is named to appear as a PDF file to deceive users.
System Binary Proxy Execution: Mshta (T1218.005): Abuses mshta.exe to proxy execution of the malicious HTA file.
Deobfuscate/Decode Files or Information (T1140): certutil.exe decodes the HTA stage, and the loader DLL decrypts the subsequent payloads before executing the Ursnif core.
Application Layer Protocol: Web Protocols (T1071.001): Sends HTTP POST requests to communicate with its C&C server.
Exfiltration Over C2 Channel (T1041): System information and potentially other data are exfiltrated over the established C&C channel.
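To show how the LNK, certutil and mshta stages above can be correlated in endpoint telemetry, here is an added Python example (not code from Cyble's report); the Event schema, the regexes and the sample records are constructed assumptions, not data from the campaign.

```python
import re
from collections import namedtuple

# One process-creation record plus any file paths the EDR tied to it (files defaults to empty).
Event = namedtuple("Event", "pid ppid image cmdline files", defaults=[()])

RULES = {
    "T1036.003": re.compile(r"\.pdf\.lnk$", re.I),                     # LNK named to pass as a PDF
    "T1140": re.compile(r"certutil(\.exe)?\b.*\s[-/]decode\b", re.I),  # certutil used as a decoder
    "T1218.005": re.compile(r"mshta(\.exe)?\b.*\.hta\b", re.I),        # mshta proxying an HTA
}

def match_rules(events):
    """Return {pid: set of technique ids} for every event that trips a rule."""
    hits = {}
    for ev in events:
        texts = [f"{ev.image} {ev.cmdline}", *ev.files]
        for tid, rx in RULES.items():
            if any(rx.search(t) for t in texts):
                hits.setdefault(ev.pid, set()).add(tid)
    return hits

def lineage(pid, by_pid):
    """Set of pids on the ancestry path of `pid`, itself included."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return seen

def find_chains(events):
    """Pids of mshta events whose process tree also holds a certutil decode (ancestor or sibling)."""
    by_pid = {ev.pid: ev for ev in events}
    hits = match_rules(events)
    decoders = [p for p, t in hits.items() if "T1140" in t]
    chains = []
    for pid in (p for p, t in hits.items() if "T1218.005" in t):
        tree = lineage(pid, by_pid)
        if any(d in tree or by_pid[d].ppid in tree for d in decoders):
            chains.append(pid)
    return sorted(chains)

# Constructed sample telemetry (hypothetical, not from the report); pid 300 is an unrelated mshta launch.
SAMPLE = (
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", (r"C:\Users\alice\Downloads\Invoice.pdf.lnk",)),
    Event(200, 100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "%TEMP%\\stage.cmd"'),
    Event(210, 200, r"C:\Windows\System32\certutil.exe", r"certutil -decode %TEMP%\enc.txt %TEMP%\p.hta"),
    Event(220, 200, r"C:\Windows\System32\mshta.exe", r"mshta %TEMP%\p.hta"),
    Event(300, 100, r"C:\Windows\System32\mshta.exe", r"mshta C:\Tools\dashboard.hta"),
)
```

Individual rule hits are noisy on their own (admins do run certutil and HTAs); the chain correlation in find_chains is what raises the alert to Ursnif-like priority.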
IoC:
Full Research: https://cyble.com/blog/ursnif-trojan-hides-with-stealthy-tactics/