Subject: Ursnif Trojan – Stealthy Memory Execution
Tactics: TA0011 Command and Control, TA0005 Defense Evasion, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access
Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1140 Deobfuscate/Decode Files or Information, T1041 Exfiltration Over C2 Channel, T1562.004 Impair Defenses: Disable or Modify System Firewall, T1566.001 Phishing: Spearphishing Attachment
Procedure:
T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.
T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.
T1562.004 – The malware uses PowerShell commands to disable Windows Defender.
T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.
T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.
T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.
Vulnerability:
- EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
- EAV0004 When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.
- EAV0005 When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment.
Engagement Opportunity:
Implement a multi-layered engagement strategy:
- User Education: Conduct security awareness training to educate users about phishing attacks and the dangers of opening suspicious attachments.
- Endpoint Security: Deploy endpoint detection and response (EDR) solutions to monitor for malicious behavior, such as the execution of encoded payloads and the disabling of security tools.
- Network Security: Implement network monitoring tools and intrusion detection systems (IDS) to identify and block suspicious network traffic, including C2 communication.
- Deception Technology: Deploy deception assets, such as decoy files and fake credentials, to lure attackers and gather intelligence on their TTPs.
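The Endpoint Security item above calls for EDR monitoring of encoded-payload execution and the disabling of security tools. The following is an added example (not code from the Cyble report or from any EDR product) of how that monitoring can be expressed as detection logic: three per-event rules for the stages this record describes (certutil.exe decoding a payload, cmd.exe launching the decoded binary from a temp directory, PowerShell turning off Windows Defender), plus a per-host correlation that only raises a chain alert when the stages occur in order within a time window. The telemetry is constructed inline in a Sysmon-Event-ID-1-like shape; the field names, hostnames, timestamps and sample command lines are assumptions for illustration.

```python
"""Detect the decode -> execute -> disable-Defender chain over constructed endpoint telemetry.

Added example. Event shape (host, ts, image, parent, cmdline) is an assumption
modelled on Sysmon Event ID 1 fields; none of the sample data comes from the report.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: WS-01 is benign certutil use, WS-02 reproduces the chain.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2024-01-10T09:00:01",
     "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -verify cert.cer"},
    {"host": "WS-02", "ts": "2024-01-10T09:05:12",
     "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -decode %TEMP%\\doc.txt %TEMP%\\doc.exe"},
    {"host": "WS-02", "ts": "2024-01-10T09:05:15",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c %TEMP%\\doc.exe"},
    {"host": "WS-02", "ts": "2024-01-10T09:05:40",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\doc.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
]

# Per-event rules, each keyed by the stage name it evidences.
RULES = {
    # Stage 1: certutil used as a decoder (T1140 as described in the Procedure section).
    "certutil_decode": lambda e: e["image"].lower().endswith("certutil.exe")
        and re.search(r"(?i)-decode(hex)?\b", e["cmdline"]) is not None,
    # Stage 2: cmd.exe launching an executable from a user-writable temp location.
    "cmd_runs_temp_binary": lambda e: e["image"].lower().endswith("cmd.exe")
        and re.search(r'(?i)(%temp%|\\appdata\\local\\temp\\)[^\s"]*\.exe', e["cmdline"]) is not None,
    # Stage 3: PowerShell changing a Defender preference to a -Disable* value.
    "defender_disabled_via_ps": lambda e: e["image"].lower().endswith("powershell.exe")
        and re.search(r"(?i)set-mppreference\b.*-disable\w+", e["cmdline"]) is not None,
}

# Expected order of the stages on a single host.
CHAIN = ["certutil_decode", "cmd_runs_temp_binary", "defender_disabled_via_ps"]


def tag_event(event):
    """Return the names of all rules a single event matches."""
    return [name for name, predicate in RULES.items() if predicate(event)]


def correlate_chain(events, window=timedelta(minutes=10)):
    """Per host, return the chain stages observed in order within `window` of the first stage.

    Only hosts with at least one tagged event appear in the result, so a benign
    certutil call (e.g. -verify) on an otherwise quiet host is not reported at all.
    """
    hits = {}
    for event in events:
        for tag in tag_event(event):
            hits.setdefault(event["host"], []).append((datetime.fromisoformat(event["ts"]), tag))

    result = {}
    for host, seen in hits.items():
        seen.sort()  # chronological order
        stages, start = [], None
        for ts, tag in seen:
            if len(stages) == len(CHAIN):
                break
            # Accept only the next expected stage; out-of-order hits are ignored.
            if tag == CHAIN[len(stages)]:
                if start is None:
                    start = ts
                if ts - start <= window:
                    stages.append(tag)
        result[host] = stages
    return result


def full_chain_hosts(events, window=timedelta(minutes=10)):
    """Hosts on which every stage of the chain was observed in order."""
    return sorted(host for host, stages in correlate_chain(events, window).items()
                  if stages == CHAIN)


if __name__ == "__main__":
    for host, stages in correlate_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages) or 'no stages'}")
    print("full chain on:", full_chain_hosts(SAMPLE_EVENTS))
```

The individual rules fire on single events and are useful on their own, but the correlation is what turns three medium-confidence signals into one high-confidence alert; tuning the window and requiring strict ordering are the main levers against false positives from legitimate certutil or Set-MpPreference use.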
Exploits Vulnerability: Lack of User Awareness (Users are tricked into opening malicious attachments), Lack of Security Tooling (Organizations lack the ability to detect and analyze encoded payloads and malicious behavior), Lack of System Monitoring (Failure to detect the disabling of security tools and suspicious processes), Lack of Network Monitoring (Inability to identify and block C2 communication)
Threat Actor: Financially motivated cybercriminal group likely targeting business professionals.
Threat Objective:
Steal sensitive information, such as banking credentials, credit card information, and personal data, for financial gain.
Deception Opportunity:
- Create a honeypot environment mimicking a typical business user’s workstation with realistic-looking but fake sensitive data.
- Deploy decoy banking websites that mimic legitimate banking portals to capture login credentials and track attacker activity.
- Plant misinformation within the network, such as fake financial documents or misleading network configurations, to confuse and misdirect attackers.
Sensor Data Placement: Application
Observable Level: Ephemeral Values
Scoring Rationale:
The attack involves a combination of observables at different levels, making it crucial to collect data from various sources. This allows for a more robust detection strategy that is less susceptible to evasion.
- Sensor Data Placement: Application, User-Mode, Kernel-Mode (Data collected from various sources for a comprehensive view of the attack)
- Observable Level: Ephemeral Values, Core to Adversary-Brought Tool, Core to Pre-Existing Tool, Core to Some Implementations of (Sub-)Technique, Core to Sub-Technique or Technique (Observables at different levels provide a layered defense approach)
Link to Report: https://cyble.com/blog/ursnif-trojan-hides-with-stealthy-tactics/
Link to Report II.:
Additional Comments:
The Ursnif Trojan is known for its modularity and ability to evade detection. Defenders should remain vigilant and adapt their security controls to counter this evolving threat.
Possible elements: Deceptive User Account with Canary Tokens
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
[1]: Initial Access - Phishing: Spearphishing Attachment - Deliver malicious LNK file within a ZIP archive, likely through spam emails (Core to Adversary-Brought Tool)
[2]: Defense Evasion - Deobfuscate/Decode Files or Information - Use certutil.exe to decode Base64-encoded payload (Core to Pre-Existing Tool)
[3]: Execution - Command and Scripting Interpreter: Windows Command Shell - Execute decoded payload (Core to Pre-Existing Tool)
[4]: Defense Evasion - Impair Defenses: Disable or Modify Tools: Disable or Modify System Firewall - Use PowerShell commands to disable Windows Defender (Core to Some Implementations of (Sub-)Technique)
[5]: Command and Control - Application Layer Protocol: Web Protocols - Establish connection with C2 server (Core to Sub-Technique or Technique)
[6]: Exfiltration - Exfiltration Over C2 Channel - Exfiltrate sensitive information over C2 channel (Core to Sub-Technique or Technique)
1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of Security Tooling)
3 --> 4 (Lack of System Monitoring)
4 --> 5 (Lack of Network Monitoring)
5 --> 6 (Lack of Network Monitoring)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
function Initial_Access_Phishing_Spearphishing_Attachment(target_email):
    # Craft phishing email with malicious LNK file
    # Send email to target_email
    return malicious_lnk_file
function Defense_Evasion_Deobfuscate_Decode_Files_or_Information(malicious_lnk_file):
    # Execute certutil.exe with malicious_lnk_file as input to decode Base64 payload
    return decoded_payload
function Execution_Command_and_Scripting_Interpreter_Windows_Command_Shell(decoded_payload):
    # Execute decoded_payload using cmd.exe
    return intermediate_malware
function Defense_Evasion_Impair_Defenses_Disable_or_Modify_System_Firewall(intermediate_malware):
    # Execute PowerShell commands to disable Windows Defender
    return advanced_malware
function Command_and_Control_Application_Layer_Protocol_Web_Protocols(advanced_malware):
    # Establish connection with C2 server using HTTP
    return C2_communication_channel
function Exfiltration_Exfiltration_Over_C2_Channel(C2_communication_channel):
    # Send sensitive information to C2 server over established channel
    return success