When the source code of a piece of malware is released, attackers of every skill level, from those with little technical ability to highly proficient ones, can take it and repurpose it for their own needs. This is precisely the case with LOLSnif, a malware based on the Ursnif banking Trojan that has been heavily modified with expanded functionality and turned into a VBS malware dropper. LOLSnif has been detected as part of several attack campaigns, so a look at its inner workings is worthwhile.
As an infiltration method, LOLSnif employs phishing emails carrying an encrypted ZIP file, with the code needed to decrypt it written in the body of the email. When the victim unpacks the malicious archive, LOLSnif activates and starts the infection process. Its first action is to carry out several anti-analysis and anti-sandbox checks. The authors of LOLSnif have implemented multiple layers of functions to determine whether the malware is running in a sandbox environment. By creating a WMI instance, LOLSnif can query the local machine's cimv2 namespace and search for common sandbox characteristics. It checks the number of processor cores and the total physical memory of the machine; if there are fewer than three cores or the memory is below 1023 (the report does not state the unit), the malware terminates. It also checks for a fairly comprehensive list of analysis tools and, if any of them is found running, LOLSnif again shuts down. Further checks look for logical volumes smaller than 60GB and for three or fewer files in the /temp and /downloads folders, both typical of freshly built analysis machines. Upon detecting Russian or Chinese localization of the operating system, LOLSnif also stops its execution.
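Sandbox operators want to know whether their analysis VM would trip any of these gates before the sample does anything worth observing. The following Python script is an added example, not code from the original write-up or from LOLSnif itself: it encodes the thresholds listed above as a checklist applied to a host profile the analyst fills in (the cores, memory, disk and process values are available from the standard Win32_Processor, Win32_ComputerSystem, Win32_LogicalDisk and Win32_Process classes in root\cimv2). The HostProfile fields, the analysis_tool_*.exe process names and the two sample profiles are constructed; the write-up gives no unit for the 1023 memory figure, so megabytes are assumed, and the volume and folder checks are interpreted as "any volume under 60GB" and "each folder holding three or fewer files".

```python
from dataclasses import dataclass

# Thresholds are the ones the write-up attributes to LOLSnif. The write-up gives
# no unit for the 1023 memory figure; this example assumes megabytes.
MIN_CORES = 3
MIN_MEMORY_MB = 1023
MIN_VOLUME_GB = 60
MAX_SPARSE_FILE_COUNT = 3          # "three or fewer files" in temp/downloads aborts
BLOCKED_LANGUAGES = ("ru", "zh")   # Russian or Chinese OS localisation aborts

# The write-up calls the tool list "rather comprehensive" but does not
# reproduce it. These names are constructed placeholders: substitute the
# process names of the analysis tools actually present in your sandbox image.
ANALYSIS_TOOL_PROCESSES = frozenset({"analysis_tool_a.exe", "analysis_tool_b.exe"})


@dataclass(frozen=True)
class HostProfile:
    """Values an operator collects from a sandbox VM (for example via the
    Win32_Processor, Win32_ComputerSystem, Win32_LogicalDisk and Win32_Process
    classes in root\\cimv2). All field names are constructed for this example."""
    cores: int
    memory_mb: int
    volume_sizes_gb: tuple      # size of every logical volume, in GB
    temp_file_count: int        # files in the temp folder
    downloads_file_count: int   # files in the downloads folder
    locale: str                 # OS locale tag, e.g. "en-US"
    running_processes: tuple    # image names of running processes


def lolsnif_abort_reasons(host: HostProfile) -> list:
    """Return (check, detail) pairs for every gate that would make LOLSnif
    terminate on this host. An empty list means the sample would proceed."""
    reasons = []
    if host.cores < MIN_CORES:
        reasons.append(("cores", f"{host.cores} cores < {MIN_CORES}"))
    if host.memory_mb < MIN_MEMORY_MB:
        reasons.append(("memory", f"{host.memory_mb} MB < {MIN_MEMORY_MB} MB"))
    found = sorted(ANALYSIS_TOOL_PROCESSES.intersection(
        p.lower() for p in host.running_processes))
    if found:
        reasons.append(("tool", "analysis tool running: " + ", ".join(found)))
    small = [s for s in host.volume_sizes_gb if s < MIN_VOLUME_GB]
    if small:
        reasons.append(("volume", f"logical volume(s) under {MIN_VOLUME_GB} GB: {small}"))
    if host.temp_file_count <= MAX_SPARSE_FILE_COUNT:
        reasons.append(("temp_files", f"only {host.temp_file_count} files in temp"))
    if host.downloads_file_count <= MAX_SPARSE_FILE_COUNT:
        reasons.append(("downloads_files", f"only {host.downloads_file_count} files in downloads"))
    language = host.locale.lower().split("-")[0]
    if language in BLOCKED_LANGUAGES:
        reasons.append(("locale", f"OS localisation {host.locale} is in the abort list"))
    return reasons


def would_detonate(host: HostProfile) -> bool:
    """True when none of the gates fire, i.e. the sample would run in this VM."""
    return not lolsnif_abort_reasons(host)


# Constructed sample profiles: a stock analysis VM and one tuned to pass the gates.
STOCK_SANDBOX = HostProfile(
    cores=2, memory_mb=2048, volume_sizes_gb=(40,),
    temp_file_count=1, downloads_file_count=0, locale="en-US",
    running_processes=("explorer.exe", "analysis_tool_a.exe"))
TUNED_SANDBOX = HostProfile(
    cores=4, memory_mb=8192, volume_sizes_gb=(120,),
    temp_file_count=25, downloads_file_count=12, locale="en-US",
    running_processes=("explorer.exe",))

if __name__ == "__main__":
    for name, host in (("stock", STOCK_SANDBOX), ("tuned", TUNED_SANDBOX)):
        reasons = lolsnif_abort_reasons(host)
        print(f"{name}: {'detonates' if not reasons else 'aborts'}")
        for check, detail in reasons:
            print(f"  - {check}: {detail}")
```

Run against the stock profile, the script reports five separate reasons the sample would exit (core count, a running tool, a small volume and two sparse folders), which is the list an operator works through when tuning the image; the tuned profile produces none. Keeping each gate as its own entry matters because a detonation that silently aborts looks identical to a benign file in most sandbox reports.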
As for the file structure, LOLSnif consists of two dynamic link library (DLL) files, a loader and a payload, designed to work on x86 architectures. There are signs that the authors plan to add support for x64-based systems, but it has not been implemented yet. To interact with the Registry of the targeted machine, LOLSnif uses either native Win32 APIs or, as mentioned earlier, Windows Management Instrumentation (WMI). It also makes extensive use of COM interfaces. To get past the proxy configuration of the infiltrated network, it leverages Internet Explorer, setting it as the default browser, and contacts its Command and Control servers through it without raising alerts. LOLSnif is also capable of downloading additional modules and payloads onto the infected machine.
Security analysts have found LOLSnif to be a central component of several ongoing attacks that use three different botnets. The operators appear fairly confident in the malware's infiltration capabilities and its ability to stay under the radar, since they keep reusing IPs and domains across several campaigns. LOLSnif is a dangerous piece of malware with sophisticated obfuscation and expanded capabilities, and companies should take the necessary precautions and adopt appropriate security controls to protect their internal networks.