
Ursnif Trojan Evolves to Pilfer Data, Record User Activity, and Download Malware

Although it's often classified as a banking Trojan, Ursnif's capabilities extend far beyond stealing victims' usernames and passwords for banking websites. It has keylogger functionality, it can exfiltrate all sorts of sensitive information, take screenshots and record video, and it can also be used as a downloader for additional malware. All in all, Ursnif (a.k.a. Gozi) is a multi-talented piece of malware. It's also one of the veterans on the scene.

It's been around since at least 2007, and although there are no statistics on how many people it's affected, chances are, the number is huge. It's showing no signs of slowing down, either. Earlier today, Cybereason reported on a new wave of spam emails carrying Ursnif in Japan. But how can the Trojan survive for this long and still remain a properly nasty threat?


Ten Years' Worth of Updates Further Empowers Ursnif

Its success would have been impossible without the countless updates it has received over the last ten years. The threat actors have added plenty of features to make Ursnif what it is today, and they've also invested a huge amount of time and effort into making it extremely hard to detect and analyze. The latest variant, examined by researchers from Forcepoint, is a testament to this.

It comes on the back of spam emails that purportedly carry some payment information. A password-protected Word document is attached, and the password is placed in the body of the email.

Surprisingly or not, the attachment doesn't carry any macros, so a mail gateway that only looks for VBA projects will wave it through. Instead, three objects that look like further DOCX files are embedded inside the document, presented as more information on a transaction the victim has processed (or is about to process). Of course, this is just a disguise. The three "documents" are actually VBS scripts, and opening one of them downloads the malicious payload and infects the host computer with Ursnif. The whole process is a bit more complicated than you might think, though.

Once the VBS script is run, it connects to one of two hardcoded locations and downloads a DLL which is highly obfuscated and full of garbage code. The library is loaded through rundll32 (a script host spawning rundll32 with a freshly downloaded DLL is itself a useful detection signal), and once it's launched, it drops another DLL file. One of the main tasks of the second DLL is to make sure that the malware isn't being analyzed.
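The lure described above hides scripts behind embedded objects rather than macros, so a first-pass triage of the attachment has to look past the VBA check. The following Python is an added example written for this page, not code from the article or from any Ursnif analysis: it opens a DOCX as the ZIP package it is, reports whether a VBA project is present, lists the ProgIDs of OLE objects declared in word/document.xml, and scans every part under word/embeddings/ for strings typical of a VBScript dropper. A DOCX built in memory by build_sample_docx() stands in for the real attachment; its three embedded "documents" are constructed VBS-looking stubs, and the exact internal layout of the real lure is not published. The substring scan works on embedded files because an OLE Package object keeps the attached file's raw bytes inside the part.

```python
import io
import re
import zipfile

# Strings that mark an "attached document" as a script rather than a DOCX.
# A Package object stores the embedded file's raw bytes in its Ole10Native
# stream, so a substring search over the part works without parsing OLE.
SCRIPT_MARKERS = (b"CreateObject(", b"WScript.Shell", b"MSXML2.XMLHTTP", b"ADODB.Stream")

# <o:OLEObject Type="Embed" ProgID="Package" .../> as Word writes it in document.xml
OLEOBJECT_RE = re.compile(r'<o:OLEObject\b[^>]*?\bProgID="([^"]*)"')


def triage_docx(data: bytes) -> dict:
    """Summarise a DOCX: macro presence, declared OLE objects, embedded parts."""
    result = {"has_macros": False, "progids": [], "embedded": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
            result["progids"] = OLEOBJECT_RE.findall(xml)
        for name in names:
            if name.startswith("word/embeddings/"):
                blob = z.read(name)
                hits = [m.decode() for m in SCRIPT_MARKERS if m in blob]
                result["embedded"].append({"part": name, "size": len(blob), "markers": hits})
    # No macros but script-like embedded objects is exactly the lure in the article.
    result["suspicious"] = any(e["markers"] for e in result["embedded"])
    return result


def build_sample_docx(payloads=None) -> bytes:
    """Constructed test DOCX (not a real Ursnif lure): one Package object per payload."""
    if payloads is None:  # three embedded "documents" that are really VBS stubs
        payloads = [b'Set sh = CreateObject("WScript.Shell")\r\n' for _ in range(3)]
    objects = "".join(
        f'<w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
        f'ObjectID="_{i}" r:id="rId{i}"/></w:object></w:r>'
        for i, _ in enumerate(payloads, 1))
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f'<w:body><w:p>{objects}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
        for i, payload in enumerate(payloads, 1):
            z.writestr(f"word/embeddings/oleObject{i}.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

The marker list is deliberately short and will miss obfuscated scripts; the point is that the decision key is "macro-free document with ProgID=Package objects", which the triage surfaces even when no marker fires, so an analyst can route those attachments to a sandbox rather than trusting the absence of vbaProject.bin.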

What's Old is New Again

In the past, Ursnif has used a variety of anti-analysis mechanisms. Last year, for example, researchers saw the payload embedded inside a picture of a kangaroo (the campaign, rather fittingly, was aimed at Australian users). They've also seen the Trojan sit idle before the execution starts in order to avoid sandbox environments and automated analysis tools. Last year, Ursnif was even counting the running processes on the host and bailing out when there were fewer than 50. The idea behind this is that a physical PC in daily use will almost always have at least that many processes running, while an analysis virtual machine is typically stripped down to a minimal set of tasks. As you can see, Ursnif's authors have come up with some pretty clever anti-analysis techniques. With the latest version, however, they have really outdone themselves.

When the second DLL is loaded, it monitors the movement of the mouse. With this, believe it or not, the malware tries to avoid analysis.

The logic behind it is that when researchers put the sample in a virtual machine and try to analyze it, they are likely to simply leave the mouse alone and wait for something to happen. By contrast, an unsuspecting victim will most probably continue about his/her day.

If the mouse is moving, Ursnif calculates the delta between the last and the current cursor position (the difference in the x and y coordinates) and feeds it into an extremely complicated mechanism which determines the sample's decryption key. The key decrypts the code and enables the extraction of a third DLL, which is injected into the explorer.exe process. This malicious library is responsible for the information-stealing operation. If the delta is 0 (i.e. if the mouse isn't moving and the malware concludes that it's been placed in a virtual machine for analysis), the third DLL will not be extracted, and the infection will stop. Because the key depends on runtime input rather than on a constant stored in the binary, the third stage cannot simply be carved out of the second DLL with a static unpacker; an analyst has to either supply mouse movement or reproduce the derivation.
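To make the gate concrete from both sides, here is an added simulation written for this page; it is not code from the article, from Forcepoint's analysis, or from the malware. The article does not publish the key schedule, so derive_key() is an assumed stand-in: it returns no key when the delta is 0 and otherwise unlocks a fixed key, which is enough to exercise the bailout without claiming anything about the real derivation. ENCRYPTED_STAGE3 is a constructed placeholder blob, not a sample. The second half shows what a sandbox agent needs: a scripted cursor trace in which every consecutive pair of samples has a nonzero delta, so the check passes whenever the sample happens to fire it.

```python
import hashlib
import random

# Constructed stand-ins; no real sample data is used anywhere in this file.
SEED = b"stage2-hardcoded-seed"
STAGE3_PLAINTEXT = b"STAGE3:info-stealer-placeholder"


def cursor_delta(last, current):
    """|dx| + |dy| between two cursor samples; 0 means the pointer has not moved."""
    return abs(current[0] - last[0]) + abs(current[1] - last[1])


def derive_key(delta):
    """Assumed stand-in for the undisclosed schedule: no movement, no key.
    The article only says the delta feeds a complex derivation; here any
    nonzero delta unlocks one fixed key so the gate itself can be exercised."""
    if delta == 0:
        return None
    return hashlib.sha256(SEED).digest()


def _keystream(key, length):
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "little")).digest()
        block += 1
    return out[:length]


def xor_with_key(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# What the second DLL carries: the third stage encrypted under the gated key.
ENCRYPTED_STAGE3 = xor_with_key(STAGE3_PLAINTEXT, hashlib.sha256(SEED).digest())


def unlock_stage3(last, current):
    """Mimics the gate: the decrypted stage, or None when the cursor is idle."""
    key = derive_key(cursor_delta(last, current))
    if key is None:
        return None  # infection stops; nothing is injected into explorer.exe
    return xor_with_key(ENCRYPTED_STAGE3, key)


# Sandbox side: a scripted pointer trace that an analysis agent could replay.
def synthetic_cursor_trace(steps, seed=0, screen=(1920, 1080)):
    """Random walk from screen centre; every tick moves at least one pixel."""
    rng = random.Random(seed)
    x, y = screen[0] // 2, screen[1] // 2
    trace = [(x, y)]
    for _ in range(steps):
        dx, dy = rng.randint(-12, 12), rng.randint(-12, 12)
        if dx == 0 and dy == 0:
            dx = rng.choice((-1, 1))
        nx = min(max(x + dx, 0), screen[0] - 1)
        ny = min(max(y + dy, 0), screen[1] - 1)
        if (nx, ny) == (x, y):  # pinned at a screen edge: step back inward
            nx += 1 if nx == 0 else -1
        x, y = nx, ny
        trace.append((x, y))
    return trace


def trace_survives_check(trace):
    """True when the sample's delta check passes no matter when it fires."""
    return all(cursor_delta(a, b) != 0 for a, b in zip(trace, trace[1:]))


if __name__ == "__main__":
    print("idle VM  :", unlock_stage3((400, 300), (400, 300)))
    print("moving   :", unlock_stage3((400, 300), (403, 298)))
    print("trace ok :", trace_survives_check(synthetic_cursor_trace(200, seed=7)))
```

The sandbox trace is the practical takeaway: an environment that leaves the pointer parked between snapshots fails this gate silently and reports a clean run, whereas a replayed trace with continuous small movements lets the third stage decrypt so that its injection and exfiltration behaviour can actually be observed.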

So, by monitoring what the user does with the mouse, Ursnif not only avoids the security specialists but also obtains the key it needs to achieve its ultimate goal – stealing information from victims. It's innovation like this that has turned the Ursnif Trojan into one of the most formidable threats of the last decade. Unfortunately, it's unlikely to stop here.
