Blog Tricks and COMfoolery: How Ursnif Evades Detection

Bromium Ursnif Evades Detection Blog Image

March 7, 2019 Category: Breaking News, Threats By: Alex Holland Comments: 0

Tricks and COMfoolery: How Ursnif Evades Detection

  • Ursnif is one of the main threats that is effectively evading detection right now (at publication)
  • The dropper uses a COM technique to hide its process parentage
  • WMI is used to bypass a Windows Defender attack surface reduction rule
  • Fast evolution of delivery servers means detection tools are left in the dark

In February we saw a resurgence of Ursnif (also known as Gozi), a credential-stealing Trojan that was first uncovered in 2007 and has been active ever since. Alongside Emotet, this threat is one of the most pervasive and effective malware families currently being delivered through malicious spam campaigns.

The recent campaign we observed used a standard multi-stage malware delivery mechanism, consisting of a phishing email delivering a Microsoft Word dropper containing a VBA AutoOpen macro inside a password-protected zip file. When opened, the document downloads the Ursnif executable from a remote server using PowerShell WebClient.DownloadFile, WebClient.DownloadString or WebClient.DownloadData methods. Unlike many run-of-the-mill malicious spam campaigns, what’s interesting is how Ursnif’s operators link different techniques together to effectively socially engineer targets, evade perimeter detection and bypass one of Windows Defender’s attack surface reduction rules.

Ursnif infection chain Bromium blog

Ursnif infection chain

Effective Social Engineering

Ursnif’s operators commonly tailor the phishing lure used against targets to make the email appear more authentic. In this campaign, this was done by basing attachment names and the message body on businesses in the same or related industries, or those that are geographically close to the target. In one of the samples we analysed, the target was a manufacturer of a niche product. The zip attachment was named after a similar manufacturer in the same industry and the Word dropper containing the malicious macro was named ‘Request4.doc’, presumably to trick the target into thinking that it was a legitimate purchase order.

In addition to targeted lures, Ursnif campaigns often rely on exploiting the existing trust relationship between a compromised email account and the target. Instead of an unsolicited message, the target is commonly sent a phishing email from a compromised email account as a reply to an existing conversation between the sender and the target. The curiosity of receiving an unexpected attachment from a sender that is already known to the target might just be enough to entice a user into opening the attachment.

Attack Infrastructure

Ursnif has a fast-changing delivery and command and control (C2) infrastructure. Our research found that the average time from the registration of a domain used to host Ursnif executables to when a user first runs the corresponding Word dropper is less than 12 hours. The speed at which Ursnif’s operators can change its infrastructure gives web proxies and other perimeter security controls that rely on a traditional detection-based techniques little time to block the download of the malware. In one example, only one domain reputation service had classified the Ursnif delivery domain as malicious at the time when the Word dropper was run.

Blacklist report of an Ursnif delivery domain Bromium blog

Blacklist report of an Ursnif delivery domain

Encrypted Zip Attachment

The dropper is delivered inside a password-protected zip file, with the password in the email message body. The delivery of malware using this method is an old but effective technique for bypassing perimeter detection by malware scanners at the target’s email gateway. While some organisations will block inbound email containing password-protected zip files as a matter of policy, many will not do so because they are often used for legitimate reasons.

Bypassing an Attack Surface Reduction Rule

The dropper we identified in this campaign contains an obfuscated VBA AutoOpen macro, which runs each time the document is opened. The document uses the common trick of requesting the user to enable macros, if they are not already enabled.

Obfuscated VBA macro, partially showing the AutoOpen function and PowerShell command

Obfuscated VBA macro, partially showing the AutoOpen function and PowerShell command

The macro runs a Base64 encoded PowerShell command using the Win32_Process and Win32_ProcessStartup WMI classes. The resulting PowerShell instance is run as a child process of WmiPrvSe.exe (WMI Provider Host). This benefits the adversary by defeating detection techniques that rely on parent-child process relationships because the parent process ID of the Ursnif executable will be the process ID of WmiPrvSe.exe, instead of winword.exe. In our testing on Windows 10 Enterprise 1809, we found that this technique is effective at bypassing the Windows Defender attack surface reduction rule that blocks Office applications from creating child processes. In some of the samples, this was used in conjunction with a COM technique that also spoofed the parent process ID of the Ursnif process.

It is worth noting, however, that if