Installation
This malware can be dropped by other malware or can be downloaded when a user visits a compromised or malicious website.
Malware in this family can run from a PDF, MSI, or EXE file saved as <system folder>\temp\<random file name>.
It can run a copy of itself and then runs a batch file which deletes the original executable.
Variants can create the following files on your PC:
- %windir%\system32\<random file name>.exe, for example %windir%\system32\wsauth.exe
When the copy in the Windows directory is run, it drops and installs the driver <system folder>\new_drv.sys. This component is used to provide stealth capabilities.
This malware is capable of downloading other malware and installing it as an autostart application in the following location: <Windows temporary folder>\<random number>.exe.
Malware in this family can modify the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ttool"
With data: "<system folder>\9129837.exe"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<randomly generated service name>
Sets value: "Windows Software Protection"
With data: "%windir%\system32\<random file name>.exe -s", for example "%windir%\system32\wsauth.exe -s"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Software Protection"
With data: "%APPDATA%\<random folder name>\<random file name>.exe", for example "%APPDATA%\faxpinst\blasstub.exe"
In subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ttool" or "avicvfat"
With data: <Windows temporary folder>\<random number>.exe
Spreads through...
Virus variants can spread to connected network and removable drives by injecting code into the following processes:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe
- opera.exe
- safari.exe
- services.exe
The injected code is responsible for infecting files on connected network and removable drives, such as USB flash drives. It searches for and infects the following file types:
The virus can also drop a copy of itself on these drives, with the file name temp.exe.
Payload
Runs backdoor commands
Once an attacker has successfully gained control of the system, they can send commands to perform the following actions:
- Capture screenshots
- Steal cookies
- Clear cookies
- Steal certificates
- Reboot the machine
- Start a SOCKS proxy
- Upload a log file that contains user information
- Get a list of active running processes
- Terminate a process
- Download and install a new executable
Collects information about your PC
The virus variant collects information about your PC, including:
- Installed drivers
- Installed programs
- Running services
- System information
It does this by running the following commands:
- driverquery.exe
- reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s
- systeminfo.exe
- tasklist /SVC
We have seen it send the collected information to the following domains:
- <random domain>/pki/mscorp/crl/MSIT%20Machine%20Auth%20CA%202(1).crl
- <random domain>/pki/mscorp/crl/msitwww2.crl
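The four reconnaissance commands above are a usable detection signal on their own. The following is an added example (not part of the original write-up) of that logic run over constructed process-creation records; the record shape (Parent, ProcessId, CommandLine) and the three-of-four threshold are assumptions, and the explorer.exe parent reflects the injection targets listed under "Spreads through".

```powershell
# Added example: flag a parent process that runs the recon commands this page lists
# (driverquery, reg query ...\Uninstall /s, systeminfo, tasklist /SVC).
# The records below are constructed stand-ins for process-creation events
# (Security 4688 or Sysmon event 1); the field names are an assumption.
$events = @(
  [pscustomobject]@{ Parent='explorer.exe'; ProcessId=4120; CommandLine='driverquery.exe' },
  [pscustomobject]@{ Parent='explorer.exe'; ProcessId=4120; CommandLine='reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s' },
  [pscustomobject]@{ Parent='explorer.exe'; ProcessId=4120; CommandLine='systeminfo.exe' },
  [pscustomobject]@{ Parent='explorer.exe'; ProcessId=4120; CommandLine='tasklist /SVC' },
  [pscustomobject]@{ Parent='cmd.exe';      ProcessId=7788; CommandLine='systeminfo.exe' }  # lone admin one-off, not flagged
)

# One regex per command named on the page. Single-quoted strings keep the
# regex backslash escapes intact.
$patterns = @{
  driverquery = '^driverquery(\.exe)?\b'
  uninstall   = '^reg(\.exe)?\s+query\s+"?HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"?\s+/s'
  systeminfo  = '^systeminfo(\.exe)?\b'
  tasklistsvc = '^tasklist(\.exe)?\s+/SVC\b'
}

# Group matches by the launching parent (image + pid) so that each command
# counts once per parent, regardless of how many times it was run.
$hits = @{}
foreach ($e in $events) {
  foreach ($name in $patterns.Keys) {
    if ($e.CommandLine -imatch $patterns[$name]) {
      $k = "$($e.Parent):$($e.ProcessId)"
      if (-not $hits.ContainsKey($k)) { $hits[$k] = @{} }
      $hits[$k][$name] = $true
    }
  }
}

# Alert when a single parent ran at least three of the four commands (assumed threshold).
foreach ($k in $hits.Keys) {
  $seen = @($hits[$k].Keys)
  if ($seen.Count -ge 3) {
    "ALERT $k ran $($seen.Count) of 4 recon commands from this write-up: $($seen -join ', ')"
  }
}
```

With the constructed records only explorer.exe:4120 is reported; the single systeminfo.exe from cmd.exe stays below the threshold.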
Steals sensitive information
The trojan variant attempts to steal sensitive data both in transit and in storage, and targets the following:
- Clear text passwords in transit: The trojan attempts to steal clear text passwords transmitted over the network. It listens to all network traffic on every interface on a given machine, checking whether it contains strings from common protocols that transmit passwords in clear text, for example FTP, POP3, IMAP and TELNET. If found, the stolen data is posted to a remote location.
- Protected storage: The trojan attempts to steal passwords and credentials that are stored using protected storage.
- Certificate store: Ursnif attempts to steal certificates and private keys from the certificate store.
- Running processes: Ursnif variants inject code into running processes that patches the following APIs to redirect to its own code:
It does this to inspect and steal any relevant information passed to these APIs and to inject its own code into any newly created process. The stolen information is then posted to a remote site.
We've seen it connect to the following remote domains:
- 3rdpart2.ru
- invasionusurp.co.cc
- legislationname.co.cc
- necessaryprote.co.cc
- newlinecinema130.ru
Opens SOCKS proxy
The trojan sets up a SOCKS proxy on a random port. Proxy servers can be used by malicious hackers to hide the origin of malicious activity. The port information is posted to a remote host.
Update functionality
Ursnif variants allow unauthorized access to an affected machine. The trojan variant connects to a remote host with the trojan version information. If a newer version of the trojan is available from the remote host, it removes any currently running versions of the trojan before installing an updated version of itself.
Provides stealth
Variants of Win32/Ursnif drop a driver <system folder>\new_drv.sys that is used to provide stealth to mask the files, registry entries, and processes used by the trojan.
Stops services
The trojan stops the following services in an attempt to disable the firewall and other security-related services:
Disables Internet Explorer settings
This malware disables the "Protected mode is currently turned off for the Internet zone" message in Internet Explorer by setting the following registry keys:
In subkey: HKCR\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: 1
In subkey: HKCR\Software\Microsoft\Internet Explorer\Main
Sets value: "TabProcGrowth"
With data: 0
It also disables the "Protected mode" of Internet Explorer by setting the following registry key:
In subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: 3
Additional information
Win32/Ursnif stores configuration data under the following registry entry:
Creates the following mutexes:
- f2783f40-a99f-ea72-7429-e86dc6435a27
- 35f3554a-c421-0f0c-1efb-325f00e534e9
- 312c2f58-6ad7-0a4a-0c21-00e51efb325f
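A read-only host triage script, added here as an example and not part of the original write-up, that checks for the indicators this page names: the Run and service persistence values under Installation, the Internet Explorer settings under "Disables Internet Explorer settings", the new_drv.sys driver, and the mutexes listed above. It assumes the per-user keys live under HKCU (the page writes some of them as HKCR) and that "<system folder>" is %SystemRoot%\system32; it reports findings and changes nothing.

```powershell
# Added example: read-only triage for the Win32/Ursnif indicators listed on this page.
# Run in an elevated PowerShell so that HKLM\SYSTEM\CurrentControlSet\Services is readable.
$findings = @()

# Registry value names from the write-up. The page lists some keys as HKCR; per-user
# Run and Internet Explorer settings live under HKCU, which is what is checked here (assumption).
$checks = @(
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';          Names=@('ttool','avicvfat','Windows Software Protection') },
  @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Main';              Names=@('NoProtectedModeBanner','TabProcGrowth') },
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'; Names=@('2500') }
)
foreach ($c in $checks) {
  if (Test-Path $c.Key) {
    $props = Get-ItemProperty -Path $c.Key
    foreach ($n in $c.Names) {
      if ($null -ne $props.$n) { $findings += "registry: $($c.Key)\$n = $($props.$n)" }
    }
  }
}

# Service persistence: a randomly named service whose binary is <system32>\<name>.exe -s
# or whose display name is "Windows Software Protection". Both dash forms are accepted
# because the page renders the switch with an en dash.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
  $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
  if (($p.ImagePath -match '\\system32\\[^\\]+\.exe"?\s+[-\u2013]s\s*$') -or
      ($p.DisplayName -eq 'Windows Software Protection')) {
    $findings += "service: $($_.PSChildName) ImagePath = $($p.ImagePath)"
  }
}

# Stealth driver dropped into the system folder.
$drv = Join-Path $env:SystemRoot 'system32\new_drv.sys'
if (Test-Path $drv) { $findings += "file: $drv present" }

# Mutex names from the write-up. OpenExisting succeeds (or is denied) only when the
# mutex is currently held by some process; "not found" is the clean case.
$mutexes = @('f2783f40-a99f-ea72-7429-e86dc6435a27','35f3554a-c421-0f0c-1efb-325f00e534e9','312c2f58-6ad7-0a4a-0c21-00e51efb325f')
foreach ($m in $mutexes) {
  foreach ($name in @($m, "Global\$m")) {
    try { $mx = [System.Threading.Mutex]::OpenExisting($name); $mx.Dispose(); $findings += "mutex: $name is held" }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { }
    catch [System.UnauthorizedAccessException] { $findings += "mutex: $name exists (access denied)" }
  }
}

if ($findings.Count -eq 0) { 'No Win32/Ursnif indicators from this write-up found.' } else { $findings }
```

A hit on any line is a reason to pull the host for full analysis; the absence of hits only means these specific, variant-dependent names are not present.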
Analysis by Ray Roberts and Ferdinand Plazo