A new variant of the password-stealing Ursnif bank Trojan has been found in the wild delivering fileless infections while remaining undetected, according to Cisco Talos Intelligence.
In a blog post, researchers wrote that the banking Trojan employs “fileless persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop.”
Researchers received an alert containing a malicious VBA macro coming from a Microsoft Word document that asked users to enable macros. Once enabled, PowerShell is executed and then another PowerShell command downloads the Ursnif malware.
Registry data is then created for the next stage of execution in which the command executes PowerShell using Windows Management Instrumentation Command-line (WMIC). Among the APIs imported from kernel32 were GetCurrentProcess, VirtualAllocEx, GetCurrentThreadID, QueueUserAPC, OpenThread and SleepEx, according to the blog.
Though researchers identified a list of files dropped, they also noted, “Filenames are hardcoded in the first PowerShell command executed, and vary by sample. This means that these indicators aren’t necessarily malicious on their own as filenames might collide with benign ones. If found with other indicators, it’s likely a Ursnif infection.”
An extensive list of malicious documents and C2 server domains were also listed among the indicators of compromise.
“This is just the latest example of how antivirus and signature-based security tools are easily bypassed by creative hackers. There are hundreds of sophisticated hacker tools readily available that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized,” said Ray DeMeo, co-founder and COO, Virsec.
“We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure.”