I frequently see indicators of malicious spam (malspam) pushing Ursnif malware. Specifically, I often find Ursnif pushed by a long-running malspam campaign that uses password-protected zip attachments containing Word documents with macros designed to infect a vulnerable Windows host. The password for the zip attachments has usually been 777. Word documents contained within those zip archives follow a specific naming convention. For example, a Word document from this campaign on December 2nd would be named info_12_02.doc.
Today’s diary reviews an Ursnif infection from this campaign that I generated in my lab environment on Monday, December 2nd.
The malspam and initial infection
Malspam from this campaign is spoofing replies to emails found on infected Windows hosts in the wild. Since these are possibly real people, I've redacted any sensitive information in the images below. As I already described, these emails contain password-protected zip archives, and these zip archives contain Word documents with macros to install Ursnif on a vulnerable Windows host. In this case, enabling macros on the Word document dropped a script file in the C:\Windows\Temp directory, and the script file retrieved the initial Windows executable (EXE) file for Ursnif.
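To show how a mail gateway filter or an analyst script could flag attachments from this campaign on the two traits described above (an encrypted zip archive whose member is a Word document named info_MM_DD.doc), here is an added Python example. It is not code from the diary: build_sample_zip constructs a fake archive for the demo (Python's zipfile cannot write encrypted archives, so the encryption bit in the general-purpose flag field is patched by hand), and the naming-convention regex is my generalization of the single info_12_02.doc name given above.

```python
import io
import re
import zipfile

# Naming convention described in the diary, generalized: info_MM_DD.doc
CAMPAIGN_DOC_NAME = re.compile(r"^info_\d{2}_\d{2}\.doc$", re.IGNORECASE)
ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose flag field


def build_sample_zip(member_name: str, encrypted: bool) -> bytes:
    """Constructed demo attachment (not a real sample).

    zipfile cannot write encrypted archives, so for the encrypted case the
    general-purpose flag bit is set by hand in both the local file header
    and the central directory record. The member content is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        # local file header: signature(4) version-needed(2) flags(2) -> +6
        lfh = data.find(b"PK\x03\x04")
        data[lfh + 6] |= ZIP_ENCRYPTED_FLAG
        # central directory header: sig(4) made-by(2) needed(2) flags(2) -> +8
        cdh = data.rfind(b"PK\x01\x02")
        data[cdh + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Inspect a zip attachment without extracting it.

    Reads only the central directory, so no password is needed. Reports
    whether any member is encrypted and whether a member name follows the
    campaign's info_MM_DD.doc convention; 'match' requires both."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"valid_zip": False, "encrypted": False, "members": [], "match": False}
    members = [info.filename for info in infos]
    encrypted = any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in infos)
    campaign_named = [m for m in members if CAMPAIGN_DOC_NAME.match(m)]
    return {
        "valid_zip": True,
        "encrypted": encrypted,
        "members": members,
        "match": encrypted and bool(campaign_named),
    }


if __name__ == "__main__":
    sample = build_sample_zip("info_12_02.doc", encrypted=True)
    print(triage_zip_attachment(sample))
```

Because the check only parses the central directory, it works on archives the gateway cannot open, which is exactly the situation a password-protected attachment creates for automated scanning.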
The infection traffic
Traffic generated by Ursnif infections follows relatively consistent patterns. During these types of Ursnif infections, we often find follow-up malware retrieved by the Ursnif-infected host. In this case, it was Dridex. The image below shows my Ursnif infection traffic filtered in Wireshark, and it highlights the URL that returned the initial Ursnif EXE.
Ursnif makes itself persistent through the Windows registry, where it copies itself before deleting the initial Ursnif EXE. Dridex persistence relies on DLL files that are called by legitimate system files copied to randomly-named directories created during the Dridex infection process, and that persistence is established through the Windows registry, a scheduled task, and a Windows shortcut in the Startup menu.
Indicators of Compromise (IoCs)
URL that retrieved initial Windows executable file for Ursnif:
- 188.120.241[.]200 port 80 – ragenommad[.]com – GET /edgron/siloft.php?l=utowen4.cab
URLs generated by initial Windows executable file for Ursnif:
- 23.202.231[.]167 port 80 – nxbpierrecjf[.]com – GET /images/[long string].avi
- 23.202.231[.]167 port 80 – spt71igina[.]com – GET /images/[long string].avi
- 109.196.164[.]8 port 80 – jyomacktom[.]top – GET /images/[long string].avi
Post-infection traffic after Ursnif has established persistence:
- 194.61.1[.]178 port 443 – m38kxy54t[.]com – HTTPS/SSL/TLS traffic generated by Ursnif
URLs generated by Ursnif-infected host to obtain follow-up malware:
- 77.93.211[.]211 port 80 – zontcentrum[.]ru – GET /wp-content/uploads/2019/11/2unovarios.rar
- 77.93.211[.]211 port 80 – zontcentrum[.]ru – GET /wp-content/uploads/2019/11/unovarios.rar
Post-infection traffic caused by Dridex:
- 5.134.119[.]57 port 443 – HTTPS/SSL/TLS traffic generated by Dridex
- 89.100.104[.]62 port 3443 – HTTPS/SSL/TLS traffic generated by Dridex
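An added example (not from the diary) that runs the indicators listed above against a few constructed proxy log lines. The log format, the refang helper and the URI regexes are my assumptions: the siloft.php?l=...cab, /images/[long string].avi and /wp-content/uploads/.../*.rar patterns are generalized from the single URLs given above, and the 40-character threshold for "long string" is a guess. Hosts and IPs come straight from the IoC list; the example.com request is a constructed benign line to show a non-match.

```python
import re


def refang(indicator: str) -> str:
    """Turn the diary's defanged notation (188.120.241[.]200, hxxp://) into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


# Indicators copied from the IoC list above, stored defanged and refanged at load time.
IOC_HOSTS = {refang(h) for h in (
    "ragenommad[.]com", "nxbpierrecjf[.]com", "spt71igina[.]com",
    "jyomacktom[.]top", "m38kxy54t[.]com", "zontcentrum[.]ru")}
IOC_IPS = {refang(i) for i in (
    "188.120.241[.]200", "23.202.231[.]167", "109.196.164[.]8", "194.61.1[.]178",
    "77.93.211[.]211", "5.134.119[.]57", "89.100.104[.]62")}

# URI shapes generalized from the listed URLs (assumption: one sample each).
URI_PATTERNS = [
    ("ursnif-initial-exe", re.compile(r"^/edgron/siloft\.php\?l=\w+\.cab$")),
    ("ursnif-avi-request", re.compile(r"^/images/[A-Za-z0-9_\-/]{40,}\.avi$")),
    ("follow-up-rar", re.compile(r"^/wp-content/uploads/\d{4}/\d{2}/\w+\.rar$")),
]

# Assumed proxy log layout: date time client dst:port host method uri
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<host>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)$")

# Constructed sample log (not captured traffic); line 3 is benign, line 5 is a TLS CONNECT.
SAMPLE_LOG = """\
2019-12-02 16:02:11 10.12.2.101 188.120.241.200:80 ragenommad.com GET /edgron/siloft.php?l=utowen4.cab
2019-12-02 16:02:40 10.12.2.101 23.202.231.167:80 nxbpierrecjf.com GET /images/QWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkwQUJDREVGR0hJSktMTU5P.avi
2019-12-02 16:03:05 10.12.2.101 93.184.216.34:80 example.com GET /images/logo.png
2019-12-02 16:04:12 10.12.2.101 77.93.211.211:80 zontcentrum.ru GET /wp-content/uploads/2019/11/unovarios.rar
2019-12-02 16:05:30 10.12.2.101 5.134.119.57:443 - CONNECT 5.134.119.57:443
"""


def scan_proxy_log(text: str) -> list:
    """Return one hit per log line that matches an IoC host, IoC IP or URI pattern."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(raw)
        if not m:
            continue  # unparseable line; a real tool would count these
        reasons = []
        if m["host"].lower() in IOC_HOSTS:
            reasons.append("ioc-host")
        if m["dst"] in IOC_IPS:
            reasons.append("ioc-ip")
        for label, pattern in URI_PATTERNS:
            if pattern.match(m["uri"]):
                reasons.append(label)
        if reasons:
            hits.append({"line": lineno, "host": m["host"], "dst": m["dst"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The URI patterns are the part worth keeping after the listed domains and IPs rotate: the initial download shape and the long-string .avi requests are more stable than the infrastructure, while the IP-only match on line 5 is what catches the Dridex TLS traffic, which carries no URI.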
Malware and artifacts
- File size: 57,450 bytes
- File name: [name redacted].zip
- File description: password-protected zip archive from malspam (password: 777)
- File size: 63,466 bytes
- File name: info_12_02.doc
- File description: Word doc with macro for Ursnif
- File size: 238,080 bytes
- File location: hxxp://ragenommad[.]com/edgron/siloft.php?l=utowen4.cab
- File location: C:\Windows\Temp\ainJ45.exe
- File description: Initial Ursnif EXE retrieved after enabling Word macro
- File size: 495,616 bytes
- File location: C:\Windows\system32\41ftQH\UxTheme.dll
- File description: Dridex DLL persistent on the infected Windows host (1 of 3)
- File size: 499,712 bytes
- File location: C:\Users\[username]\AppData\Roaming\JC85wn\MFPlat.DLL
- File description: Dridex DLL persistent on the infected Windows host (2 of 3)
- File size: 491,520 bytes
- File location: C:\Users\[username]\AppData\Roaming\L3CfQG\VERSION.dll
- File description: Dridex DLL persistent on the infected Windows host (3 of 3)
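The three Dridex DLLs above carry the names of legitimate Windows DLLs but sit in randomly-named directories next to copied system executables, which is the pattern the persistence paragraph describes. As an added example (my code, not the diary's), the following Python classifies file paths on that basis: a DLL name from the list above found outside System32 or SysWOW64 is flagged, and a six-character mixed letter-and-digit parent directory is reported as a supporting signal. The sample paths are constructed to mirror the diary's list; the random-directory heuristic and the "alice" user name are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Legitimate Windows DLL names that appear in the diary's Dridex persistence list.
SIDELOAD_DLL_NAMES = {"uxtheme.dll", "mfplat.dll", "version.dll"}
# Directories where those names are expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Heuristic (assumption): six alphanumerics with at least one digit and one letter.
RANDOM_DIR = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6}$")

# Constructed sample paths modeled on the list above plus three benign locations.
SAMPLE_PATHS = [
    r"C:\Windows\system32\41ftQH\UxTheme.dll",
    r"C:\Users\alice\AppData\Roaming\JC85wn\MFPlat.DLL",
    r"C:\Users\alice\AppData\Roaming\L3CfQG\VERSION.dll",
    r"C:\Windows\System32\UxTheme.dll",
    r"C:\Windows\SysWOW64\version.dll",
    r"C:\Program Files\Vendor App\app.dll",
]


def classify_dll_path(path: str) -> dict:
    """Describe why a DLL path does or does not look like a side-loading artifact."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    known_name = name in SIDELOAD_DLL_NAMES
    in_system_dir = parent in SYSTEM_DIRS
    random_parent = bool(RANDOM_DIR.match(p.parent.name))
    return {
        "path": path,
        "known_system_dll_name": known_name,
        "in_system_dir": in_system_dir,
        "random_parent": random_parent,
        # A well-known system DLL name anywhere but its system directory is the flag.
        "suspicious": known_name and not in_system_dir,
    }


def suspicious_dll_locations(paths) -> list:
    """Return the paths that classify_dll_path marks suspicious."""
    return [path for path in paths if classify_dll_path(path)["suspicious"]]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(classify_dll_path(path))
```

Run against a file-system inventory or EDR file-create events, the same check generalizes to any list of commonly side-loaded DLL names; the random-directory signal is kept separate because a six-character folder name on its own is far too common to act on.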
A pcap of the infection traffic and the associated malware can be found here.
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.