New Ursnif Bank Trojan Uses Fileless Infection To Steal Passwords & Remain Undetected

isBuzz, Information Security and Security Week, January 28, 2019, with comments by Ray DeMeo

Fileless Ursnif Trojan hits unsuspecting banks

A new Trojan variant called Ursnif is hitting banks, sneaking in under the radar and stealing users’ passwords and credentials. Researches wrote in a blog post that the Trojan uses a "fileless persistence, which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic.”

Attack starts with user-downloaded VBA macro, unfolds in stages

The researchers evaluated a malicious VBA macro (Visual Basic for Applications macro) that they received in the form of an alert. The alert contained a Microsoft Word doc with an image that asks users to enable macros with the malicious macro inside. Once activated, the macro executes PowerShell commands, prompted the download of the actual Ursnif malware.

The attack unfolds in stages. The macro contains a line of code to access the AlternativeText property of the Shapes object “j6h1cf,” a base64-encoded PowerShell command to “download Ursnif from its command and control (C&C) server and to execute it.” Registry data is created, and additional and PowerShell commands execute, one leveraging the Windows Management Instruction Command Line (WMIC) which uses PowerShell to extract the value of APHohema key, a hexadecimal-encoded PowerShell command.

In addition to its fileless execution techniques, the Ursnif Trojan uses CAB (Microsoft cabinet) files to create a compressed archive of the harvested data before extracting it. This has made it even more difficult to stop.

Fileless malware attacks take traditional security systems by surprise

A critical point is the fileless nature of this attack. Traditional security systems are completely ineffective at detecting fileless attacks, allowing them to easily get by defenses.

The Trojan has been around for years but this particular Ursnif attack is a popular new variant intent on accessing user credentials, infecting these banks stealing sensitive information.

"This is just the latest example of how antivirus and signature-based security tools are easily bypassed by creative hackers. There are hundreds of sophisticated hacker tools readily available that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized,” said Ray DeMeo, co-founder and COO, Virsec.

“We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure."

Read full isBuzz New Ursnif Bank Trojan Using Fileless Infection To Steal Pws article.

Read full InfoSecurity Fileless Infection Steals Creds with Bank Trojan article.

Read full Security Week Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration article.