Traps Sniffs Out Ursnif Banking Trojan

Jun 06, 2017
4 minutes

Ursnif (a.k.a Gozi), the well-known banking Trojan, continues to target millions of users all around the world. Unit 42 recently published a breakdown of the distribution networks used to deploy banking Trojans like Ursnif, specifically targeting Japan and several European nations. With its malware analysis evasion techniques, Ursnif has proven difficult for traditional security tools to detect.

How Does It Work?

Ursnif has used two primary delivery methods: malspam and exploit kits.

Most recently, Ursnif has been using malspam – emails containing malicious attachments – to target users in Japan. The attachment contains a JavaScript downloader that downloads Ursnif from a remote site and executes it on the user’s machine. Other Ursnif malspam attacks have involved password-protected Office document attachments, a technique that minimizes detection by automated analysis tools. The body of the email contains a password to access the attachment, increasing the appearance of the email’s legitimacy. When the victim opens the attachment, his or her system is infected, communication with a command-and-control server is established, and commands from the C2 server, such as installing additional threats, are sent periodically.

Ursnif has also been delivered via RIG exploit kits. When a victim visits a compromised website, he or she is redirected to the RIG landing page, from which the exploit profiles the victim’s system to determine which attack will work best, delivers the attack to compromise the victim’s browser, and delivers the malicious payload onto the victim’s machine.

In both instances, the malicious payload can detect malware analysis tools and check for virtualization. If it determines itself to be in an analysis environment, the payload will avoid conducting malicious activity, making it challenging to detect.

Why Is It Unique?

Ursnif is a widespread, evolving threat that deploys multiple features through multiple attack vectors. Newer versions of the threat allow attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimize other machines, and communicate peer-to-peer between different Ursnif instances in the same network.

How Do You Stop It?

Palo Alto Networks Traps uses a multi-method approach to malware and exploit prevention that block threats like Ursnif, regardless of whether they are delivered via exploit kits or malspam.

Traps examines macros in Microsoft Office files as the files are opened, performing local checks to determine if the macros are malicious or not. If a macro is malicious, it is prevented from executing. If unknown, the file containing the macro is examined by local analysis via machine learning. In this process, Traps examines various file characteristics to determine if the macro is malicious or benign. Using threat intelligence available from WildFire, a machine learning model is trained to detect malware, including never-before-seen variants. Additionally, if configured to do so, Traps will automatically send the file containing the macro to WildFire for a series of checks, including static, dynamic and bare metal analysis for full hardware execution, to identify even the most evasive threats, like Ursnif.

To prevent exploits, Traps takes a unique approach, focusing on the techniques used by all exploit-based attacks, which rarely change. Traps also prevents attackers from identifying and targeting vulnerable endpoints by blocking the profiling attempts used by exploit kits with its Exploit Kit Fingerprinting Protection Exploitation Prevention Module.

By focusing on the core exploitation techniques and blocking profiling attempts used by exploits, Traps can prevent exploits as soon as they are attempted and before an endpoint can be compromised.

Learn more about Traps multi-method approach to malware and exploit prevention.

Register for Ignite ’17 Security Conference
Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.