by Aaron Mulgrew | Blog

Today, 1st December 2019, Deep Secure researchers identified a new variant of the Ursnif Trojan that uses a corrupted Word document, white text and multiple layers of obfuscation to conceal itself. Deep Secure Senior Researcher Aaron Mulgrew reports.

Deep Secure has discovered a new variant of the Ursnif Trojan which focuses on stealing information from a user’s workstation. This variant is heavily obfuscated, using a combination of a corrupt file format, white text and macros to avoid detection.

Corrupted Word Document

The file is ostensibly a Word document, but on opening it Word displays the following dialog indicating that the file is corrupted:

Corrupted Word document notification

Opening the file in Notepad reveals that it contains fragments of an email message, which are likely what is making the file unparseable:

Word document opened in a text editor

When these fragments are removed the file is still identified as corrupt, but Word is now able to recover it. A document that Word's own parser rejects is also likely to be rejected or mis-parsed by the file parsers that detection-based defences such as anti-virus and sandboxing rely on, so a detection tool may never look inside it at all. This suggests that the attackers could be using deliberately corrupted Word documents to conceal their intent while relying on Word's recovery logic to rebuild the document for the victim.
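The recovery step described above can be automated for triage: a sample that does not begin with a recognised Word signature is scanned for the first OLE2 or ZIP header, the bytes ahead of it are reported as junk, and the document proper is carved out for a parser. This is an added example, not Deep Secure's tooling; the sample bytes are constructed (the page does not say which Word container the campaign used, so both the legacy OLE2 and the OOXML ZIP signatures are handled), and the email-header heuristic is an assumption for illustration.

```python
"""Carve a Word document out from behind leading junk such as email-message
fragments. Added example, not Deep Secure's tooling; sample input is constructed."""
import re

# Signatures a Word document can start with: OLE2 compound file (.doc) and
# ZIP container (.docx/.docm). Both are well-known, fixed magic values.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"PK\x03\x04": "zip/ooxml",
}

# Assumed heuristic: email header lines in the junk prefix.
MIME_HEADER = re.compile(rb"^(From|To|Subject|Content-Type|MIME-Version):", re.M)


def find_document(data: bytes):
    """Return (offset, kind) of the earliest known signature, or None."""
    best = None
    for magic, kind in SIGNATURES.items():
        off = data.find(magic)
        if off != -1 and (best is None or off < best[0]):
            best = (off, kind)
    return best


def carve_document(data: bytes):
    """Split a sample into (junk_prefix, document_bytes, kind).

    Raises ValueError when no signature is present. A zero-length prefix means
    the file was not corrupted in this way."""
    hit = find_document(data)
    if hit is None:
        raise ValueError("no OLE2 or ZIP signature found")
    off, kind = hit
    return data[:off], data[off:], kind


def looks_like_email_fragment(prefix: bytes) -> bool:
    """Does the junk ahead of the document contain email header lines?"""
    return bool(MIME_HEADER.search(prefix))


# Constructed sample: email headers glued to the front of an OLE2 header
# (8 signature bytes followed by 24 bytes of padding).
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: invoice\r\n"
    b"Content-Type: application/msword\r\n\r\n"
    + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
)

if __name__ == "__main__":
    junk, doc, kind = carve_document(SAMPLE)
    print(f"{kind} document at offset {len(junk)}; "
          f"email fragment ahead of it: {looks_like_email_fragment(junk)}")
```

The carved bytes can then be handed to a static parser (for example one that enumerates VBA streams), which is exactly the step the corruption appears designed to prevent.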

Macro Code

Once recovered, Word prompts the user to enable macros.

Word document on opening

This is the macro code embedded inside the Word document. 

Macro code embedded inside the Word document

The macro calls PowerShell with a JSE file that it has written to disk. Unusually, this does not happen when the document is opened: the code runs only when the document is closed, perhaps to evade sandboxes that open a document, observe it for a fixed time and never close it.

Document prompt where the payload is dropped onto the disk

The JSE file is created by copying the content of the document body to a file in the user's appdata\word folder. The copied content is white text, invisible against the page. Changing the text colour to red reveals the obfuscated JScript code below:

Word document with white text shown as red text for visibility
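The white-text trick can be checked for mechanically rather than by recolouring the page: in an OOXML document every text run carries its colour in word/document.xml, so runs whose explicit colour matches the page background can be listed for review. The page does not say whether this sample is a legacy .doc or an OOXML .docx/.docm, so the following added example (not Deep Secure's tooling) assumes OOXML and builds a minimal constructed document in memory; the JScript-looking fragment in it is placeholder text, not the real payload.

```python
"""List text runs whose font colour equals the page background (white by
default) in an OOXML Word document. Added example, not Deep Secure's tooling;
the document is constructed in memory and assumes OOXML (.docx/.docm)."""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}


def hidden_text_runs(docx_bytes: bytes, background: str = "FFFFFF"):
    """Return the text of every <w:r> run whose explicit <w:color> equals
    `background`. Runs without an explicit colour are ignored, so this is a
    triage heuristic rather than proof of concealment."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    found = []
    for run in root.iter(f"{{{W_NS}}}r"):
        colour = run.find("w:rPr/w:color", NS)
        if colour is None:
            continue
        if colour.get(f"{{{W_NS}}}val", "").upper() == background.upper():
            text = "".join(t.text or "" for t in run.iter(f"{{{W_NS}}}t"))
            if text.strip():
                found.append(text)
    return found


# Constructed minimal document: one visible lure paragraph and one white run
# carrying a placeholder script fragment.
_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:r><w:t>Please enable content to view this invoice.</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>
<w:t>var a=['x','y'];</w:t></w:r></w:p>
</w:body></w:document>"""


def build_sample_docx() -> bytes:
    """Zip the constructed document.xml into a minimal OOXML container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types"/>',
        )
        z.writestr("word/document.xml", _DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for run in hidden_text_runs(build_sample_docx()):
        print("white run:", run)
```

A real sample will also need the page or shading colour checked (white text on a white shaded paragraph, or a theme colour rather than a literal value), so treat an empty result as inconclusive rather than clean.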

Using Sysmon, we can confirm that the file was written to disk and then executed by PowerShell:

Sysmon PowerShell notification
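The Sysmon evidence above can be turned into a detection by correlating two event types: a FileCreate (Event ID 11) in which an Office process writes a script file under the user's AppData, followed by a ProcessCreate (Event ID 1) in which that Office process launches a script host whose command line names the dropped file. This is an added example, not Deep Secure's detection content: the field names are the real Sysmon ones, but the events, the file name update.jse and the paths are constructed, and the lists of Office applications and script hosts are assumptions that a deployment would tune.

```python
"""Correlate Sysmon events to flag an Office dropper chain: Word writes a
script file under AppData, then spawns PowerShell to run it. Added example,
not Deep Secure's detection content; events are constructed and reduced to
the Sysmon fields the logic needs (EventID 11: Image, TargetFilename;
EventID 1: Image, ParentImage, CommandLine)."""
import ntpath

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")            # assumed list
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe",          # assumed list
                "cscript.exe", "cmd.exe")
SCRIPT_EXTS = (".jse", ".js", ".vbs", ".vbe", ".wsf", ".hta")


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path or "").lower()


def detect_office_dropper(events):
    """Scan events in order and return a list of alert dicts.

    office-writes-script       an Office process creates a script file under AppData
    office-spawns-script-host  an Office process launches a script host
    office-dropper-chain       the launched host's command line names a file that
                               Office itself dropped earlier in the stream
    """
    dropped = {}   # lower-cased file name -> full path written by Office
    alerts = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 11 and _base(ev.get("Image")) in OFFICE_APPS:
            target = ev.get("TargetFilename", "")
            low = target.lower()
            if low.endswith(SCRIPT_EXTS) and "\\appdata\\" in low:
                dropped[_base(target)] = target
                alerts.append({"rule": "office-writes-script", "event": idx, "file": target})
        elif (eid == 1 and _base(ev.get("Image")) in SCRIPT_HOSTS
              and _base(ev.get("ParentImage")) in OFFICE_APPS):
            cmd = ev.get("CommandLine", "").lower()
            linked = [path for name, path in dropped.items() if name in cmd]
            alerts.append({
                "rule": "office-dropper-chain" if linked else "office-spawns-script-host",
                "event": idx,
                "file": linked[0] if linked else None,
            })
    return alerts


# Constructed events: Word drops a .jse, Word spawns PowerShell on it, and an
# unrelated Notepad launch that must not fire.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": WORD,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\update.jse"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": WORD,
     "CommandLine": r'powershell.exe -w hidden "C:\Users\alice\AppData\Roaming\Microsoft\Word\update.jse"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect_office_dropper(SAMPLE_EVENTS):
        print(alert)
```

Because the macro fires on document close rather than open, the two events can be separated by the whole time the document sits open, so the correlation state should be keyed per process and kept for at least a working day rather than a short window.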

Obfuscated Dropper File

The JScript dropper file is very heavily obfuscated.

Obfuscated JScript dropper file

Deep Secure believes the tool the attackers used to obfuscate the code has evolved over many months, with multiple developers maintaining it, as there are clear variations in obfuscation patterns along with comment lines written in both fluent and broken English.

By partially de-obfuscating the code, Deep Secure researchers were able to identify the C2 server as 185.130.104.187. This IP address has been linked to previous Ursnif campaigns.

Remediation

Customers of Deep Secure Content Threat Removal are automatically protected from this trojan. Deep Secure’s unique approach to content transformation ensures that business content crossing the security boundary is rendered totally threat-free without the need to try and detect the presence of a threat. The malicious code is simply discarded during transformation.
