The cybersecurity expert Brian Krebs: The malware has undergone a rebrand. Binary is virtually identical, and employs the same "MZ-as-alternative-entrypoint" trick.
Cybercrime targets Italian users with the Ursnif malware, disguised as Super Mario, using steganography. A spreadsheet builds a PowerShell command from individual pixels in a downloaded image.
Italian users have been attacked by the Ursnif malware, disguised as Super Mario, using steganography. The campaign was discovered by the cyber security experts of Yoroi ZLab-Cybaze. The banking trojan is spread through emails that pretend to be payment notices. They carry a malicious attachment, a spreadsheet, that builds a PowerShell command from individual pixels in a downloaded image of the famous plumber from Super Mario Bros. When executed, this command downloads and installs the payload. Moreover, the attacks target only Italian users: once the content is enabled, the macros check whether the computer is configured to use the Italy region. If not, the spreadsheet exits and nothing else happens. If so, an image of the well-known video game is downloaded, and the script then extracts various pixels to reconstruct the PowerShell command.
Cybercrime is making increasing use of steganography to launch attacks and evade detection by security programs
According to Bleeping Computer, Bromium’s cyber security researchers stated that “the above code is finding the next level of code from the blue and green channel from pixels in a small region of the image. The lower bits of each pixel are used as adjustments to these and yield minimal differences to the perceived image. Running this presents yet more heavily obfuscated PowerShell”. This command downloads the malware from a remote site, which then downloads the Ursnif banking Trojan. Steganographic cyber attacks are not new and are being used more often to avoid detection by security programs. Just recently, Malwarebytes discovered a cybercrime malvertising campaign that used this practice to install a payload hidden in advertising images.
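The Bromium description above (code recovered from the low-order bits of the green and blue channels) is what an analyst would want to check for when triaging a suspicious image. The following is an added example written for this article, not code from Yoroi, Bromium or the malware itself: it reads pixels as plain (R, G, B) tuples (no image library, so it runs offline), extracts the least significant bits of the green and blue channels in row order, packs them into bytes, and flags the image if that bit stream contains long printable-ASCII runs, which is what hidden script text looks like and what the noise in a normal photo does not. The channel order, the 20-character run threshold and the 0.7 printable-ratio threshold are assumptions for illustration, not values from the campaign; the fixture image and the marker text are constructed for the test.

```python
"""Steganography triage: look for text-like structure in the low bits of
the green/blue channels of an RGB image (added example, not the campaign's code)."""
import random
import string
from typing import Dict, List, Sequence, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), each 0..255

# Bytes treated as "text-like" when scanning the extracted bit stream.
PRINTABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}


def low_bit_stream(pixels: Sequence[Pixel], channels=(1, 2), nbits: int = 1) -> bytes:
    """Take the `nbits` least significant bits of each selected channel
    (default: green=1, blue=2) of every pixel, in row order, and pack them
    MSB-first into bytes. Trailing bits that do not fill a byte are dropped."""
    bits: List[int] = []
    for px in pixels:
        for ch in channels:
            for shift in range(nbits - 1, -1, -1):
                bits.append((px[ch] >> shift) & 1)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def printable_runs(data: bytes, min_len: int = 8) -> List[str]:
    """Return every maximal run of printable ASCII bytes of at least min_len."""
    runs: List[str] = []
    current = bytearray()
    for b in data:
        if b in PRINTABLE:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def printable_ratio(data: bytes) -> float:
    """Fraction of printable bytes; random low bits give roughly 100/256."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def triage(pixels: Sequence[Pixel], run_len: int = 20) -> Dict[str, object]:
    """Flag an image whose green/blue LSB stream carries long printable runs
    or an implausibly high printable ratio (thresholds are assumptions)."""
    stream = low_bit_stream(pixels)
    runs = printable_runs(stream, min_len=run_len)
    ratio = printable_ratio(stream)
    return {"suspicious": bool(runs) or ratio > 0.7,
            "printable_ratio": ratio, "runs": runs}


# --- constructed fixtures, only to exercise the detector -------------------

def make_noise_image(width: int = 64, height: int = 64, seed: int = 7) -> List[Pixel]:
    """Stand-in for a normal photo: pseudo-random channels, so the low bits
    carry no structure (constructed, fixed seed for reproducibility)."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


def make_fixture_image(payload: bytes, width: int = 64, height: int = 64,
                       seed: int = 7) -> List[Pixel]:
    """Test fixture: copy the noise image and overwrite the green/blue LSBs of
    the first pixels with the payload bits, mirroring the layout that
    low_bit_stream() reads, so the detector has something to find."""
    pixels = make_noise_image(width, height, seed)
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    assert len(bits) <= 2 * len(pixels), "payload larger than fixture capacity"
    for i in range(0, len(bits), 2):  # two bits per pixel: green, then blue
        r, g, b = pixels[i // 2]
        pixels[i // 2] = (r, (g & ~1) | bits[i], (b & ~1) | bits[i + 1])
    return pixels


MARKER = b"CONSTRUCTED-SAMPLE-TEXT-NOT-A-REAL-COMMAND"  # constructed marker

if __name__ == "__main__":
    for name, img in (("noise", make_noise_image()),
                      ("fixture", make_fixture_image(MARKER))):
        result = triage(img)
        print(name, result["suspicious"], round(result["printable_ratio"], 3),
              result["runs"][:1])
```

To use it on a real file, decode the image with any library into a row-ordered list of (R, G, B) tuples and pass it to triage(); raise nbits when the hidden data is suspected to sit in more than one low bit. The printable-run test is deliberately simple: it catches plain script text in the low bits, but an encoded or compressed payload would only show up through the ratio or a proper randomness test on the bit planes, so treat a negative result as one signal rather than a verdict.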
Photo Credits: Yoroi Zlab