Malwarebytes cybersecurity experts: The malware campaign exploits Google searches on AnyDesk with a decoy site and a legitimate marketing platform.
Pedro Tavares: URSA trojan is targeting users in several countries, including Bolivia, Chile, Mexico, Argentina, Ecuador, Peru, Colombia, Paraguay, Costa Rica, Brazil, Spain, Italy, and Portugal since June 2020
URSA is targeting users in several countries, including Bolivia, Chile, Mexico, Argentina, Ecuador, Peru, Colombia, Paraguay, Costa Rica, Brazil, Spain, Italy, and Portugal since June 2020. It has been discovered by the cyber security expert Pedro Tavares, who wrote a threat analysis on the malware. It’s a trojan, and when installed on the victim’s devices, it collects passwords from browsers and from popular software such as FTP and email services and also performs banking browser overlay to lure the victims to introduce the banking credentials while the flow is executed – step-by-step – in the background by cyber criminals. The malicious code spreads via social engineering schemas – namely, phishing/malscam campaigns. In Portugal, the threat has been disseminated in-the-wild and impersonating four popular organizations, namely Vodafone, EDP (Energias de Portugal), MEO (Serviços de Comunicações e Multimédia, S.A), and Polícia Judicíaria – one of the police organizations responsible for criminal investigations in Portugal.
The cyber security expert: The malware has two loaders, several rounds of obfuscation and rabbit holes, and a low detection rate
According the cyber sdecurity expert, at first glance, the file downloaded via the malicious URL sent by cybercrime on the email scam is a zip file with an MSI (Microsoft Installer) inside. By analyzing the MSI file, it’s possible to observe that another file is available inside, and probably dropped when the MSI is executed. That file called px3q8x.vbs is a VBscript file responsible for loading and executing the next stages. Moreover, the file has a low detection rate. URSA has two loaders. First, a VBScript loader followed by several rounds of obfuscation and rabbit holes. The final VBScript is responsible for starting and dropping the files on disk and executing an AutoIt loader/injector. That binary injects into the memory via the Process Injection technique some DLLs, including a Delphi binary related to the banking overlay windows, and also the one that establishes all the communication with the C2 server.