Italy is still suffering waves of cyber attacks with Ursnif malware. Cybaze-Yoroi ZLab dissected the banking trojan to understand its evolution
Italy is suffering waves of cyber attacks with Ursnif malware. The banking trojan has been dissected by the Cybaze-Yoroi ZLab cyber security experts to keep tracking the evolution of this persistent threat. They analyzed its multiple stages, each designed to evade detection, sometimes leveraging system tools to achieve the final objective: running the payload. The latest wave, unlike the previous ones, does not leverage steganography or heavily obfuscated PowerShell payloads. Instead, it abuses a Visual Basic Script (VBS) hidden in a compressed archive, delivered through an innocent-looking email referencing a summons. When users click the “Decreto” hyperlink, they are redirected to a Google Drive web page, which opens a fake page displaying a bogus document and inviting them to click a download link. The downloaded file is an archive containing two files: an obfuscated VBS and a legitimate image used to deceive the victim.
The cyber security experts: the new wave of malware cyber attacks leverages a Visual Basic Script (VBS) hidden in a compressed archive. The code is obfuscated and all the values are manipulated in different steps. Ursnif is a serious threat to the security of user data and company assets.
Moreover, the Cybaze-Yoroi ZLab cyber security experts found that the VBS code is obfuscated to evade antivirus detection and, to confuse the analyst, all the values are manipulated in several steps: through many mathematical operations, very long random variable names and other content encoded in Base64 format. Furthermore, investigating the remote destination where the C2 is hosted, they found it has been active since 05 March 2019, just a short time before the attack wave; the destination was unknown to many AV vendors at the time of the attack, suggesting this portion of the infrastructure was specifically prepared for the Italian landscape. Ursnif confirms itself as one of the most active and aggressive malware threats, spreading both worldwide and within the Italian cyber landscape. Threat actors constantly update and vary their infection chains to avoid security controls and evade antivirus detection, luring users with contextually plausible email messages.
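As an added illustration (this is not code from the Cybaze-Yoroi ZLab report), the following Python script shows how a defender can triage a VBS file for the three obfuscation traits described above: very long random variable names, character values built from arithmetic inside Chr(), and long Base64-encoded string literals. The VBS sample embedded in the script is constructed and harmless (its Chr() arithmetic spells "hel" and its Base64 blob decodes to a repeated "hello world "), and the length thresholds are assumptions chosen for the example, not values taken from the report.

```python
"""Heuristic triage of an obfuscated VBScript dropper.

Added example for this article; it is NOT code from the Cybaze-Yoroi ZLab
report. It looks for the three obfuscation traits the report describes:
very long random variable names, values built from arithmetic inside Chr(),
and Base64-encoded content. Thresholds are assumptions, not from the report.
"""
import base64
import re

# Constructed sample (not the real dropper). It is harmless: the Chr()
# arithmetic spells "hel" and the Base64 blob decodes to "hello world " x 3.
SAMPLE_VBS = r'''
Dim qzXmWpLkDfGhJrTyUiOpAsDfGhJkLzXcVbNm
Dim wErTyUiOpAsDfGhJkLzXcVbNmQwErTyUiOp
qzXmWpLkDfGhJrTyUiOpAsDfGhJkLzXcVbNm = Chr(100 + 4) & Chr(303 - 202) & Chr(27 * 4)
wErTyUiOpAsDfGhJkLzXcVbNmQwErTyUiOp = "aGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8gd29ybGQg"
'''

LONG_IDENT_MIN = 25   # assumed: identifiers this long are rarely hand-written
B64_MIN_LEN = 40      # assumed: shortest Base64 string literal worth flagging


def long_identifiers(src):
    """Return identifiers of at least LONG_IDENT_MIN characters, ignoring string literals."""
    no_strings = re.sub(r'"[^"\n]*"', '""', src)
    pattern = r'\b[A-Za-z_][A-Za-z0-9_]{%d,}\b' % (LONG_IDENT_MIN - 1)
    return sorted(set(re.findall(pattern, no_strings)))


def _eval_int_expr(expr):
    """Evaluate a VBScript integer expression using only + - * and \\ (no eval())."""
    tokens = re.findall(r'\d+|[+\-*\\]', expr)
    pos = 0

    def term():
        nonlocal pos
        value = int(tokens[pos])
        pos += 1
        while pos < len(tokens) and tokens[pos] in ('*', '\\'):
            op, rhs = tokens[pos], int(tokens[pos + 1])
            pos += 2
            value = value * rhs if op == '*' else value // rhs
        return value

    value = term()
    while pos < len(tokens) and tokens[pos] in ('+', '-'):
        op = tokens[pos]
        pos += 1
        rhs = term()
        value = value + rhs if op == '+' else value - rhs
    return value


def resolve_chr_calls(src):
    """Find Chr(<arithmetic>) calls and return (expression, resulting character) pairs."""
    pairs = []
    for expr in re.findall(r'Chr\(\s*([0-9][0-9 +\-*\\]*)\)', src, re.IGNORECASE):
        if not re.search(r'[+\-*\\]', expr):
            continue  # a plain Chr(65) is not an obfuscation indicator
        pairs.append((expr.strip(), chr(_eval_int_expr(expr))))
    return pairs


def rebuild_chr_string(src):
    """Concatenate the characters produced by the arithmetic Chr() calls, in source order."""
    return ''.join(char for _, char in resolve_chr_calls(src))


def base64_blobs(src):
    """Return (literal, decoded bytes) for long string literals that decode cleanly as Base64."""
    found = []
    for literal in re.findall(r'"([A-Za-z0-9+/]{%d,}={0,2})"' % B64_MIN_LEN, src):
        try:
            found.append((literal, base64.b64decode(literal, validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return found


def triage(src):
    """Count the indicators and flag the script if at least two of the three are present."""
    idents, chr_calls, blobs = long_identifiers(src), resolve_chr_calls(src), base64_blobs(src)
    indicator_count = sum(1 for hits in (idents, chr_calls, blobs) if hits)
    return {
        "long_identifiers": len(idents),
        "arithmetic_chr": len(chr_calls),
        "base64_blobs": len(blobs),
        "indicator_count": indicator_count,
        "suspicious": indicator_count >= 2,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBS))
    print("Chr() string:", rebuild_chr_string(SAMPLE_VBS))
    for literal, decoded in base64_blobs(SAMPLE_VBS):
        print("Base64:", literal[:16] + "...", "->", decoded.decode("utf-8", errors="replace"))
```

The arithmetic is resolved with a small purpose-built evaluator rather than eval(), so a hostile script cannot execute anything during triage; string literals are blanked before identifier matching so that a Base64 blob is not mistaken for a long variable name. Run against a real sample, the indicator counts are a starting point for a sandbox or analyst queue, not a verdict on their own.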