The latest signed campaign uses SHOECORP LIMITED corporate certificates to trick anti-viruses and download malware.
Yoroi-Cybaze ZLab: Ursnif, the malware that has been targeting Italy since 2018, is evolving with country-checks and over 10 levels of code obfuscation, in addition to a new steganography technique for Windows 10
Ursnif, the malware that has been targeting Italy since 2018, is evolving. It has been discovered by Yoroi-Cybaze ZLab cyber security experts, who closely observed its malspam campaigns and analyzed them to track the evolution of the techniques and the underlined infection chain. The researchers noticed an increasing sophistication. For instance the latest waves increased their target selectivity abilities by implementing various country-checks and their anti-analysis capabilities through heavy code obfuscation. More than ten level, in addition to a new steganography technique designed for Windows 10 machines. The attackers are still leveraging malicious Excel documents to lure their targets to start the infection chain, which are required to enable the macro code hidden inside these kind of vectors.
The cyber security experts: Some levels check for Windows version installed on the victim machine, others if the user is italian. Finally, the PE32 payload is downloaded from a very hidden drop-site location
According to the cyber security experts, once the Ursnif email has been opened, a fake obfuscated image invites the victim to enable the content, in order to start the malicious macro. However, moving the blurred figure away reveals the cell A1 contains hidden code: a Base64 encoded script. The macro retrieves the content from the first cell of the document and it subsequently concatenates it with the content of the six rows below the first one. Its execution starts the “powershell stage” of the infection: a long series of multi-layered obfuscated scripts. Some of them are used to delay the execution of the script through Sleep library function invocations. Others to checks for Windows version installed on the victim machine and if the user is italian. After ten levels of obfuscation, the PE32 payload is downloaded from a very hidden drop-site location.
The cybercrime actors behind the malware pose increased risks for Italian Companies and Organizations
Cybaze-Yoroi ZLAB team, who analyzed many Ursnif related attacks in the past months, believes the recent ones are showing evidence of an increasing sophistication and complexity. Especially in the weaponization phase of the attack killchain, in the preparation of such multi-layered and highly obfuscated infection chain to deliver the Ursnif payload. The cyber security experts, considering the volume and the insistence of this malware threat against the Italian panorama, underline that the Threat Groups behind these attacks are strongly leveraging an automated weaponization of the attacks, investing resources, time and money to prepare these complex and geo-located infection chains. Indicating Italy is persistently targeted by cybercrime actors who reached some degree of organizational maturity and keeps evolving their attack techniques, implying an increased risk for Italian Companies and Organizations.