//
you're reading...
IT & TECHNOLOGY, Palo Alto Networks

Traps Sniffs Out Ursnif Banking Trojan


Ursnif (a.k.a Gozi), the well-known banking Trojan, continues to target millions of users all around the world. Unit 42 recently published a breakdown of the distribution networks used to deploy banking Trojans like Ursnif, specifically targeting Japan and several European nations. With its malware analysis evasion techniques, Ursnif has proven difficult for traditional security tools to detect.

How Does It Work?

Ursnif has used two primary delivery methods: malspam and exploit kits.

Most recently, Ursnif has been using malspam – emails containing malicious attachments – to target users in Japan. The attachment contains a JavaScript downloader that downloads Ursnif from a remote site and executes it on the user’s machine. Other Ursnif malspam attacks have involved password-protected Office document attachments, a technique that minimizes detection by automated analysis tools. The body of the email contains a password to access the attachment, increasing the appearance of the email’s legitimacy. When the victim opens the attachment, his or her system is infected, communication with a command-and-control server is established, and commands from the C2 server, such as installing additional threats, are sent periodically.

Ursnif has also been delivered via RIG exploit kits. When a victim visits a compromised website, he or she is redirected to the RIG landing page, from which the exploit profiles the victim’s system to determine which attack will work best, delivers the attack to compromise the victim’s browser, and delivers the malicious payload onto the victim’s machine.

In both instances, the malicious payload can detect malware analysis tools and check for virtualization. If it determines itself to be in an analysis environment, the payload will avoid conducting malicious activity, making it challenging to detect.

Why Is It Unique?

Ursnif is a widespread, evolving threat that deploys multiple features through multiple attack vectors. Newer versions of the threat allow attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimize other machines, and communicate peer-to-peer between different Ursnif instances in the same network.

How Do You Stop It?

Palo Alto Networks Traps uses a multi-method approach to malware and exploit prevention that block threats like Ursnif, regardless of whether they are delivered via exploit kits or malspam.

Traps examines macros in Microsoft Office files as the files are opened, performing local checks to determine if the macros are malicious or not. If a macro is malicious, it is prevented from executing. If unknown, the file containing the macro is examined by local analysis via machine learning. In this process, Traps examines various file characteristics to determine if the macro is malicious or benign. Using threat intelligence available from WildFire, a machine learning model is trained to detect malware, including never-before-seen variants. Additionally, if configured to do so, Traps will automatically send the file containing the macro to WildFire for a series of checks, including static, dynamic and bare metal analysis for full hardware execution, to identify even the most evasive threats, like Ursnif.

To prevent exploits, Traps takes a unique approach, focusing on the techniques used by all exploit-based attacks, which rarely change. Traps also prevents attackers from identifying and targeting vulnerable endpoints by blocking the profiling attempts used by exploit kits with its Exploit Kit Fingerprinting Protection Exploitation Prevention Module.

By focusing on the core exploitation techniques and blocking profiling attempts used by exploits, Traps can prevent exploits as soon as they are attempted and before an endpoint can be compromised.

Learn more about Traps multi-method approach to malware and exploit prevention.

[Palo Alto Networks Research Center]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Web Stats

  • 119,161 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,247 other followers

Twitter Updates

Archives

June 2017
M T W T F S S
« May   Jul »
 1234
567891011
12131415161718
19202122232425
2627282930  
%d bloggers like this: