Ursnif (a.k.a Gozi), the well-known banking Trojan, continues to target millions of users all around the world. Unit 42 recently published a breakdown of the distribution networks used to deploy banking Trojans like Ursnif, specifically targeting Japan and several European nations. With its malware analysis evasion techniques, Ursnif has proven difficult for traditional security tools to detect.
How Does It Work?
Ursnif has used two primary delivery methods: malspam and exploit kits.
Ursnif has also been delivered via RIG exploit kits. When a victim visits a compromised website, he or she is redirected to the RIG landing page, from which the exploit profiles the victim’s system to determine which attack will work best, delivers the attack to compromise the victim’s browser, and delivers the malicious payload onto the victim’s machine.
In both instances, the malicious payload can detect malware analysis tools and check for virtualization. If it determines itself to be in an analysis environment, the payload will avoid conducting malicious activity, making it challenging to detect.
Why Is It Unique?
Ursnif is a widespread, evolving threat that deploys multiple features through multiple attack vectors. Newer versions of the threat allow attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimize other machines, and communicate peer-to-peer between different Ursnif instances in the same network.
How Do You Stop It?
Palo Alto Networks Traps uses a multi-method approach to malware and exploit prevention that block threats like Ursnif, regardless of whether they are delivered via exploit kits or malspam.
Traps examines macros in Microsoft Office files as the files are opened, performing local checks to determine if the macros are malicious or not. If a macro is malicious, it is prevented from executing. If unknown, the file containing the macro is examined by local analysis via machine learning. In this process, Traps examines various file characteristics to determine if the macro is malicious or benign. Using threat intelligence available from WildFire, a machine learning model is trained to detect malware, including never-before-seen variants. Additionally, if configured to do so, Traps will automatically send the file containing the macro to WildFire for a series of checks, including static, dynamic and bare metal analysis for full hardware execution, to identify even the most evasive threats, like Ursnif.
To prevent exploits, Traps takes a unique approach, focusing on the techniques used by all exploit-based attacks, which rarely change. Traps also prevents attackers from identifying and targeting vulnerable endpoints by blocking the profiling attempts used by exploit kits with its Exploit Kit Fingerprinting Protection Exploitation Prevention Module.
By focusing on the core exploitation techniques and blocking profiling attempts used by exploits, Traps can prevent exploits as soon as they are attempted and before an endpoint can be compromised.
[Palo Alto Networks Research Center]