A new Ursnif Trojan campaign has been detected that uses a new variant of the malware which uses fileless techniques to avoid detection. In addition to the banking Trojan, GandCrab ransomware is also downloaded.
Increase in Banking Trojan and Ransomware Combination Attacks
Ransomware attacks can cause considerable disruption to businesses, although a good backup strategy can allow businesses to recover quickly in the event of a successful attack without having to pay the ransom demand.
However, there has been a significant increase in phishing attacks that deliver not one but two malware variants – ransomware to extort money from companies but also an information stealer to obtain sensitive information such as login and banking credentials. Malware variants used in these attacks also have the capability to download other malware variants and gather system data and process information for use in further attacks.
These phishing campaigns allow hackers to maximize the profitability of attacks and make the attack profitable even if the business does not pay the ransom.
There have been several examples of these attacks in recent months. Earlier in January, warnings were issued about the combination of Ryuk ransomware with the Trickbot and Emotet Trojans – Two malware variants that are used in wire fraud attacks. Ryuk ransomware has been extensively used in attacks on U.S. healthcare providers. The combination with the banking Trojans makes the attacks far more damaging.
Now another campaign has been detected using different malware variants – The Ursnif Trojan and the latest version of GandCrab ransomware.
What Does the Ursnif Trojan Do?
The Ursnif Trojan is one of the most active banking Trojans currently in use. The main functions of the malware is to steal system information and bank account credentials from browsers. The latest variants of the Ursnif Trojan have also been used to deploy other malware variants such as GandCrab ransomware.
According to security researchers at Carbon Black, who identified the latest campaign, the Ursnif Trojan now uses fileless execution mechanisms to make detection more difficult. Instead of downloading and writing files to the hard drive – which can be detected – a PowerShell script downloads a payload and executes it in the memory. That payload then downloads a further file and injects it into the PowerShell process, ultimately resulting in the downloading of the ransomware.
When code is loaded in the memory, it often does not survive a reboot, although the latest variant of Ursnif has persistence. This is achieved by storing an encoded PowerShell command inside a registry key and subsequently launching the command via the Windows Management Instrumentation Command-line (WMIC).
Once information has been collected from an infected system, it is packaged inside a CAB file and sent back to the attackers C2 via encrypted HTTPS. This makes data exfiltration difficult to detect.
The Ursnif Trojan campaign uses email as the attack vector with infection occurring via a Word document attachment that contains a VBA macro. If the attachment is opened and macros are enabled (automatically or manually), the infection process will be triggered.
How Businesses can Protect Against Attacks
Due to the difficulty detecting the malware attack once it has started, the best way to protect against this attack is by improving anti-phishing defenses. It is important to prevent the malicious emails from being delivered to inboxes and to ensure that employees are trained how to identify the messages if they make it past email defenses. The former can be achieved with a powerful spam filtering solution such as SpamTitan.
Along with security awareness training for employees to condition them not to open emails from unknown senders or open attachments and enable macros, businesses can mount an effective defense against the attack.