So, today let’s talk about ursnif and its recents evolutions. I saw yesterday evening this blogpost riddled with errors (rovnix and ursnif are two different malwares), so here is my take on this. The first sample I found that sparkled my interest is dated from 24/04/2014, but I wouldn’t be surprised to see older samples with these characteristics as well. As you can see the kernelmode post I made with the sample config, “ISFB” is the internal ursnif (not rovnix !) name , and it was mainly the 2.2 version distributed at the time. I’d like to thank @kafeine for providing me with a lot of the samples analyzed in this post.
So, back to this 24/04/2014 sample. I was intrigued to see that there was now a string decryption function present in the binary. The function is quite simple. First we search for the .bss section which contains the encrypted strings. Then a XOR key is generated with the embedded date and the VirtualAddress + RawSize of the bss section. Here is what this function looks like with Hex-Rays :
The dll unpacking is almost the same (aplib). The only noticeable change is that the structure id is now “J1” instead of “FJ” in the PE Header (See picture below). One last big change is the injection of the Ursnif dll component in explorer, it was before dropped into %system32%. This injection is kinda crappy imo, the malware kills explorer and then spawn a new instance to inject itself into, not really that stealthy.
Onto the dll now. We got an url in the binary, maybe a C&C one (subjenec.tk). We got onto the embedded configuration now, and as you can see it is quite different. As the C&C was dead when I came upon this sample, I can’t provide anymore details on this.
600 -> ConfigTimeout 4320 -> ? 220.127.116.11/2.php <- encrypted data file 18.104.22.168:443 2022 -> Group
Next sample I got is from the 29/04/2014 and it has some interesting differences. We have some new strings which indicates the introduction of some anti-vm checks. The DLLs files are now stored as resources in the dropper with the names ‘C132’ and ‘C164’. A PRNG has also been added. This PRNG is from the rovnix source code and is used to generate unique GUID (As seen in bksetup.c).
00401785 PUSH ursnif2_.0040519C ASCII "ISFB REG FILE" 00401792 PUSH ursnif2_.004051AC ASCII "ISFB REG KEY" [...] 00401A7D PUSH ursnif2_.004051CC ASCII "HARDWARE\ACPI\DSDT\PTLTD_" 00401AB0 PUSH ursnif2_.004051E8 ASCII "HARDWARE\ACPI\DSDT\VBOX__" 00401AC7 PUSH ursnif2_.00405204 ASCII "HARDWARE\ACPI\DSDT\AMIBI"
Let’s talk about the dll module. Concerning the DGA / cab compression / C&C communication, the post does a good job analyzing it. I’ll just add that the DGA tld are not always the same between the few variants I have seen using it. In this campaign, the tld used are : .eu / .cn / .biz / .net / .com. The C&C address is termsrightfrthem.biz, now dead.
000000011C54 000010013654 0 c:\prj\ISFB\release(unpacked)\client.pdb <- pdb path found in the client.dll module .bss0:00407000 0000004B C version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x&wdata=%04u%02u%02u .bss0:0040704B 00000041 C version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s .bss0:0040708C 0000003D C version=%u&user=%s&server=%u&id=%u&crc=%x&wdata=%04u%02u%02u .bss0:004070C9 00000033 C version=%u&user=%s&server=%u&id=%u&type=%u&name=%s
Next sample I got has a timestamp dating it from the 10/06/2014, but no strings encryption this time. This is the sample 2 from the campaign 1 in the blog post, same variant as the previously described one. C&C I got with these :
havepassforcongressunu.net reignthrowfrominva.net accordinglytathdivine.com purseventspurpeoaunited.biz thathistoryinva.biz
Moving onto the next sample now, the first I got with Rovnix bootkit integration. It is interesting to note that Rovnix and Ursnif have been closely related in the past, sharing the exact same component unpacking code (“FJ” bytes in the structures in the PE Header to retrieve the aplib packed components), and the C&C infrastructure was the same (same panels). With the integration of the rovnix bootkit into ursnif the code of these two malwares is even more blended into ursnif. This sample has a timestamp dating it from the 20/06/2014. After unpacking the sample we can see that two new modules have been added into the dropper. These two new components are the Rovnix ring0 & MBR modules. The Rovnix bootkit install code is the same as the leaked install.c code.
RC6 Key : F223456789ABCDEF dissolutionsand.tk congressshoone.tk Additionnal config in the dll : 21600 22.214.171.124/l2.php 126.96.36.199:443 4099
Next bootkit sample I got is timestamped from the 01/08/2014. Interestingly enough, this time the C&C communication protocol is the cab one.
C&C urls : congressshoone.tk subjectneceare.tk Config : 21600 188.8.131.52/l2.php stangan.com:443 4109
This C&C was active until this week, and it reached ~70k bots in 3 months. Not bad for a Ursnif imo (sorry, no screenshots, I always forget). The panel wasn’t that interesting anyway.
Intriguing thing, a few variants seems to be distributed at the same time in the wild. In a sample with a timestamp dating it from the 28/06/2014, we have no bootkit but instead the DGA variant. TLD used in this one are .tk / .ru / .biz. / .com / .net. The C&C address was regisforbelowactu.net and the RC6 key is 0123456789ABCE21. The decrypted configuration 10 60 10 60 30 gives us nothing interesting. The same campaign with a 03/08/2014 timestamp has a slightly different config : 60 60 60 60 30 1004. The 13/08/2014 timestamped version gives us two more C&C urls : withouttheterms.com and ebibobrov3945.net. On the 18/08/2014 the RC6 key was changed to THe04ihgUaSZlMnP. Config was : 60 60 60 60 30 1000, and TLD were : .com / .net / .biz / .ru. On the 04/09/2014 I observed another big change in the C&C panel : they are now named IAP (see the picture below) and looks like a totally revamped version of the old panel. If you want to see the internals of a panel you can refer to the CSIS blogpost. Let’s see the config for this sample :
ourdeclendeavored.ru salapowersalonenature.ru circumestablished.su murdersknown.biz hisandsuchprov.ru assumeoppothgoverfaprote.biz assumeoppothgoverfaprote.info DK6IGT759QFVFF5V 300 60 300 300 300 10 4004
I got only one sample in july with a 23/07/2014 timestamp. This is very similar to the DGA variant with a few differences on the C&C / command parsing part (the main difference in fact is the disappearance of the DGA). This sample copies itself into %system32% and still injects its dll into explorer. RC6 Key for this variant: 5C3F6970EE00A01D, config : 10800 5400 300 600 300 60 1000. Let’s see an example of a request to the C&C :
On the few samples I have seen of this variant, the paths have always been the same :
tandlawsnative.su/ne_utils/front/xxx leendeilco-1000.su/ne_utils/front/xxx princlegislative.su/ne_utils/front/xxx
On the 10/09/2014 version :
I think I have covered almost all the important evolutions in ursnif from april to september. On the samples I got in september, there is nothing changing except the configs / c&c urls which are still being updated. It’s time to draw some conclusions about this now. I think there are three actively distributed ursnif variants in the wild.
- The first one, with the RC6 key F223456789ABCDEF is the blended ursnif with rovnix. The first trace of this variant I found go back to april and it is still active.
- The second one is the DGA based variant.The RC6 keys seems to change quite often, and this is the variant described in the CSIS post. They are operating the IAP C&C.
- The third one (and I’m not 100% sure about this one) is the .su C&C based variant. Least frequent one.
I hope this post has shed some light on the state of the ursnif threat and its recent evolution.
Edit 05/12/2014 :
Further proof that multiple versions of Ursnif are distributed itw :
Debug string inside a Ursnif binary with timestamp 16/07/2014:
ISFB_0d10: ISFB client DLL version 3.5, client ID: 1000
Debug string inside a Ursnif binary with timestamp 01/12/2014
ISFB_0a10: ISFB client DLL version 2.12, build 398, group 1000