Described as one of the most prolific information-stealing malware programs, Ursnif has been around since at least 2013. For nearly three months, researchers have been observing a campaign that introduces a new variant of Ursnif delivered through Bebloh. According to the research, the most notable changes in this latest version include a new, stealthy persistence mechanism, revamped stealing modules, a module targeting cryptocurrency and disk-encryption software, and an anti-PhishWall module.
Ursnif and Bebloh are both notorious for the amount of financial damage they cause worldwide, particularly in Japan. The adversaries are reportedly after the money but will try to capitalize on any other sensitive information they can access.
“The newly discovered Ursnif variant comes with enhanced stealing modules focused on stealing data from mail clients and email credentials stored in browsers. The revamping and introduction of new mail stealer modules puts an emphasis on the risk that trojans can pose to enterprises if corporate accounts are compromised,” wrote Cybereason researcher Assaf Dahan.
The attacks begin with a phishing email containing a weaponized Microsoft Office document that, when opened, prods the user to click on “enable content,” which executes the embedded macro code.
To make sure the payload only runs on its intended targets, the malware uses enhanced country-targeted delivery checks. Researchers identified modified VBA code that checks for Japanese settings on the infected machine. In addition, PowerShell compiles a .NET DLL that checks the Japanese language settings again, along with an added IP geolocation check to confirm that the infected machine is located in Japan, according to the research.
“This technique was previously seen in 2018, but the attackers modified the code in this version to make it less obvious and harder to detect,” Dahan wrote.
“What stands out in these campaigns is the great effort made by threat actors to target Japanese users, using multiple checks to verify that the targeted users are Japanese. These multiple tests prove to be quite effective not only in targeting the right crowd, but also in evading security products such as sandboxes, since the malicious code will not run unless the country/language settings are properly configured. We assess that this new wave of country-based targeted delivery is likely to become more and more popular in future campaigns.”
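The layered locale and geolocation checks described above are also what a defender can key on when triaging extracted macro or PowerShell text: a script that consults the Office install language, the .NET culture, and a public IP geolocation service before doing anything else is behaving like a country-gated dropper. The scanner below is an added example written for this article, not Cybereason's detection logic and not code from the Ursnif or Bebloh campaigns; the indicator list is an assumed heuristic built from real Office, Win32, .NET and PowerShell API names, and both sample scripts are constructed for illustration.

```python
"""Flag country/language gating in extracted macro or PowerShell text.

Assumed heuristic for this article (not Cybereason's detection logic).
Indicators are grouped into families: locale checks, IP geolocation lookups
and in-memory .NET compilation. A script is treated as country-gated only
when several indicators fire, since a single Get-Culture call is common in
benign automation.
"""
import re
from collections import defaultdict

# (family, label, case-insensitive regex). All API/cmdlet names are real;
# whether a given sample uses them is what the scan decides.
INDICATORS = [
    ("locale", "Office VBA LanguageSettings", r"Application\.LanguageSettings"),
    ("locale", "Win32 locale APIs",
     r"Get(?:User|System)Default(?:LCID|LangID|UILanguage)|GetLocaleInfo"),
    ("locale", ".NET CultureInfo",
     r"CultureInfo\.(?:CurrentCulture|CurrentUICulture|InstalledUICulture)"),
    ("locale", "PowerShell culture cmdlet",
     r"Get-(?:Culture|UICulture|WinSystemLocale|WinUserLanguageList)"),
    ("locale", "Japanese LCID/culture literal", r"\b1041\b|\bja-JP\b|&H411\b"),
    ("geoip", "Public IP geolocation service",
     r"ip-api\.com|ipinfo\.io|freegeoip|ipgeolocation"),
    ("compile", "Add-Type with inline source", r"Add-Type\s+-TypeDefinition"),
    ("compile", "CodeDom compiler", r"CSharpCodeProvider|CompileAssemblyFromSource"),
]


def find_gating_indicators(text):
    """Return {family: [labels]} for every indicator matched in `text`."""
    hits = defaultdict(list)
    for family, label, pattern in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            hits[family].append(label)
    return dict(hits)


def looks_country_gated(text, min_indicators=2):
    """True when at least `min_indicators` indicators fire and at least one of
    them is an actual locale or geolocation check (compilation alone is benign)."""
    hits = find_gating_indicators(text)
    total = sum(len(labels) for labels in hits.values())
    return total >= min_indicators and bool({"locale", "geoip"} & set(hits))


# Constructed sample: a macro that exits unless Office was installed in Japanese.
SAMPLE_VBA = r'''
Sub AutoOpen()
    ' constructed sample: continue only on a Japanese Office install (LCID 1041)
    If Application.LanguageSettings.LanguageID(msoLanguageIDInstall) <> 1041 Then Exit Sub
    Call Stage2
End Sub
'''

# Constructed sample: PowerShell that compiles a .NET culture check in memory
# and then confirms the public IP is in Japan before continuing.
SAMPLE_PS = r'''
Add-Type -TypeDefinition @"
using System.Globalization;
public static class Chk { public static bool Jp() { return CultureInfo.InstalledUICulture.Name == "ja-JP"; } }
"@
if (-not [Chk]::Jp()) { exit }
$geo = Invoke-RestMethod "http://ip-api.com/json/"
if ($geo.countryCode -ne "JP") { exit }
'''

if __name__ == "__main__":
    for name, sample in (("VBA", SAMPLE_VBA), ("PowerShell", SAMPLE_PS)):
        print(name, find_gating_indicators(sample), "gated:", looks_country_gated(sample))
```

Run against macro text dumped with a tool such as olevba, or against decoded PowerShell from a process-creation log, the scan returns the matched families so an analyst can see which gate fired; the two-indicator threshold is a starting point to tune against the organisation's own benign scripts.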