Info-stealing Malware Hits German and English-speaking Users

The Ursnif malware family is back, this time targeting the private data and financial activity of German, Russian and English-speaking users, Bitdefender warns.

Fig 1. Spam email in English

Fig 2. Spam email in German

Fig 3. Spam email in Russian

Infection Data

According to data from Bitdefender’s antispam labs, some 10000 emails were sent as part of a global spam campaign targeting mostly Russian, German and English-speaking users.

Known as a spyware family, Ursnif specializes in information gathering but is also capable of compromising a system completely. It usually propagates through spam emails, hides in an archive and waits to be manually downloaded and executed on the system. The sample analyzed by Bitdefender can execute a variety of operations based on the instructions it receives.

It can sniff credentials and other data related to Microsoft Outlook:

  • reg Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • reg Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

System data:

  • systeminfo.exe
  • tasklist.exe
  • driverquery.exe
  • reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

Certificates and private keys from these locations:

  • My
  • AddressBook
  • AuthRoot
  • CertificateAuthority
  • Disallowed
  • Root
  • TrustedPeople
  • TrustedPublisher

Ursnif can also restart the system, modify files in the Windows directory, collect or delete cookies, spy on the user’s browsing history and take screenshots of the device screen.
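The system-data commands listed above are ordinary Windows tools, so a practical detection looks for several of them launched by the same parent process in a short burst. The following added example (not Bitdefender's code) does that over constructed process-creation records; the field names, the 120-second window and the three-tool threshold are assumptions, and tasklist.exe is matched under its Windows binary name.

```python
import ntpath
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumption: tune to your telemetry
MIN_DISTINCT = 3                 # assumption: distinct tools needed to alert
TOOLS = ("systeminfo.exe", "tasklist.exe", "driverquery.exe")  # listed on the page

def classify(image, cmdline):
    """Return a label if the process is one of the page's system-data commands."""
    exe, cmd = ntpath.basename(image).lower(), f" {cmdline.lower()} "
    if exe in TOOLS:
        return exe
    if exe == "reg.exe" and " query " in cmd and r"\currentversion\uninstall" in cmd:
        return "reg.exe query Uninstall"
    return None

def find_recon_bursts(events):
    """Flag parents spawning >= MIN_DISTINCT distinct listed tools within WINDOW."""
    by_parent = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        label = classify(ev["image"], ev["cmdline"])
        if label:
            key = (ev["host"], ev["parent_pid"], ev["parent_image"])
            by_parent.setdefault(key, []).append((ev["time"], label))
    alerts = []
    for (host, ppid, pimg), seen in by_parent.items():
        for i, (start, _) in enumerate(seen):  # slide the window over the hits
            tools = {lab for t, lab in seen[i:] if t - start <= WINDOW}
            if len(tools) >= MIN_DISTINCT:
                alerts.append({"host": host, "parent_pid": ppid,
                               "parent_image": pimg, "tools": sorted(tools)})
                break  # one alert per parent process
    return alerts

def _ev(ts, host, ppid, pimg, img, cmd):
    return {"time": datetime.fromisoformat(ts), "host": host, "parent_pid": ppid,
            "parent_image": pimg, "image": img, "cmdline": cmd}

S32, DROP = "C:\\Windows\\System32\\", r"C:\Users\a\AppData\Local\Temp\sample.exe"
SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    _ev("2024-01-01T10:00:00", "WS-01", 4120, DROP, S32 + "systeminfo.exe", "systeminfo.exe"),
    _ev("2024-01-01T10:00:04", "WS-01", 4120, DROP, S32 + "tasklist.exe", "tasklist.exe"),
    _ev("2024-01-01T10:00:09", "WS-01", 4120, DROP, S32 + "driverquery.exe", "driverquery.exe"),
    _ev("2024-01-01T10:00:15", "WS-01", 4120, DROP, S32 + "reg.exe",
        r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s'),
    _ev("2024-01-01T11:00:00", "WS-02", 900, S32 + "cmd.exe", S32 + "tasklist.exe", "tasklist.exe"),
    _ev("2024-01-01T11:30:00", "WS-02", 900, S32 + "cmd.exe", S32 + "systeminfo.exe", "systeminfo.exe"),
    _ev("2024-01-01T12:30:00", "WS-02", 900, S32 + "cmd.exe", S32 + "driverquery.exe", "driverquery.exe"),
]
print(find_recon_bursts(SAMPLE_EVENTS))
```

The WS-02 records show why the time window matters: the same three tools run by an administrator over ninety minutes do not raise an alert.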

The collected data is saved in temporary folders and transmitted via HTTP to C&C servers, whose addresses are generated using text from the US declaration.

The encrypted code has a section which contains configuration data that may change from sample to sample. In this case, the configuration data contains URLs and details about different banking services and processes.

Fig 4. Decrypted config file

Bitdefender detects and blocks this threat as Gen:Variant.Kazy.616358 (hash d2eed7c7a412246816ce3f9c67c40b39).

Bitdefender advises users to regularly update their AV solution in order to fend off keyloggers, spyware and other persistent threats.

This article is based on the technical information provided courtesy of Bitdefender Senior Antispam Researcher Adrian MIRON, malware researchers Victor LUNCASU, Alexandru RUSU and Ivona CHILI.
