Netskope named a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge. Get the Report.

  • Security Service Edge Products

    Protect against advanced and cloud-enabled threats and safeguard data across all vectors.

  • Borderless SD-WAN

    Confidently provide secure, high-performance access to every remote user, device, site, and cloud.

  • Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

Netskope Named a Leader in the 2022 Gartner Magic Quadrant™ for SSE Report

Get the report Go to Products Overview
Netskope gartner mq 2022 sse leader

Gartner® Quick Answer: How Does Netskope’s Acquisition of Infiot Impact SD-WAN, SASE, and SSE Projects?

Get the report
Quick Answer: How Does Netskope’s Acquisition of Infiot Impact SD-WAN, SASE and SSE Projects?

Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access.

Explore our platform
Birds eye view metropolitan city

Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn more
Lighted highway through mountainside switchbacks

Prevent threats that often evade other security solutions using a single-pass SSE framework.

Learn more
Lighting storm over metropolitan area

Zero trust solutions for SSE and SASE deployments

Learn more
Boat driving through open sea

Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn more
Wind turbines along cliffside
  • Our Customers

    Netskope serves more than 2,000 customers worldwide including more than 25 of the Fortune 100

  • Customer Solutions

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

We help our customers to be Ready for Anything

See our Customers
Woman smiling with glasses looking out window

Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn more
Netskope Professional Services

Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn more
Group of young professionals working
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Episode 15: Building Permanent Security Awareness

Play the podcast
Black man sitting in conference meeting

Read the latest on how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky

SASE Week

Netskope is positioned to help you begin your journey and discover where Security, Networking, and Zero Trust fit in the SASE world.

Learn more
SASE Week

What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn more
Four-way roundabout
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Netskope enables the future of work.

Find out more
Curvy road through wooded area

Netskope is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

Learn more
Switchback road atop a cliffside

Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain

Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn more
Group of diverse young professionals smiling

URSNIF Data Theft Malware Shared on Microsoft OneDrive

Aug 02 2016
Tags
Cloud Best Practices
Cloud Malware
Cloud Security
Netskope Threat Research Labs
Tools and Tips
Vulnerability Advisory

Netskope Threat Research Labs has observed the URSNIF data theft malware being shared among Microsoft OneDrive users. The malware was observed propagating via a malicious Microsoft Word macro which tricks the end user into opening the file and, if macros are disabled, enabling them. The Word macro is heavily obfuscated, making it difficult for traditional antivirus products to detect it. Additionally, a collection of anti-sandbox techniques are employed in attempt to subvert sandboxes and other run-time detection techniques.

Netskope Active Threat Protection detects the malicious Word file as “W97M.Downloadr.DVS” and the resulting URSNIF data theft malware as “Backdoor.Generckd.3415082”.

Analysis of Malicious Word Document

While analyzing this malicious Word document, we found a fake error trick used to lure the victim as well as several anti-sandbox techniques used to bypass automated sandboxes. Once the document file is opened, a very clever but illegitimate error message is shown to fool the victim. The error message looks like a genuine Word error as shown in Figure 1.

Figure1_dridex_doc

Figure 1: Word document with fake error message.

The error message shown in above Figure 1 lures the victim into enabling macros to correct the error encountered with this fake message. The document contains malicious macro code and we can see the code using VBA editor (use ALT + F11). The obfuscated macro code is shown in Figure 2.

Figure2_dridex_vba_code

Figure 2: Obfuscated macro code inside document.

The macros are split into couple of modules and they are only run when “Document_Close()” function executes.

Anti-sandbox Techniques Employed by the Attack Macro

The malicious Word document will not run in a virtual environment. The macros within the malicious Word document use several anti-sandbox techniques to bypass certain sandbox environments as shown in Figure 3.

Figure3_dridex_anti

Figure 3: Anti-sandbox techniques to bypass sandboxes

The following are some of the anti-sandbox highlights:

  1. The macros only run their code when the document is closed. This is used to bypass weaker sandbox environments, which only monitor activities for a period of time rather than opening and later closing the document as a real user would.
  2. The macros check for user name against “PSPUBWS” that is being used to identify the hybrid-analysis.com sandbox as shown in Figure 4.
Figure4_dridex_hybriduser

Figure 4: User name “PSPUBWS” used in Hybrid analysis sandbox

  1. Lastly, the macros check for recent files count. If the count is less than 3, it will terminate without downloading its main payload. Since many sandboxes operate in a clean initial configuration with no regularly activity, this would cause the threat to exit on the sandbox.

Figure 5 shows how the clean code looks like when all of the obfuscated strings have been decoded to its human readable version.

Figure5_dridex_cleancode

Figure 5: Clean code after decoding all the strings in the macros.

Once the Word macro passes the anti-sandbox checks, confirming it is executing on a real victim endpoint, it will query victim’s IP address details using “https://wtfismyip.com/” as shown in Figure 6.

Figure6_dridex_checkip

Figure 6: Query victim’s IP address details.

The macro then compares all the data returned in the above result against a block list of strings. The block list of strings includes several security vendors, common cloud terms, and the country name “United States” as shown in Figure 7.

Figure7_dridex_string

Figure 7: Block list of strings which includes several security vendors.

If a match is found, the macro will exit without downloading its main payload which also means it will terminate if the victim’s country is the United States. If none of them match, the macro will download its main payload, the URSNIF data-stealing malware, from another server using PowerShell as shown in Figure 8. The fact that PowerShell is invoked with “-ExecutionPolicy Bypass” makes it run without a warning.

Figure8_dridex_powershell

Figure 8: Malicious Word Document Macro using PowerShell to execute its main payload.

Analysis of URSNIF Data Theft Operation

The main payload unpacks its custom packed code, copies itself into %APPDATA%/Auxiap32/aeevuser.exe with a name and icon of FileZilla FTP client as shown in Figure 9.

Figure9_ursnif_ftpicon

Figure 9: Payload drops its own copy with FileZilla FTP Client icon and description

The unpacked code injects its malicious code into the “explorer.exe” process using well known “ZwCreateSection”, “ZwMapViewOfSection()” and “ZwUnmapViewOfSection()” API methods as shown in Figure 10.

Figure10_ursnif_mapsections

Figure 10: Payload injecting its malicious code into explorer.exe using well known API methods.

URSNIF also hooks various executable files in order to monitor browsers. It hooks NSS3.DLL and NSPR4.DLL to monitor Mozilla Firefox; WS2_32.DLL, CHROME.DLL to monitor Google Chrome; and WININET.DLL to monitor Internet Explorer. The URSNIF uses custom encoded HTTP GET or POST requests over SSL to communicate with its Command and Control (C&C) server in order to accept further commands as shown in Figure 11.

Figure11_ursnif_ssl_post

Figure 11: URSNIF custom encoded HTTP POST communication to its C&C server over SSL.

The URL path of the request is encoded before sending it over the network. The URSNIF first prepares information to be sent to its C&C server about infection in the URL path as shown in Figure 12.

Figure12_ursnif_url_data

Figure 12: URL path containing user’s information before the use of the encoding algorithm.

URSNIF then encodes this URL path using custom algorithm, prepends the string “/images/” and the C&C domain name to the encoded URL path and appends “.gif” extension to the final URL as shown in Figure 13.

Figure13_ursnif_url_encode

Figure 13: URSNIF final encoded URL preparation process.

Further, URSNIF starts uploading the victim’s sensitive data to its C&C server as a file which is a randomly generated .bin file under %TEMP% folder as shown in Figure 14.

Figure14_ursnif_upload

Figure 14: URSNIF uploads user’s data using randomly generated .bin file

Data Exfiltration Content

URSNIF captures a user’s data such as recent browsing history and recent opened folder paths and stores it in randomly created .bin files in the user’s %TEMP% folder as shown in Figure 15.

Figure15_ursnif_bin

Figure 15: URSNIF stores captured information in ZIP file with .bin extensions under TEMP folder

Analysis showed that the file name “E8E4.bin” uploaded to URSNIF C&C server is in fact a ZIP file containing a set of random plain text files as shown in Figure 16. These files contain information such as recently browsed domains along with the browser process name in plain text.

Figure16_ursnif_urls

Figure 16: Data exfiltrated by URSNIF

All of the URL information captured by URSNIF as shown in Figure 16 are random fake URLs we used for testing URSNIF traffic. Other strings present in the memory suggest URSNIF can potentially steal sensitive information such as usernames and passwords of SMTP/POP3/IMAP, OUTLOOK, Windows Mail accounts etc. as shown in Figure 17.

Figure17__ursnif_smtppop

Figure 17: Potential data that can be stolen by URSNIF malware

We have observed that attackers are continuously finding new ways to lure victims into enabling hidden macros inside document files. Attackers are also coming up with new anti-sandbox tricks to bypass automated sandbox analysis. The use of hidden macros inside document files along with the use of  PowerShell makes this attack much easier to execute and very effective. Also, the use of custom encoded URLs over HTTPS/SSL communication makes it much more difficult for traditional network security devices to detect such malicious network traffic.

Indicators of Compromise (IOCs)

Malicious word document file hashes (MD5)

d92f138fdc7217ef4793c6373ed16b8a

492ea0e9d246e0af878a0ea215e15744

B40cffd21b6c2297dc8552c44f04fccd

URSNIF malware binary file hash (MD5)

51f303a577b47bc12fe019190dac1383

C&C servers and other interesting domains/IP

aagheresherecliallow.me

Usallowalclientallow.me

z1.zedo.com/robots.txt

91.213.126.113

URL patterns

/images/QOz6k6pnqHAEhlWvRV3/CLxaNf38SFReZrruRP8JIO/J_2FDssnLdOTb/RseMEoo_/2BTanNzhKhkiTo9VrsuFgzl/Vd6xdh3QM8/wrhVUaQ5cuL21WX5b/yGwMgfx7N0Mo/TD8C_2B65Qx/AjO_2FbKEwb4_2/F_2BeR_2FNQnaVdcO9fw9/0tcdR5gf/BnsJqHQ.bmp

/images/bhdnlmT9XBki/eeBkXFpZ2_2/BIUevLJSK1DH7F/oSfXQ7Rux_2B0Bf4nlrOV/fBU1n53oTQ_2F0LF/gMbnUzQAawsRTmv/EgAQkDR8juRnvtyXFm/ZF_2Beno_/2BciFFJ6KvHQUXLL1F6G/FA_2B1HNF_2BMiTdsyu/zRxlZuVM/Z.gif

(Note the use of ‘/images/’ and the extensions ‘.gif’ and ‘.bmp’)