Netskope named a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge. Get the Report.

  • Plataforma

    Visibilidade incomparável e proteção de dados e contra ameaças em tempo real na maior nuvem privada de segurança do mundo.

  • Produtos

    Os produtos Netskope são construídos na Netskope Security Cloud.

A Netskope oferece uma pilha de segurança na nuvem moderna, com capacidade unificada para proteção de dados e ameaças, além de acesso privado seguro.

Explore a nossa plataforma

Netskope é nomeada Líder no Relatório do Quadrante Mágico™ do Gartner de 2022 para SSE

Obtenha o Relatório

Mude para serviços de segurança na nuvem líderes de mercado com latência mínima e alta confiabilidade.

Saiba mais

Previna ameaças que muitas vezes contornam outras soluções de segurança usando uma estrutura SSE de passagem única.

Saiba mais

Soluções de zero trust para a implementação de SSE e SASE

Saiba mais

A Netskope permite uma jornada segura, inteligente e rápida para a adoção de serviços em nuvem, aplicações e infraestrutura de nuvem pública.

Saiba mais
  • Customer Success

    Proteja a sua jornada de transformação digital e aproveite ao máximo as suas aplicações na nuvem, na web e privadas.

  • Atendimento ao cliente

    Suporte proativo e o compromisso em otimizar seu ambiente da Netskope e acelerar seu sucesso.

Confie na Netskope para ajudar você a enfrentar ameaças emergentes, novos riscos, mudanças tecnológicas, mudanças organizacionais e de rede, e novos requisitos regulatórios.

Saiba mais

Contamos com engenheiros qualificados no mundo todo, com experiências variadas em segurança na nuvem, redes, virtualização, entrega de conteúdo e desenvolvimento de software, prontos para prestar assistência técnica oportuna e de alta qualidade.

Saiba mais
  • Recursos

    Saiba mais sobre como a Netskope pode ajudá-lo a proteger sua jornada para a nuvem.

  • Blog

    Saiba como a Netskope viabiliza a segurança e a transformação de redes através do security service edge (SSE).

  • Eventos e workshops

    Esteja atualizado sobre as últimas tendências de segurança e conecte-se com seus pares.

  • Security Defined

    Tudo o que você precisa saber em nossa enciclopédia de segurança cibernética.

Podcast Security Visionaries

Episódio bônus: a importância do Security Service Edge (SSE)

Reproduzir o podcast

Leia as últimas novidades sobre como a Netskope pode viabilizar a jornada Zero Trust e SASE por meio dos recursos do security service edge (SSE).

Leia o Blog

Netskope na RSA 2022

Conheça e converse com especialistas em segurança da Netskope na RSA.

Saiba mais

O que é o Security Service Edge?

Explore o lado de segurança de SASE, o futuro da rede e proteção na nuvem.

Saiba mais
  • Empresa

    Ajudamos você a antecipar os desafios da nuvem, dos dados e da segurança da rede.

  • Por que Netskope

    A transformação da nuvem e o trabalho em qualquer lugar mudaram a forma como a segurança precisa funcionar.

  • Liderança

    Nossa equipe de liderança está fortemente comprometida em fazer tudo o que for preciso para tornar nossos clientes bem-sucedidos.

  • Parceiros

    Fazemos parceria com líderes de segurança para ajudá-lo a proteger sua jornada para a nuvem.

A Netskope possibilita o futuro do trabalho.

Saiba mais

A Netskope está redefinindo a nuvem, os dados e a segurança da rede para ajudar as organizações a aplicar os princípios de Zero Trust para proteger os dados.

Saiba mais

Pensadores, construtores, sonhadores, inovadores. Juntos, fornecemos soluções de segurança na nuvem de última geração para ajudar nossos clientes a proteger seus dados e seu pessoal.

Meet our team

A estratégia de comercialização da Netskope, focada em Parcerias, permite que nossos Parceiros maximizem seu crescimento e lucratividade enquanto transformam a segurança corporativa.

Saiba mais
Blog Threat Labs URSNIF Data Theft Malware Shared on Microsoft OneDrive
Aug 02 2016

URSNIF Data Theft Malware Shared on Microsoft OneDrive

Netskope Threat Research Labs has observed the URSNIF data theft malware being shared among Microsoft OneDrive users. The malware was observed propagating via a malicious Microsoft Word macro which tricks the end user into opening the file and, if macros are disabled, enabling them. The Word macro is heavily obfuscated, making it difficult for traditional antivirus products to detect it. Additionally, a collection of anti-sandbox techniques are employed in attempt to subvert sandboxes and other run-time detection techniques.

Netskope Active Threat Protection detects the malicious Word file as “W97M.Downloadr.DVS” and the resulting URSNIF data theft malware as “Backdoor.Generckd.3415082”.

Analysis of Malicious Word Document

While analyzing this malicious Word document, we found a fake error trick used to lure the victim as well as several anti-sandbox techniques used to bypass automated sandboxes. Once the document file is opened, a very clever but illegitimate error message is shown to fool the victim. The error message looks like a genuine Word error as shown in Figure 1.

Figure1_dridex_doc

Figure 1: Word document with fake error message.

The error message shown in above Figure 1 lures the victim into enabling macros to correct the error encountered with this fake message. The document contains malicious macro code and we can see the code using VBA editor (use ALT + F11). The obfuscated macro code is shown in Figure 2.

Figure2_dridex_vba_code

Figure 2: Obfuscated macro code inside document.

The macros are split into couple of modules and they are only run when “Document_Close()” function executes.

Anti-sandbox Techniques Employed by the Attack Macro

The malicious Word document will not run in a virtual environment. The macros within the malicious Word document use several anti-sandbox techniques to bypass certain sandbox environments as shown in Figure 3.

Figure3_dridex_anti

Figure 3: Anti-sandbox techniques to bypass sandboxes

The following are some of the anti-sandbox highlights:

  1. The macros only run their code when the document is closed. This is used to bypass weaker sandbox environments, which only monitor activities for a period of time rather than opening and later closing the document as a real user would.
  2. The macros check for user name against “PSPUBWS” that is being used to identify the hybrid-analysis.com sandbox as shown in Figure 4.
Figure4_dridex_hybriduser

Figure 4: User name “PSPUBWS” used in Hybrid analysis sandbox

  1. Lastly, the macros check for recent files count. If the count is less than 3, it will terminate without downloading its main payload. Since many sandboxes operate in a clean initial configuration with no regularly activity, this would cause the threat to exit on the sandbox.

Figure 5 shows how the clean code looks like when all of the obfuscated strings have been decoded to its human readable version.

Figure5_dridex_cleancode

Figure 5: Clean code after decoding all the strings in the macros.

Once the Word macro passes the anti-sandbox checks, confirming it is executing on a real victim endpoint, it will query victim’s IP address details using “https://wtfismyip.com/” as shown in Figure 6.

Figure6_dridex_checkip

Figure 6: Query victim’s IP address details.

The macro then compares all the data returned in the above result against a block list of strings. The block list of strings includes several security vendors, common cloud terms, and the country name “United States” as shown in Figure 7.

Figure7_dridex_string

Figure 7: Block list of strings which includes several security vendors.

If a match is found, the macro will exit without downloading its main payload which also means it will terminate if the victim’s country is the United States. If none of them match, the macro will download its main payload, the URSNIF data-stealing malware, from another server using PowerShell as shown in Figure 8. The fact that PowerShell is invoked with “-ExecutionPolicy Bypass” makes it run without a warning.

Figure8_dridex_powershell

Figure 8: Malicious Word Document Macro using PowerShell to execute its main payload.

Analysis of URSNIF Data Theft Operation

The main payload unpacks its custom packed code, copies itself into %APPDATA%/Auxiap32/aeevuser.exe with a name and icon of FileZilla FTP client as shown in Figure 9.

Figure9_ursnif_ftpicon

Figure 9: Payload drops its own copy with FileZilla FTP Client icon and description

The unpacked code injects its malicious code into the “explorer.exe” process using well known “ZwCreateSection”, “ZwMapViewOfSection()” and “ZwUnmapViewOfSection()” API methods as shown in Figure 10.

Figure10_ursnif_mapsections

Figure 10: Payload injecting its malicious code into explorer.exe using well known API methods.

URSNIF also hooks various executable files in order to monitor browsers. It hooks NSS3.DLL and NSPR4.DLL to monitor Mozilla Firefox; WS2_32.DLL, CHROME.DLL to monitor Google Chrome; and WININET.DLL to monitor Internet Explorer. The URSNIF uses custom encoded HTTP GET or POST requests over SSL to communicate with its Command and Control (C&C) server in order to accept further commands as shown in Figure 11.

Figure11_ursnif_ssl_post

Figure 11: URSNIF custom encoded HTTP POST communication to its C&C server over SSL.

The URL path of the request is encoded before sending it over the network. The URSNIF first prepares information to be sent to its C&C server about infection in the URL path as shown in Figure 12.

Figure12_ursnif_url_data

Figure 12: URL path containing user’s information before the use of the encoding algorithm.

URSNIF then encodes this URL path using custom algorithm, prepends the string “/images/” and the C&C domain name to the encoded URL path and appends “.gif” extension to the final URL as shown in Figure 13.

Figure13_ursnif_url_encode

Figure 13: URSNIF final encoded URL preparation process.

Further, URSNIF starts uploading the victim’s sensitive data to its C&C server as a file which is a randomly generated .bin file under %TEMP% folder as shown in Figure 14.

Figure14_ursnif_upload

Figure 14: URSNIF uploads user’s data using randomly generated .bin file

Data Exfiltration Content

URSNIF captures a user’s data such as recent browsing history and recent opened folder paths and stores it in randomly created .bin files in the user’s %TEMP% folder as shown in Figure 15.

Figure15_ursnif_bin

Figure 15: URSNIF stores captured information in ZIP file with .bin extensions under TEMP folder

Analysis showed that the file name “E8E4.bin” uploaded to URSNIF C&C server is in fact a ZIP file containing a set of random plain text files as shown in Figure 16. These files contain information such as recently browsed domains along with the browser process name in plain text.

Figure16_ursnif_urls

Figure 16: Data exfiltrated by URSNIF

All of the URL information captured by URSNIF as shown in Figure 16 are random fake URLs we used for testing URSNIF traffic. Other strings present in the memory suggest URSNIF can potentially steal sensitive information such as usernames and passwords of SMTP/POP3/IMAP, OUTLOOK, Windows Mail accounts etc. as shown in Figure 17.

Figure17__ursnif_smtppop

Figure 17: Potential data that can be stolen by URSNIF malware

We have observed that attackers are continuously finding new ways to lure victims into enabling hidden macros inside document files. Attackers are also coming up with new anti-sandbox tricks to bypass automated sandbox analysis. The use of hidden macros inside document files along with the use of  PowerShell makes this attack much easier to execute and very effective. Also, the use of custom encoded URLs over HTTPS/SSL communication makes it much more difficult for traditional network security devices to detect such malicious network traffic.

Indicators of Compromise (IOCs)

Malicious word document file hashes (MD5)

d92f138fdc7217ef4793c6373ed16b8a

492ea0e9d246e0af878a0ea215e15744

B40cffd21b6c2297dc8552c44f04fccd

URSNIF malware binary file hash (MD5)

51f303a577b47bc12fe019190dac1383

C&C servers and other interesting domains/IP

aagheresherecliallow.me

Usallowalclientallow.me

z1.zedo.com/robots.txt

91.213.126.113

URL patterns

/images/QOz6k6pnqHAEhlWvRV3/CLxaNf38SFReZrruRP8JIO/J_2FDssnLdOTb/RseMEoo_/2BTanNzhKhkiTo9VrsuFgzl/Vd6xdh3QM8/wrhVUaQ5cuL21WX5b/yGwMgfx7N0Mo/TD8C_2B65Qx/AjO_2FbKEwb4_2/F_2BeR_2FNQnaVdcO9fw9/0tcdR5gf/BnsJqHQ.bmp

/images/bhdnlmT9XBki/eeBkXFpZ2_2/BIUevLJSK1DH7F/oSfXQ7Rux_2B0Bf4nlrOV/fBU1n53oTQ_2F0LF/gMbnUzQAawsRTmv/EgAQkDR8juRnvtyXFm/ZF_2Beno_/2BciFFJ6KvHQUXLL1F6G/FA_2B1HNF_2BMiTdsyu/zRxlZuVM/Z.gif

(Note the use of ‘/images/’ and the extensions ‘.gif’ and ‘.bmp’)