We noticed that there has been a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware are always considered high risk, but these URSNIF variants can cause damage beyond info-stealing. These URSNIF variants are file-infectors—which is the cause of the noted spike in detection counts.
Infection Data
Based on feedback from the Smart Protection Network, the countries most affected are the United States and the United Kingdom. These two countries comprise nearly 75% of all the infections related to these URSNIF variants. Canada and Turkey are the next countries most affected.
Figure 1. Countries affected by URSNIF spike, based on data gathered for December 2014 so far
Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike.
URSNIF, the File Infector
Normal PE infectors use the host file to execute its code or execute its code before executing the host’s file code. It patches the host files by inserting malicious code through techniques like cavity, appending, pre-pending viruses, or entry point obfuscation. However, this URSNIF variant, detected as PE_URSNIF.A-O, seems to insert the host file into its resource section.
Figure 3. Embedded .PDF file in URSNIF’s resource section
It infects .PDF, .EXE, and .MSI files found in all removable drives and network drives. URSNIF packs the found files and embeds them to its resource section. When these infected files are executed, they will drop the original file in %User Temp% (~{random}.tmp.pdf, ~{random}.tmp.exe) and then execute it to trick the user that the opened file is still fine.
Figure 3. Visual representation of infection chains for .PDF, .EXE, and .MSI files
After deleting the original .PDF file, it will create an .EXE file using the file name of the original .PDF file. As for .MSI and .EXE files, it will insert its code to the current executable. It will only infect .EXE files with “setup” on its filename.
Figure 3. Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB.
For MSI files, they will execute the original file first before executing the malware code. For .PDF and .EXE files, they will produce a dropper-like Trojan, which will drop and execute the original file and the main file infector.
Expansion of Routines
The malware family URSNIF is more known as a spyware. Variants can monitor network traffic by hooking network APIs related to top browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox. It is also known for gathering information. However, the fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines.
The expansion into file infection can also be seen as a strategic one. A different file infector type (e.g., appending) requires a different detection for security solutions; not all solution may have this detection. Another notable feature for this particular malware is that it starts its infection routine 30 minutes after its execution. This could be viewed as an anti-sandboxing technique as most sandbox tools monitor malware for about two to five minutes only.
Countermeasures
Users should then be vigilant about protecting their devices against threats, including URSNIF. Paying attention to the little details can actually help, as we can see in the comparison of the .PDF files above.
As this variant can spread via removable drives and network shares, users must also exercise additional safety measures. Users should never plug removable drives into unknown computers or computers that aren’t protected by some form of security solution. IT admins should also properly configure network shares. For example, computers shouldn’t be given blanket access within the network. Network access can also be configured to read only, not read-write.
Users should also rely on security solutions that are able to keep up with the ever dynamic threat landscape. URSNIF variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services which can detect and block spam and other email-related threats can greatly boost a computer’s security.
Trend Micro detects infected .PDF and .EXE files as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.
Hash of the related file:
- dd7d3b9ea965af9be6995e823ed863be5f3660e5
- 44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
- EFC5C6DCDFC189742A08B25D8842074C16D44951
- FD3EB9A01B209572F903981675F9CF9402181CA1
