
Info-Stealing File Infector Hits US, UK

  • Posted on: December 11, 2014 at 5:15 pm
  • Posted in: Malware
  • Author:
    RonJay Caragay (Threat Response Engineer)

We noticed that there has been a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware is always considered high risk, but these URSNIF variants can cause damage beyond info-stealing: they are file infectors, which is the cause of the noted spike in detection counts.

Infection Data

Based on feedback from the Smart Protection Network, the countries most affected are the United States and the United Kingdom. These two countries comprise nearly 75% of all the infections related to these URSNIF variants. Canada and Turkey are the next countries most affected.


Figure 1. Countries affected by URSNIF spike, based on data gathered for December 2014 so far

Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike.

URSNIF, the File Infector

Typical PE infectors use the host file to execute their code, or run their own code before passing control to the host file's code. They patch host files by inserting malicious code through techniques such as cavity, appending, or prepending infection, or entry point obfuscation. This URSNIF variant, detected as PE_URSNIF.A-O, instead inserts the host file into its own resource section.


Figure 2. Embedded .PDF file in URSNIF’s resource section

It infects .PDF, .EXE, and .MSI files found on all removable drives and network drives. URSNIF packs the found files and embeds them in its resource section. When these infected files are executed, they drop the original file in %User Temp% (~{random}.tmp.pdf, ~{random}.tmp.exe) and then execute it, so that the user believes the opened file is still intact.


Figure 3. Visual representation of infection chains for .PDF, .EXE, and .MSI files

After deleting the original .PDF file, it creates an .EXE file using the file name of the original .PDF file. For .MSI and .EXE files, it inserts its code into the existing executable. It only infects .EXE files with “setup” in the filename.


Figure 4. Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB.

Infected .MSI files execute the original file first before running the malware code. Infected .PDF and .EXE files become a dropper-like Trojan, which drops and executes both the original file and the main file infector.
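As an added defender-side example (not code from this post or from Trend Micro), the Python heuristics below look for the two artifacts described above: a PE that carries a PDF, an OLE/MSI image or a second PE image inside it, and dropped originals named ~{random}.tmp.pdf / ~{random}.tmp.exe. The tag names and the in-memory sample files are constructed for illustration; since the post notes that URSNIF packs the host file before embedding it, the embedded-magic check is a triage aid for unpacked carriers, not a substitute for a signature.

```python
import os
import re
import struct
# File magics of the host formats the post says URSNIF embeds in its resource section.
HOST_MAGICS = {"pe-embeds-pdf": b"%PDF-",
               "pe-embeds-ole-msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"}
DROPPED_RE = re.compile(r"^~.*\.tmp\.(pdf|exe)$", re.I)  # dropped originals: ~{random}.tmp.pdf/.exe

def has_nested_pe(data):
    """True if an MZ header past offset 0 has an e_lfanew that lands on 'PE\\0\\0'."""
    pos = data.find(b"MZ", 1)
    while pos != -1 and pos + 0x40 <= len(data):
        hdr = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
        if pos + 0x40 <= hdr < pos + 0x1000 and data[hdr:hdr + 4] == b"PE\0\0":
            return True
        pos = data.find(b"MZ", pos + 1)
    return False

def classify(name, data):
    findings = []  # empty list means nothing suspicious
    if DROPPED_RE.match(name):
        findings.append("dropped-original-name")
    if data[:2] == b"MZ":  # only a PE can be the carrier
        findings += [tag for tag, magic in HOST_MAGICS.items() if magic in data[2:]]
        if has_nested_pe(data):
            findings.append("pe-embeds-pe")
    return findings

def scan_dir(root):
    """Walk a share or removable drive; return {relative path: findings}."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            with open(os.path.join(dirpath, fn), "rb") as fh:
                findings = classify(fn, fh.read())
            if findings:
                hits[os.path.relpath(os.path.join(dirpath, fn), root)] = findings
    return hits

def demo():
    """Constructed, harmless in-memory samples (not real malware) run through classify()."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 32
    samples = {
        "setup.exe": mz + b"code" * 8,                          # clean PE: no findings
        "report.exe": mz + b"\0" * 16 + b"%PDF-1.4 host doc",   # PE carrying a PDF
        "installer.exe": mz + b"\0" * 16 + HOST_MAGICS["pe-embeds-ole-msi"] + b"msi",
        "setup2.exe": mz + b"\0" * 16 + mz,                     # PE carrying a PE
        "~ab12.tmp.pdf": b"%PDF-1.4 dropped original",          # dropped-original name
    }
    return {n: classify(n, d) for n, d in samples.items() if classify(n, d)}
```

Legitimate installers that bundle a payload PE will also trigger "pe-embeds-pe", so treat hits as candidates for the signature-based check rather than verdicts.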

Expansion of Routines

The malware family URSNIF is better known as spyware. Variants can monitor network traffic by hooking network APIs related to top browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox. It is also known for gathering information. However, the fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines.

The expansion into file infection can also be seen as a strategic one. A different file infector type (e.g., appending) requires a different detection in security solutions, and not all solutions may have this detection. Another notable feature of this particular malware is that it starts its infection routine 30 minutes after its execution. This could be viewed as an anti-sandboxing technique, as most sandbox tools monitor malware for only about two to five minutes.

Countermeasures

Users should be vigilant about protecting their devices against threats, including URSNIF. Paying attention to the little details can actually help, as the comparison of the .PDF files above shows.

As this variant can spread via removable drives and network shares, users must also exercise additional safety measures. Users should never plug removable drives into unknown computers or computers that aren’t protected by some form of security solution. IT admins should also properly configure network shares. For example, computers shouldn’t be given blanket access within the network. Network access can also be configured to read only, not read-write.

Users should also rely on security solutions that are able to keep up with the ever dynamic threat landscape. URSNIF variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services, which can detect and block spam and other email-related threats, can greatly boost a computer’s security.

Trend Micro detects infected .PDF and .EXE files as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.

Hashes of the related files:

  • dd7d3b9ea965af9be6995e823ed863be5f3660e5
  • 44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
  • EFC5C6DCDFC189742A08B25D8842074C16D44951
  • FD3EB9A01B209572F903981675F9CF9402181CA1
