The resurgence of the Ursnif banking trojan
Earlier this month, Darktrace’s Cyber AI detected the Ursnif banking trojan, described as May’s most wanted malware, making a resurgence across its customers’ networks. This blog follows the malicious activity in one financial services company in the US, detailing how and why Darktrace Antigena stepped in and autonomously stopped the attack in real time.
Banking trojans continue to present a credible and persistent threat to organizations of all sizes across the globe. This attack was delivered via phishing email, which initiated the download of an executable file masquerading as a .cab file.
This specific banking trojan is particularly sophisticated: multiple new command and control (C2) domains were registered for the campaign, identifiable as algorithmically generated because several distinct Domain Generation Algorithms (DGAs) were observed across different networks, and the majority of these domains had been registered only the day before the campaign.
Phishing email catches organizations unaware
The malware itself was delivered via phishing email. The attack was not recognized by antivirus solutions at the time of delivery, slipping through the organization’s perimeter solutions and landing in employees’ inboxes. Unknowingly, an employee opened a disguised attachment containing macros, which downloaded an executable file masquerading as a .cab file.
Interestingly, the malware also used new User Agents imitating Zoom and Webex, a clear attempt to blend in with assumed network traffic. After the malware was downloaded, several devices were observed making connections using these Zoom or Webex User Agents to non-Zoom and non-Webex domains, another attempt to blend in.
After the downloads, Darktrace’s AI observed beaconing to rare DGA domains. The majority of these domains were Russian and registered within the previous 24 hours.
This attack managed to evade the rest of the organization’s security stack since the domains observed were recently registered and the majority of the file hashes and IoCs had not yet been flagged by OSINT tools, thus bypassing all signature-based detections. The initial file downloads also purported to be .cab files, but Darktrace’s AI identified that these were in fact executable files.
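As an added illustration of the two masquerading tricks described above (example code written for this post, not Darktrace's own detection logic), the following Python checks each download record for a URL that claims a .cab file while the payload carries a Windows PE header, and for a Zoom or Webex User-Agent sent to a host outside those products' domains. The records, the allow-listed domains and the host names are constructed for the example; a real deployment would derive the allow-list from observed traffic.

```python
from collections import namedtuple

# Magic bytes: a genuine Microsoft Cabinet archive starts with "MSCF",
# while a Windows executable (PE) starts with "MZ".
CAB_MAGIC = b"MSCF"
PE_MAGIC = b"MZ"

# Assumed allow-list: hosts a genuine Zoom or Webex client would contact.
LEGIT_UA_DOMAINS = {
    "zoom": ("zoom.us",),
    "webex": ("webex.com",),
}

# One HTTP download as a proxy or sensor might record it.
Download = namedtuple("Download", "host url user_agent body_prefix")

def masqueraded_executable(dl):
    """True when the URL claims a .cab file but the body begins with a PE header."""
    claims_cab = dl.url.lower().endswith(".cab")
    return claims_cab and dl.body_prefix.startswith(PE_MAGIC)

def ua_host_mismatch(dl):
    """True when the User-Agent imitates Zoom/Webex but the host is unrelated."""
    ua = dl.user_agent.lower()
    for product, domains in LEGIT_UA_DOMAINS.items():
        if product in ua:
            host = dl.host.lower()
            return not any(host == d or host.endswith("." + d) for d in domains)
    return False

def triage(downloads):
    """Return (host, reasons) for every record that trips at least one check."""
    findings = []
    for dl in downloads:
        reasons = []
        if masqueraded_executable(dl):
            reasons.append("masqueraded-file")
        if ua_host_mismatch(dl):
            reasons.append("ua-mismatch")
        if reasons:
            findings.append((dl.host, reasons))
    return findings

# Constructed sample records; the .test hosts are placeholders, not real IoCs.
SAMPLE = [
    Download("cdn.example-download.test", "/update/setup.cab", "Zoom 5.0", b"MZ\x90\x00\x03"),
    Download("zoom.us", "/client/latest", "Zoom 5.0", b"MSCF\x00\x00"),
    Download("files.example.test", "/pkg.cab", "Mozilla/5.0", b"MSCF\x00\x00"),
    Download("collab.example.test", "/ping", "Cisco Webex", b""),
]
```

Only the first and last sample records are flagged: the genuine Zoom client download and the real .cab package pass both checks.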
Multiple Darktrace detections, including the ‘Masqueraded File Transfer’ model and the ‘Initial Breach Chain Compromise’ model, alerted the security team to this activity. At the same time, the models triggered Darktrace’s Cyber AI Analyst to launch an automated investigation into the security incident, which surfaced additional vital information and dramatically reduced time to triage.
The case for Autonomous Response
The Ursnif banking trojan presents a particularly lethal threat: silent, stealthy, and capable of stealing vital financial information, email credentials, and other sensitive data at machine speeds. The rise of advanced malware like this demonstrates the need for security technology that can stay ahead of attackers. For this organization, the malware download and subsequent command and control activity could have represented the start of a costly attack.
Luckily, the organization had Antigena Network installed in active mode. The C2 communications from infected devices were blocked seconds after the initial connection, preventing further C2 activity and the download of any additional malware. Using information surfaced by the Cyber AI Analyst, the security team was able to catch up, and the threat was quickly contained.
This attack highlights the continuously evolving approaches used by malicious actors to evade detection. In the same week as the events described above, Darktrace identified the Ursnif malware at numerous other customers in the US and Italy, across multiple industries. Attackers are targeting businesses indiscriminately and are not slowing down.
Thanks to Darktrace analysts Grace Carballo and Hiromi Watanabe for their insights on the above threat find.
To learn how cyber-criminals are using AI to augment their attacks, download the White Paper: The Battle of the Algorithms
Indicators of compromise

| Indicator | Description |
|---|---|
| tobmojiol2adf[.]com | C2 domain, registered July 9 |
| qumogtromb2a[.]com | Not yet registered |
| amehota2gfgh[.]com | C2 domain, registered July 8 |
| gofast22gfor[.]com | C2 domain, registered July 8 |
| xquptbabzxhxw[.]com | Not yet registered |
| e9bja[.]com | Masqueraded file download source |
| 9ygw2[.]com | Masqueraded file download source |
| n2f79[.]com | Masqueraded file download source |
| ioyyf[.]com | Masqueraded file download source |
| hq3ll[.]com | Masqueraded file download source |
Darktrace model breaches
- Anomalous File / Masqueraded File Transfer
- Compromise / Sustained TCP Beaconing Activity to Rare Endpoint
- Compromise / HTTP Beaconing to Rare Destination
- Compromise / Slow Beaconing Activity to External Rare
- Compromise / Beaconing Activity to External Rare
- Device / Initial Breach Chain Compromise