TrojanSpy:Win32/Ursnif.CU is a trojan that steals sensitive information from an affected machine.
Installation
When executed, TrojanSpy:Win32/Ursnif.CU copies itself to the following location:
%windir%\9129837.exe
It modifies the registry to execute this copy at each Windows start:
Adds value: "ttool"
With data: "%windir%\9129837.exe"
To subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The trojan then executes its copy. It drops the following batch file in the current directory:
abcdefg.bat
and runs it to delete the original executable.
When %windir%\9129837.exe is run, it drops and installs the driver "%windir%\new_drv.sys".
This component may be detected as VirTool:WinNT/Ursnif and is used to provide stealth (see the Payload section below for further detail).
Payload
Steals Sensitive Information
Win32/Ursnif uses several methods to steal sensitive data from an affected machine, both in transit over the network and at rest on disk. It targets the following:
- Clear text passwords in transit
The trojan attempts to steal clear text passwords transmitted over the network. It listens to all network traffic on every interface of the machine and checks it for strings from common protocols that transmit passwords in clear text, for example FTP, POP3, IMAP and TELNET. Any credentials found are posted to a remote location.
- Protected Storage
The trojan attempts to steal passwords and credentials that are stored using protected storage.
- Certificate Store
Ursnif attempts to steal certificates and private keys from the certificate store.
- Running Processes
Ursnif variants may inject code into running processes that patches the following APIs to redirect to its own code:
CreateProcessA
CreateProcessW
InternetReadFile
HttpSendRequestA
HttpSendRequestW
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle
InternetQueryDataAvailable
It does this to inspect and steal any relevant information passed to these APIs and to inject its own code into any newly created process. The WinINet hooks see request and response data in the clear, because those functions handle it before encryption and after decryption, so HTTPS sessions give no protection against them. The stolen information is then posted to a remote site. TrojanSpy:Win32/Ursnif.CU injects code into all running processes, for example:
explorer.exe
msmsgs.exe
smss.exe
svchost.exe
wmiprvse.exe
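The credential capture described under "Clear text passwords in transit", as an added example that is not code from the original description or from the malware: a passive extractor that runs over already-reassembled TCP conversations and pulls FTP and POP3 USER/PASS pairs, IMAP LOGIN commands and TELNET logins. The stream format (a dict with the server port and the bytes in each direction) and all sample conversations are constructed for this example; a real sniffer would first reassemble streams per connection. The same logic, pointed at a capture file, is also how a defender confirms which credentials were exposed on a segment the trojan was sniffing.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Telnet option negotiation interleaved with keystrokes:
# IAC SB ... IAC SE, IAC DO/DONT/WILL/WONT <opt>, IAC <cmd>.
_IAC = re.compile(rb"\xff\xfa.*?\xff\xf0|\xff[\xfb-\xfe].|\xff.", re.S)

# IMAP: "<tag> LOGIN <user> <password>"; either token may be a quoted string.
_IMAP_LOGIN = re.compile(rb'^\S+ LOGIN ("[^"]*"|\S+) ("[^"]*"|[^\r\n]+)', re.M | re.I)


def _dec(b: bytes) -> str:
    return b.decode("utf-8", errors="replace")


def _user_pass_lines(c2s: bytes) -> Iterator[Tuple[str, str]]:
    """FTP and POP3 both send 'USER x' followed later by 'PASS y', one command per line."""
    user = None
    for raw in c2s.split(b"\n"):
        cmd, _, arg = raw.strip(b"\r ").partition(b" ")
        if cmd.upper() == b"USER":
            user = arg
        elif cmd.upper() == b"PASS" and user is not None:
            yield _dec(user), _dec(arg)
            user = None


def extract_credentials(streams: List[Dict]) -> List[Dict[str, str]]:
    """streams: reassembled conversations, each {'port': server port,
    'c2s': client->server bytes, 's2c': server->client bytes}."""
    found: List[Dict[str, str]] = []
    for s in streams:
        port, c2s, s2c = s["port"], s["c2s"], s.get("s2c", b"")
        if port in (21, 110):
            proto = "FTP" if port == 21 else "POP3"
            for user, pw in _user_pass_lines(c2s):
                found.append({"proto": proto, "user": user, "password": pw})
        elif port == 143:
            for m in _IMAP_LOGIN.finditer(c2s):
                found.append({"proto": "IMAP",
                              "user": _dec(m.group(1).strip(b'"')),
                              "password": _dec(m.group(2).strip(b'"'))})
        elif port == 23 and b"ogin:" in s2c and b"assword:" in s2c:
            # Heuristic: once the server has shown login/password prompts, the
            # first two lines the client typed are the username and the password.
            lines = [l for l in re.split(rb"\r\n|\r\x00|\n", _IAC.sub(b"", c2s)) if l.strip()]
            if len(lines) >= 2:
                found.append({"proto": "TELNET", "user": _dec(lines[0]), "password": _dec(lines[1])})
    return found


# Constructed sample conversations (not real captures).
SAMPLE_STREAMS = [
    {"port": 21, "c2s": b"USER alice\r\nPASS s3cret!\r\nSYST\r\n",
     "s2c": b"220 ftp ready\r\n331 Password required\r\n230 Logged in\r\n"},
    {"port": 110, "c2s": b"CAPA\r\nUSER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n"},
    {"port": 143, "c2s": b'a001 CAPABILITY\r\na002 LOGIN "carol" "pa ss"\r\na003 SELECT INBOX\r\n'},
    {"port": 23, "c2s": b"\xff\xfd\x03\xff\xfb\x18dave\r\x00letmein\r\x00ls\r\x00",
     "s2c": b"\xff\xfb\x01login: \r\nPassword: \r\n$ "},
]

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_STREAMS):
        print(cred)
```

The port is only a hint for which parser to apply; the trojan keyed on protocol strings instead, which also catches services on non-standard ports, and the same can be done here by trying every parser on every stream at the cost of more false positives. Telnet clients normally send one keystroke per packet, so the TELNET branch only works after reassembly.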
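The API patching described under "Running Processes", as an added example from the defender's side (not code from the original description or from the malware): a checker that compares the first bytes of each exported function as mapped in a process against the same bytes in the on-disk image, decodes the control transfer an inline hook plants there (JMP rel32, PUSH/RET, JMP [mem32], or a short JMP into the hot-patch slot), and flags targets that fall outside the module. The module layout, base address, export RVAs and the two planted hooks are constructed for this example; on a live system the two byte images would come from ReadProcessMemory and from the file on disk.

```python
import struct
from typing import Dict, List, Optional

PROLOGUE_LEN = 8  # bytes compared at each export's entry point


def decode_redirect(entry: bytes, va: int) -> Optional[Dict[str, object]]:
    """Recognise the control transfers an inline hook plants at a function entry (x86)."""
    if len(entry) >= 5 and entry[0] == 0xE9:                       # JMP rel32
        rel = struct.unpack_from("<i", entry, 1)[0]
        return {"kind": "jmp rel32", "target": (va + 5 + rel) & 0xFFFFFFFF}
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:  # PUSH imm32 / RET
        return {"kind": "push/ret", "target": struct.unpack_from("<I", entry, 1)[0]}
    if len(entry) >= 6 and entry[:2] == b"\xff\x25":               # JMP DWORD PTR [imm32]
        return {"kind": "jmp [mem32]", "target": struct.unpack_from("<I", entry, 2)[0]}
    if len(entry) >= 2 and entry[0] == 0xEB:                       # JMP rel8 (hot-patch slot)
        rel = struct.unpack_from("<b", entry, 1)[0]
        return {"kind": "jmp rel8", "target": (va + 2 + rel) & 0xFFFFFFFF}
    return None


def find_hooked_exports(base: int, size: int, exports: Dict[str, int],
                        memory: bytes, disk: bytes) -> List[Dict[str, object]]:
    """exports: name -> RVA. memory/disk: the module's code section as mapped in
    the process and as read from the file, laid out at the same RVAs."""
    findings: List[Dict[str, object]] = []
    for name, rva in exports.items():
        mem_bytes = memory[rva:rva + PROLOGUE_LEN]
        disk_bytes = disk[rva:rva + PROLOGUE_LEN]
        if mem_bytes == disk_bytes:
            continue
        redirect = decode_redirect(mem_bytes, base + rva) or {"kind": "unknown patch", "target": None}
        target = redirect["target"]
        findings.append({
            "api": name,
            "kind": redirect["kind"],
            "target": target,
            # Legitimate patches (hot-patching, relocations) stay inside the module;
            # a hook that lands in injected code points outside it.
            "outside_module": target is not None and not (base <= target < base + size),
            "expected": disk_bytes.hex(),
            "actual": mem_bytes.hex(),
        })
    return findings


# Constructed sample: a fake 0x100-byte code section at a kernel32-like base.
BASE, SIZE = 0x7C800000, 0x100
EXPORTS = {"CreateProcessA": 0x10, "InternetReadFile": 0x40, "HttpSendRequestA": 0x70}
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")  # mov edi,edi / push ebp / mov ebp,esp


def build_sample():
    disk = bytearray(b"\xCC" * SIZE)
    for rva in EXPORTS.values():
        disk[rva:rva + 5] = HOTPATCH_PROLOGUE
    memory = bytearray(disk)
    # Hook 1: JMP rel32 from CreateProcessA into injected code at 0x00401000.
    rel = 0x00401000 - (BASE + 0x10 + 5)
    memory[0x10:0x15] = b"\xE9" + struct.pack("<i", rel)
    # Hook 2: PUSH 0x00402000 / RET at HttpSendRequestA.
    memory[0x70:0x76] = b"\x68" + struct.pack("<I", 0x00402000) + b"\xC3"
    return bytes(memory), bytes(disk)


if __name__ == "__main__":
    mem, dsk = build_sample()
    for f in find_hooked_exports(BASE, SIZE, EXPORTS, mem, dsk):
        print(f)
```

The disk-versus-memory comparison alone is noisy: Microsoft's hot-patchable functions begin with a two-byte `mov edi, edi` precisely so that it can be replaced by a short jump, and some prologues contain relocated absolute addresses. The decoded target is the discriminator: a jump that leaves the module for a private, non-image memory region is what an Ursnif-style hook looks like.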
Opens Socks Proxy
The trojan sets up a socks proxy on a random port. Proxy servers may be used by attackers in order to hide the origin of malicious activity. The port information is posted to a remote host.
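Because the proxy listens on a random port, the practical check is to ask each unexplained listener whether it speaks SOCKS. The following is an added example, not part of the original description: it sends the SOCKS5 method-selection greeting and, failing that, a SOCKS4 CONNECT request, and classifies the first bytes that come back. The classification functions are pure and run offline on constructed replies; `probe()` is the live version and the host, port and sample replies are assumptions for this example.

```python
import socket
import struct
from typing import Optional

SOCKS5_GREETING = b"\x05\x01\x00"  # version 5, one auth method offered: 0x00 = no auth


def socks4_connect_request(ip: str = "127.0.0.1", port: int = 80, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return b"\x04\x01" + struct.pack(">H", port) + socket.inet_aton(ip) + userid + b"\x00"


def classify_reply(sent: bytes, reply: bytes) -> Optional[str]:
    """Decide from the first bytes a listener returned whether it spoke SOCKS."""
    if sent[:1] == b"\x05":
        # Method-selection reply: version 5 plus the chosen method (0x00 no auth,
        # 0x02 user/password) or 0xFF (no acceptable method); all prove SOCKS5.
        if len(reply) >= 2 and reply[0] == 0x05 and reply[1] in (0x00, 0x02, 0xFF):
            return "socks5"
    elif sent[:1] == b"\x04":
        # SOCKS4 reply: VN=0 and CD in 0x5A..0x5D (granted or one of the rejections).
        if len(reply) >= 8 and reply[0] == 0x00 and 0x5A <= reply[1] <= 0x5D:
            return "socks4"
    return None


def probe(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Connect to host:port and try the SOCKS5, then the SOCKS4 handshake.
    Returns 'socks5', 'socks4' or None (refused, timed out, or another protocol)."""
    for sent in (SOCKS5_GREETING, socks4_connect_request()):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(sent)
                reply = s.recv(16)
        except OSError:
            continue
        kind = classify_reply(sent, reply)
        if kind:
            return kind
    return None


if __name__ == "__main__":
    import sys
    # Usage: python socks_probe.py <host> <port> [<port> ...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for p in ports:
        print(p, probe(host, p) or "not SOCKS")
```

Feed it the listening ports from the host's own socket table only with the stealth component in mind: the trojan's driver hides its processes, so a listener with no visible owning process is itself a finding. Probing from another machine on the same network does not depend on anything the infected host reports.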
Update Functionality
TrojanSpy:Win32/Ursnif.CU allows unauthorized access to an affected machine. The trojan connects to a remote host and sends its version information. If the response carries an update parameter, it terminates any currently running copies of the trojan and then installs the updated version offered by the remote host (should a newer version be available).
Provides Stealth
TrojanSpy:Win32/Ursnif.CU drops a driver, %windir%\new_drv.sys, that is used to provide stealth to mask the files, registry entries and processes being used by the trojan. This component may be detected as VirTool:WinNT/Ursnif.
Stops Services
The trojan may stop the following services in an attempt to disable the firewall and other security-related services:
Additional Information
TrojanSpy:Win32/Ursnif.CU stores configuration data under the following registry entry:
HKCU\Software\Microsoft\InetData
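The installation artifacts listed above (the %windir% copy, the "ttool" Run value, the driver) and this configuration key together make a small host indicator set. The following is an added example, not code from the original description: the matching itself is a pure function over already-collected data, so it can run against an exported hive and a file listing taken from offline media, and a separate Windows-only collector feeds it through the normal user-mode APIs. The sample Run values and file list are constructed; the `windir` default is an assumption for the offline case.

```python
import os
import re
import sys
from typing import Dict, Iterable, List

# Indicators from the description above.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ttool"
DROPPED_EXE = r"%windir%\9129837.exe"
DROPPED_DRIVER = r"%windir%\new_drv.sys"
CONFIG_KEY = r"Software\Microsoft\InetData"


def _norm(path: str, windir: str) -> str:
    """Expand %windir%, drop surrounding quotes and compare case-insensitively,
    as both NTFS and the registry do. The lambda avoids backslash-escape
    handling in the replacement string."""
    return re.sub(r"%windir%", lambda _: windir, path.strip().strip('"'), flags=re.I).lower()


def evaluate(run_values: Dict[str, str], existing_files: Iterable[str],
             hkcu_keys: Iterable[str], windir: str = r"C:\Windows") -> List[str]:
    """Match collected data against the indicators; returns human-readable findings."""
    findings: List[str] = []
    exe = _norm(DROPPED_EXE, windir)
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or _norm(data, windir) == exe:
            findings.append(f"HKCU\\{RUN_KEY} value {name!r} = {data!r}")
    present = {_norm(f, windir) for f in existing_files}
    for artefact in (DROPPED_EXE, DROPPED_DRIVER):
        if _norm(artefact, windir) in present:
            findings.append(f"file present: {artefact}")
    if any(k.lower().strip("\\") == CONFIG_KEY.lower() for k in hkcu_keys):
        findings.append(f"config key present: HKCU\\{CONFIG_KEY}")
    return findings


def collect_live() -> List[str]:
    """Windows only: gather evaluate()'s inputs through the normal user-mode APIs.
    Caveat: the stealth driver described above hides exactly these files and
    keys from user mode, so a clean result from a running, infected host proves
    nothing; repeat the check from boot media or with the disk mounted elsewhere."""
    import winreg  # standard library, available only on Windows
    windir = os.environ.get("WINDIR", r"C:\Windows")
    run: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            run[name] = str(data)
    files = [p for p in (DROPPED_EXE, DROPPED_DRIVER) if os.path.exists(os.path.expandvars(p))]
    keys: List[str] = []
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, CONFIG_KEY))
        keys.append(CONFIG_KEY)
    except OSError:
        pass
    return evaluate(run, files, keys, windir)


if __name__ == "__main__":
    if sys.platform == "win32":
        hits = collect_live()
    else:
        # Constructed sample standing in for a live collection.
        hits = evaluate({"ttool": r'"C:\WINDOWS\9129837.exe"', "OneDrive": r"C:\Users\u\OneDrive.exe"},
                        [r"C:\Windows\new_drv.sys"], [CONFIG_KEY])
    print("\n".join(hits) or "no Ursnif.CU indicators")
```

Matching the Run value on either its name or its data catches a copy that was re-registered under a different value name, and expanding %windir% rather than hard-coding C:\Windows keeps the check correct on systems installed elsewhere.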
Analysis by Ray Roberts