So, today let's talk about Ursnif and its recent evolutions. Yesterday evening I saw
this blog post riddled with errors (Rovnix and Ursnif are two different malware
families), so here is my take on it. The first sample I found that sparked my
interest is dated 24/04/2014, but I wouldn't be surprised to see older samples
with these characteristics as well. As you can see in the kernelmode post I made
with the sample config, "ISFB" is the internal Ursnif (not Rovnix!) name, and it
was mainly version 2.2 that was distributed at the time. I'd like to thank
@kafeine for providing me with a lot of the samples analyzed in this post.
So, back to this 24/04/2014 sample. I was intrigued to see that there is now a
string decryption function present in the binary. The function is quite simple.
First it searches for the .bss section, which contains the encrypted strings. Then
a XOR key is generated from the embedded build date and the VirtualAddress +
SizeOfRawData of the .bss section. Here is what this function looks like in
Hex-Rays:
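To make the lookup concrete, here is an added example (my own reconstruction, not the decompiled function from the sample): it walks a PE section table to find .bss, takes VirtualAddress + SizeOfRawData, and mixes that with the build-date string into a dword XOR key. The post does not spell out the exact mixing, so derive_key and the plain dword XOR in xor_dwords are assumptions chosen to show the mechanics; the minimal PE image, the date "Apr 24 2014" and the sample strings are constructed.

```python
import struct

# Added example, not the malware's code. The key derivation below is a
# stand-in assumption: the post only says the key comes from the build date
# and VirtualAddress + SizeOfRawData of .bss, not how they are combined.


def find_section(image: bytes, name: bytes):
    """Return (VirtualAddress, SizeOfRawData, PointerToRawData) for the
    section called `name` by walking the PE section table, or None."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    sect = coff + 20 + size_opt               # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        sname = image[sect:sect + 8].rstrip(b"\0")
        _vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, sect + 8)
        if sname == name:
            return va, rawsize, rawptr
        sect += 40
    return None


def derive_key(date_str: bytes, va: int, rawsize: int) -> int:
    """Hypothetical derivation: fold the date string into dwords and XOR
    them with VirtualAddress + SizeOfRawData of .bss."""
    key = (va + rawsize) & 0xFFFFFFFF
    padded = date_str + b"\0" * (-len(date_str) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        key ^= word
    return key


def xor_dwords(data: bytes, key: int) -> bytes:
    """Dword-wise XOR with a fixed 32-bit key (self-inverse)."""
    padded = data + b"\0" * (-len(data) % 4)
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", padded):
        out += struct.pack("<I", word ^ key)
    return bytes(out[:len(data)])


def decrypt_bss(image: bytes, date_str: bytes) -> bytes:
    """Locate .bss, derive the key and return the decrypted section bytes."""
    found = find_section(image, b".bss")
    if found is None:
        raise ValueError(".bss section not found")
    va, rawsize, rawptr = found
    key = derive_key(date_str, va, rawsize)
    return xor_dwords(image[rawptr:rawptr + rawsize], key)


def build_test_image(bss_va=0x7000, bss_raw=0x200, bss_ptr=0x600, bss_data=b""):
    """Constructed minimal PE32 layout: .text plus a .bss section whose
    RVA 0x7000 mirrors the .bss0:00407000 strings listed in the post."""
    opt = b"\x0b\x01" + b"\0" * 222           # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x53590000, 0, 0, len(opt), 0x102)
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + coff + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".bss", bss_raw, bss_va, bss_raw, bss_ptr,
                       0, 0, 0, 0, 0xC0000040)
    image = hdr + b"\0" * (bss_ptr - len(hdr)) + bss_data.ljust(bss_raw, b"\0")
    return bytes(image)


if __name__ == "__main__":
    date_str = b"Apr 24 2014"
    plain = b"version=%u&user=%s\0subjenec.tk\0"
    key = derive_key(date_str, 0x7000, 0x200)
    image = build_test_image(bss_data=xor_dwords(plain, key))
    print("key = %08x" % key)
    print(decrypt_bss(image, date_str)[:len(plain)])
```

Against a real sample you would replace build_test_image with the bytes of the unpacked DLL and feed the compile date string found in the binary; a wrong date gives garbage rather than an error, which is the check to keep in mind when a build changes the mixing.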
The DLL unpacking is almost the same (aPLib). The only noticeable change is
that the structure ID is now "J1" instead of "FJ" in the PE header (see picture
below). One last big change is the injection of the Ursnif DLL component into
explorer.exe; before, it was dropped into %system32%. This injection is kind of
crappy imo: the malware kills explorer and then spawns a new instance to inject
itself into, which is not really stealthy.
On to the DLL now. We have a URL in the binary, maybe a C&C one
(subjenec.tk). Now on to the embedded configuration, and as you
can see it is quite different. As the C&C was dead when I came upon this
sample, I can't provide any more details on it.
600 -> ConfigTimeout
4320 -> ?
126.96.36.199/2.php <- encrypted data file
2022 -> Group
The next sample I got is from 29/04/2014 and it has some
interesting differences. There are some new strings which indicate the
introduction of anti-VM checks. The DLL files are now stored as resources
in the dropper with the names 'C132' and 'C164'. A PRNG has also been
added. This PRNG comes from the Rovnix source code and is used to generate a
unique GUID (as seen in
00401785 PUSH ursnif2_.0040519C ASCII "ISFB REG FILE"
00401792 PUSH ursnif2_.004051AC ASCII "ISFB REG KEY"
00401A7D PUSH ursnif2_.004051CC ASCII "HARDWARE\ACPI\DSDT\PTLTD_"
00401AB0 PUSH ursnif2_.004051E8 ASCII "HARDWARE\ACPI\DSDT\VBOX__"
00401AC7 PUSH ursnif2_.00405204 ASCII "HARDWARE\ACPI\DSDT\AMIBI"
Let's talk about the DLL module. Concerning the DGA / CAB compression /
C&C communication, the post does a good job analyzing them. I'll just add
that the DGA TLDs are not always the same between the few variants I have seen
using it. In this campaign, the TLDs used are: .eu / .cn / .biz / .net / .com.
The C&C address is termsrightfrthem.biz, now dead.
000000011C54 000010013654 0 c:\prj\ISFB\release(unpacked)\client.pdb <- pdb path found in the client.dll module
.bss0:00407000 0000004B C version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x&wdata=%04u%02u%02u
.bss0:0040704B 00000041 C version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
.bss0:0040708C 0000003D C version=%u&user=%s&server=%u&id=%u&crc=%x&wdata=%04u%02u%02u
.bss0:004070C9 00000033 C version=%u&user=%s&server=%u&id=%u&type=%u&name=%s
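The four format strings above are the whole shape of the beacon query string, which makes them usable as a detection pattern. As an added example (not code from the post or from the malware), the parser below matches the four layouts, decodes the %u / %x fields and the YYYYMMDD wdata, and runs over a few constructed proxy-log lines to flag beacons. The hosts subjenec.tk and termsrightfrthem.biz come from this post; every other value in the sample lines is made up.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Added example. Field order and types follow the format strings in the
# post: %u -> decimal, %x -> hex, the 128-bit user id is four %08x words,
# wdata is %04u%02u%02u (assumed to be year, month, day).
_USER128 = r"(?P<user>[0-9a-f]{32})"
_USERSTR = r"(?P<user>[^&]+)"
_HEAD = r"^version=(?P<version>\d+)&user=%s&server=(?P<server>\d+)&id=(?P<id>\d+)"
_CRC = r"&crc=(?P<crc>[0-9a-f]+)&wdata=(?P<wdata>\d{8})$"
_TYPE = r"&type=(?P<type>\d+)&name=(?P<name>[^&]*)$"

# Order matters: the 32-hex user id also matches [^&]+, so test it first.
_TEMPLATES = {
    "crc_user128": re.compile(_HEAD % _USER128 + _CRC),
    "type_user128": re.compile(_HEAD % _USER128 + _TYPE),
    "crc_user_str": re.compile(_HEAD % _USERSTR + _CRC),
    "type_user_str": re.compile(_HEAD % _USERSTR + _TYPE),
}


def classify_query(qs: str):
    """Return a dict of decoded fields and the matching template name,
    or None when the query string is not one of the four layouts."""
    for name, rx in _TEMPLATES.items():
        m = rx.match(qs)
        if not m:
            continue
        f = m.groupdict()
        out = {"template": name, "version": int(f["version"]), "user": f["user"],
               "server": int(f["server"]), "id": int(f["id"])}
        if "crc" in f:
            out["crc"] = int(f["crc"], 16)
            w = f["wdata"]
            try:
                out["wdata"] = date(int(w[:4]), int(w[4:6]), int(w[6:])).isoformat()
            except ValueError:
                out["wdata"] = w          # keep the raw field if not a real date
        else:
            out["type"] = int(f["type"])
            out["name"] = f["name"]
        return out
    return None


def scan_log(lines):
    """Pull URLs out of whitespace-separated log lines and return
    (hostname, decoded fields) for every beacon-shaped query string."""
    hits = []
    for line in lines:
        for tok in line.split():
            if "://" not in tok or "?" not in tok:
                continue
            parts = urlsplit(tok)
            parsed = classify_query(parts.query)
            if parsed is not None:
                hits.append((parts.hostname, parsed))
    return hits


# Constructed proxy-log lines for the demonstration.
SAMPLE_LOG = [
    "2014-04-24T10:01:02Z 10.0.0.5 GET http://subjenec.tk/2.php?version=2"
    "&user=0123456789abcdef0123456789abcdef&server=12&id=2022&crc=1a2b"
    "&wdata=20140424 200",
    "2014-04-24T10:01:09Z 10.0.0.7 GET http://example.org/search?q=ursnif 200",
    "2014-04-24T10:02:41Z 10.0.0.5 POST http://termsrightfrthem.biz/3.php?version=2"
    "&user=0123456789abcdef0123456789abcdef&server=12&id=2022&type=1"
    "&name=data.cab 200",
]

if __name__ == "__main__":
    for host, fields in scan_log(SAMPLE_LOG):
        print(host, fields)
```

The anchored regexes are deliberately strict: the id, server and version fields are decimal and the parameter order is fixed by the format string, so a match on a real proxy log is a strong signal, while a looser "contains version= and user=" rule would fire on plenty of legitimate traffic.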
The next sample I got has a timestamp dating it to
10/06/2014, but no string encryption this time. This is
sample 2 from campaign 1 in the blog post, the same variant as the previously
described one. The C&C I got with this one:
Moving on to the next sample now, the first I got with Rovnix bootkit
integration. It is interesting to note that Rovnix and Ursnif have been closely
related in the past, sharing the exact same component unpacking code ("FJ"
bytes in the structures in the PE header to retrieve the aPLib-packed
components), and the C&C infrastructure was the same (same panels). With
the integration of the Rovnix bootkit into Ursnif, the code of these two
malware families is blended even further. This sample has a timestamp dating
it to 20/06/2014. After unpacking the sample we can see
that two new modules have been added to the dropper. These two new components
are the Rovnix ring0 and MBR modules. The Rovnix bootkit install code is the
same as the leaked
RC6 Key : F223456789ABCDEF
Additional config in the DLL:
The next bootkit sample I got is timestamped 01/08/2014. Interestingly
enough, this time the C&C communication protocol is the CAB one.
C&C URLs:
This C&C was active until this week, and it reached ~70k bots in 3
months. Not bad for Ursnif imo (sorry, no screenshots, I always forget). The
panel wasn't that interesting anyway.
Intriguingly, a few variants seem to be distributed at the same time in
the wild. In a sample with a timestamp dating it to
28/06/2014, we have no bootkit but the DGA variant instead.
The TLDs used in this one are .tk / .ru / .biz / .com / .net. The C&C address
was regisforbelowactu.net and the RC6 key is
0123456789ABCE21. The decrypted configuration, 10 60 10 60 30,
gives us nothing interesting. The same campaign with a
03/08/2014 timestamp has a slightly different config: 60
60 60 60 30 1004. The 13/08/2014 timestamped version gives us two more
C&C URLs: withouttheterms.com and ebibobrov3945.net. On
18/08/2014 the RC6 key was changed to
THe04ihgUaSZlMnP. The config was: 60 60 60 60 30 1000, and the TLDs
were: .com / .net / .biz / .ru. On 04/09/2014 I observed
another big change in the C&C panel: they are now named IAP (see the
picture below) and it looks like a totally revamped version of the old panel. If
you want to see the internals of a panel you can refer to the CSIS blog post.
Let's see the config for this sample:
ourdeclendeavored.ru salapowersalonenature.ru circumestablished.su murdersknown.biz hisandsuchprov.ru assumeoppothgoverfaprote.biz assumeoppothgoverfaprote.info
300 60 300 300 300 10 4004
I got only one sample in July, with a 23/07/2014 timestamp.
This is very similar to the DGA variant with a few differences in the C&C /
command parsing part (the main difference in fact is the disappearance of the
DGA). This sample copies itself into %system32% and still injects its DLL into
explorer. RC6 key for this variant: 5C3F6970EE00A01D, config:
10800 5400 300 600 300 60 1000. Let's see an example of a request to
the C&C:
In the few samples I have seen of this variant, the paths have always been
the same:
In the 10/09/2014 version:
I think I have covered almost all the important evolutions of Ursnif from
April to September. In the samples I got in September, nothing
changes except the configs / C&C URLs, which are still being updated. It's
time to draw some conclusions. I think there are three actively
distributed Ursnif variants in the wild.
- The first one, with the RC6 key F223456789ABCDEF, is the Ursnif blended with
Rovnix. The first trace of this variant I found goes back to April and it is
- The second one is the DGA-based variant. The RC6 keys seem to change quite
often, and this is the variant described in the CSIS post. They are operating
the IAP C&C.
- The third one (and I'm not 100% sure about this one) is the .su C&C
based variant. It is the least frequent one.
I hope this post has shed some light on the state of the Ursnif threat and
its recent evolution.
Edit 05/12/2014:
Further proof that multiple versions of Ursnif are distributed in the wild:
Debug string inside an Ursnif binary with timestamp 16/07/2014:
ISFB_0d10: ISFB client DLL version 3.5, client ID: 1000
Debug string inside an Ursnif binary with timestamp 01/12/2014:
ISFB_0a10: ISFB client DLL version 2.12, build 398, group 1000