In July 2017, security researchers have spotted a new version of the proficient Ursnif banking trojan that comes with a clever trick to avoid sandbox environments and automated virtual machines by using mouse movements to detect if a real user is interacting with the computer.
The general idea is to detect if the mouse cursor’s position moves, something that does not happen in security testing and malware analysis environments, where the mouse cursor remains in the same position during the entire scanning and analysis operations.
Ursnif has a history of clever tricks
We’re used to these clever tricks from Ursnif. This banking trojan has been a breeding ground for new malware techniques.
For example, in the summer of 2016, Ursnif was one of the first banking trojans and malware families to consistently use the Tor network to hide its command and control (C&C) servers.
During the same summer, we’ve also seen Ursnif test and deploy other innovative anti-detection and VM-evasion techniques.
Checking file names – Files submitted to analysis are usually renamed to their MD5 or SHA256 hash, using only hexadecimal characters (0123456789ABCDEFabcdef). If Ursnif found local files containing alphanumeric characters such as “t,” “R,” or “#,” then it knew it was running on a regular PC.
Checking local PC for apps with graphical interfaces – VMs run a small number of processes and especially very few processes with a graphical interface. If the Ursnif sample found less than 50 processes, it stopped execution, thinking it was inside a virtual machine (VM).
Check the user’s IP address – Ursnif would get the computer’s IP address and compare it to a list of IPs assigned to security companies or data centers (where researchers rent their VMs).
Check for recently opened files – Ursnif would check the number of recently opened files. Usually on VMs, this number is small, as there is no user utilizing the system for regular tasks.
These are only some of the few tricks Ursniff deployed in the past year. Its most recent campaign, the one that used the mouse movement detection technique started in April this year.
Victims would receive a spam email carrying a password protected ZIP file. Users who decompressed the file would see three Word documents.
Ursnif deployed via three nested DLL files
According to Forcepoint, the company that analyzed this most recent campaign in a report here, the documents contained the same malicious macro script. Crooks used three documents to improve their chances of users opening at least one and getting infected.
Allowing the macro to run would download a DLL file, which decompressed into another DLL file, and then into a third that would install the banking trojan.
The mouse movement motions weren’t used only for detecting the presence of a real operator or a virtual machine, but they were also used to brute-force an encryption key stored in the second DLL, and used to obtain the third DLL. All in all, the usual clever techniques that we’ve become accustomed from the Ursnif gang.
Ursnif went after Thunderbird data, not banking credentials
The most unusual part was that this version of the Ursnif trojan focused on extracting contacts and passwords from the Mozilla Thunderbird email client, rather than focusing on stealing credentials for specific banks.
“The rationale behind the Thunderbird-related functionality in this sample is unclear,” said Forcepoint researcher Yogi Gao. “This may be a first attempt at such activity, potentially meaning that more email clients or applications will be included in future releases.”