Info-Stealing File Infector Hits US, UK

We noticed a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware is always considered high risk, but these URSNIF variants can cause damage beyond info-stealing: they are file infectors, which is the cause of the noted spike.

Infection Data

Based on feedback from the Smart Protection Network, the countries most affected by the spike are the United States and the United Kingdom. These two countries account for nearly 75% of all infections related to these URSNIF variants. Canada and Turkey are the next most affected countries.


Figure 1. Countries affected by URSNIF spike, based on data gathered for December 2014 so far

Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike.

URSNIF, the File Infector

A typical PE infector patches the host file so that the malicious code runs either in place of, or before, the host's own code, using techniques such as cavity, appending, or prepending infection, or entry point obfuscation. This URSNIF variant, detected as PE_URSNIF.A-O, takes a different approach: it embeds the host file in its own resource section.


Figure 2. Embedded .PDF file in URSNIF's resource section

It infects all .PDF, .EXE, and .MSI files found on removable drives and network drives. URSNIF packs each file it finds and embeds it in its resource section. When an infected file is executed, it drops the original file in %User Temp% (as ~{random}.tmp.pdf or ~{random}.tmp.exe) and then executes it, so the user sees the expected document or program open and has no reason to suspect anything.


Figure 3. Visual representation of infection chains for .PDF, .EXE, and .MSI files

For .PDF files, it deletes the original and creates an .EXE file with the file name of the original .PDF. For .MSI and .EXE files, it inserts its code into the executable itself. It only infects .EXE files with "setup" in the file name.


Figure 4. Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB.

For .MSI files, the original file is executed first, followed by the malware code. For .PDF and .EXE files, the result is a dropper-like Trojan that drops and executes both the original file and the main file infector.
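As an added example (not code from the original post or from Trend Micro), the following Python script walks a PE file's resource directory and reports resources that begin with a PDF or PE header, which is the trace this infection technique leaves behind: the original host stored in .rsrc. It builds its own synthetic PE32 as test input; the resource type, id and language it uses are assumptions, and so is the assumption that the embedded host is stored in cleartext. The post says URSNIF packs the file, so against a real sample this check applies to the dropped or unpacked copy, or needs the pack format added, which the post does not describe.

```python
"""Triage helper for the infection technique described above: walk a PE's
resource directory and flag resources that begin with a PDF or PE header, i.e.
a host file stashed in .rsrc. Added example, not Trend Micro's code.
build_sample_pe() constructs a synthetic PE32 for the demo; the resource
type (10 = RT_RCDATA), id and language it uses are assumptions, as is the
assumption that the embedded host is stored unpacked (the post says URSNIF
packs it, so on a real sample run this after unpacking)."""
import struct
import sys

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2   # index into the optional header's DataDirectory


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def find_embedded_hosts(data):
    """Return [(resource path 'type/id/lang', kind, size)] for every resource
    data entry that starts with a PDF or PE header."""
    if data[:2] != MZ_MAGIC:
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = 96 if magic == 0x10B else 112          # PE32 vs PE32+ layout
    rsrc_rva = struct.unpack_from("<I", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)[0]
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if rsrc_rva == 0:
        return []
    base = _rva_to_offset(rsrc_rva, sections)
    hits = []

    def walk(dir_off, path):
        # IMAGE_RESOURCE_DIRECTORY: counts of named and id entries sit at +12
        n_named, n_id = struct.unpack_from("<HH", data, base + dir_off + 12)
        entry = base + dir_off + 16
        for _ in range(n_named + n_id):
            name, off = struct.unpack_from("<II", data, entry)
            entry += 8
            sub = path + [name & 0x7FFFFFFF]
            if off & 0x80000000:                     # high bit: another directory level
                walk(off & 0x7FFFFFFF, sub)
            else:                                    # IMAGE_RESOURCE_DATA_ENTRY
                data_rva, size = struct.unpack_from("<II", data, base + off)
                start = _rva_to_offset(data_rva, sections)
                blob = data[start:start + size]
                kind = "pdf" if blob.startswith(PDF_MAGIC) else "pe" if blob.startswith(MZ_MAGIC) else None
                if kind:
                    hits.append(("/".join(map(str, sub)), kind, size))

    walk(0, [])
    return hits


def build_sample_pe(payload):
    """Construct a minimal PE32 whose single .rsrc section holds `payload`
    under type 10 / id 1 / language 0. Synthetic test input, not malware."""
    rsrc_rva, rsrc_raw = 0x1000, 0x200

    def level(child_off, name_id, is_dir):
        # one-entry IMAGE_RESOURCE_DIRECTORY followed by its single entry
        return (struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)
                + struct.pack("<II", name_id, child_off | (0x80000000 if is_dir else 0)))

    tree = level(24, 10, True) + level(48, 1, True) + level(72, 0, False)
    tree += struct.pack("<IIII", rsrc_rva + 88, len(payload), 0, 0) + payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE] = (rsrc_rva, len(tree))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".rsrc".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(tree), rsrc_rva, len(tree), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    header = dos + b"PE\0\0" + coff + opt + sect
    return header.ljust(rsrc_raw, b"\0") + tree


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        sample = build_sample_pe(b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n")
    for path, kind, size in find_embedded_hosts(sample):
        print("resource %s carries an embedded %s of %d bytes" % (path, kind, size))
```

Run it with a file path to scan a suspect executable, or with no arguments to scan the built-in synthetic sample. A cheaper companion check follows from the figures above: an infected document has grown in size and now carries an .EXE extension, so comparing a share or removable drive against a known file listing catches the rename even when the embedded payload is packed.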

Expansion of Routines

The URSNIF family is better known as spyware. Variants can monitor network traffic by hooking network APIs used by popular browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox, and they are also known for gathering information. That a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines.

The expansion into file infection can also be seen as strategic. Each file infector type (appending, for example) requires its own detection logic in security solutions, and not every solution may have it. Another notable feature of this particular malware is that it starts its infection routine only 30 minutes after execution. This can be viewed as an anti-sandboxing technique, as most sandbox tools monitor a sample for only about two to five minutes.

Countermeasures

Users should be vigilant about protecting their devices against threats, including URSNIF. Paying attention to small details can help, as the comparison of the .PDF files above shows: the infected document is noticeably larger than the clean one and, as described above, has become an .EXE file.

As this variant can spread via removable drives and network shares, users must also take additional precautions. Users should never plug removable drives into unknown computers or computers that are not protected by a security solution. IT admins should also configure network shares properly: computers should not be given blanket access within the network, and share access can be set to read-only rather than read-write where write access is not needed.

Users should also rely on security solutions that can keep up with the constantly changing threat landscape. URSNIF variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services, which can detect and block spam and other email-related threats, can greatly boost a computer's security.

Trend Micro detects infected .PDF and .EXE files as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.

Hashes (SHA-1) of the related files:

  • dd7d3b9ea965af9be6995e823ed863be5f3660e5
  • 44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
  • EFC5C6DCDFC189742A08B25D8842074C16D44951
  • FD3EB9A01B209572F903981675F9CF9402181CA1

Post from: Trendlabs Security Intelligence Blog – by Trend Micro



Story added 12 December 2014; the full text is available from the content source above.