The stealth process injection of the new Ursnif malware
While the LockPos malware, known for its novel and sophisticated evasion technique, spread and infected many point-of-sale systems, another sample circulating in the wild adopts a similar, though not identical, evasion trick. It is most likely a new variant of an older banking trojan that has been spreading since November 2017. Moreover, the command and control domain of this sample, oretola[.]at, has been sinkholed by the authorities, so it is difficult to reconstruct its full behavior and real purpose.
However, it is very interesting to analyze its stealth evasion technique, which lets it go unnoticed by many modern antivirus products. Its final stage hides the malware as a thread of the “explorer.exe” process, and this makes the analysis very difficult. To reach this goal the malware uses a sort of double process hollowing based on the Windows Native API, leveraging a system process as an intermediate host before the malicious code is injected into its final host, explorer.exe. Only after it is concealed in “explorer.exe” does it begin its malicious operations, which consist of contacting a series of compromised sites that host additional encrypted payloads. The final step of its malicious behavior is to communicate periodically with its C2, “oretola[.]at”, sending information about the victim host.
This malware probably spreads through spam emails; the message contains a URL that points to a compromised site on which the sample is hosted. We discovered the malware sample on just one of these compromised sites, an Italian blog dedicated to dolls.
Figure 1 - List of some domains resolved by the malware
First of all, this malware uses almost exclusively the Windows Native API, including its undocumented functions. This makes monitoring by antivirus products harder, since many user-mode hooks sit on the documented Win32 wrappers rather than on the underlying ntdll.dll exports.
Once the php3.exe file is executed, it deletes itself from its original path and copies itself to a new location.
Once this operation is completed, the malware starts its malicious behavior, which can be summarized in the following steps:
1. Create a new “svchost.exe” process in suspended mode, using CreateProcessA with the CREATE_SUSPENDED creation flag.
Figure 2 - svchost.exe process creation
Figure 3 - Parameters of CreateProcessA
2. Open a handle to the running “explorer.exe” process with OpenProcess, requesting the PROCESS_CREATE_THREAD and PROCESS_SUSPEND_RESUME access rights, and create a new thread in it in suspended mode.
Figure 4 - Creation of a new thread of explorer.exe process (PID 2672) in suspended mode
3. Create a new memory section that will hold the code to be mapped into “svchost.exe”.
Figure 5 - Section creation
At this point the section is empty; it is filled in the next step.
4. Copy the payload into the section with “memcpy”. (For a plain memcpy to reach the section, the malware must first map a view of it into its own address space; the same section object is then mapped a second time into the target.)
Figure 6 - Payload's copy in the section previously created through memcpy function
5. Map the filled section into the “svchost.exe” process using the Native API call NtMapViewOfSection.
Figure 7 - Mapping of the previously filled section to svchost.exe process through NtMapViewOfSection
6. Resume the suspended “svchost.exe” thread so that it executes the code in the mapped section.
Figure 8 - svchost.exe resuming in order to execute the payload loaded into the section
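The step sequence above is also a usable detection signature: a process that maps a section into another process and then resumes a thread in it, with the victim having been created or opened in suspended state beforehand. The following Python script is an added example (not code from the original analysis, nor from the malware) that runs that logic over a constructed API-call trace in an assumed “seq|actor_pid|actor_image|api|target_pid|detail” format, as a sandbox or user-mode hooking tool might record it. It goes one step beyond the single stage shown above by linking findings whose victim becomes the next actor, which is the two-stage chain the analysis infers (ddraxpps.exe to svchost.exe to explorer.exe). All PIDs, image names and trace lines are constructed.

```python
"""Heuristic detection of the double process hollowing chain described above.

Added example, not code from the original analysis: it scans a constructed
API-call trace (the kind a sandbox or user-mode hooking tool records) and flags
any process that (1) maps a section it created into another process and then
(2) resumes a thread in that process.  It also records which process put the
victim in a suspended state and links findings whose victim later becomes
the actor of another hollowing, which is the two-stage pattern in the text.
Trace format, field names and all PIDs/images are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed trace: seq|actor_pid|actor_image|api|target_pid|detail
SAMPLE_TRACE = """
1|1000|ddraxpps.exe|CreateProcessA|2000|image=C:\\Windows\\System32\\svchost.exe flags=CREATE_SUSPENDED
2|1000|ddraxpps.exe|OpenProcess|2672|image=explorer.exe access=PROCESS_CREATE_THREAD+PROCESS_SUSPEND_RESUME
3|1000|ddraxpps.exe|NtCreateSection||size=0x1c000 protect=PAGE_EXECUTE_READWRITE
4|1000|ddraxpps.exe|memcpy||dst=local_view len=0x1b800
5|1000|ddraxpps.exe|NtMapViewOfSection|2000|protect=PAGE_EXECUTE_READWRITE
6|1000|ddraxpps.exe|NtResumeThread|2000|tid=2004
7|2000|svchost.exe|NtCreateSection||size=0x1c000 protect=PAGE_EXECUTE_READWRITE
8|2000|svchost.exe|NtMapViewOfSection|2672|protect=PAGE_EXECUTE_READWRITE
9|2000|svchost.exe|NtResumeThread|2672|tid=2690
10|3000|notepad.exe|NtCreateSection||size=0x1000 protect=PAGE_READWRITE
11|3000|notepad.exe|NtMapViewOfSection|3000|protect=PAGE_READWRITE
"""


@dataclass
class Event:
    seq: int
    actor_pid: int
    actor_image: str
    api: str
    target_pid: Optional[int]
    detail: str


@dataclass
class Finding:
    actor_pid: int
    actor_image: str
    target_pid: int
    suspended_by: Optional[int]  # PID that created/opened the victim suspended, if seen
    own_section: bool            # actor created a section before mapping it remotely


def parse_trace(text: str) -> List[Event]:
    """Parse the constructed pipe-separated trace format, ordered by sequence number."""
    events = []
    for line in text.strip().splitlines():
        seq, apid, image, api, tpid, detail = line.split("|", 5)
        events.append(Event(int(seq), int(apid), image, api,
                            int(tpid) if tpid else None, detail))
    return sorted(events, key=lambda e: e.seq)


SUSPEND_APIS = {"NtSuspendThread", "SuspendThread", "NtSuspendProcess"}
RESUME_APIS = {"NtResumeThread", "ResumeThread", "NtResumeProcess"}


def puts_target_suspended(e: Event) -> bool:
    """True if the call leaves (or prepares to leave) the target process suspended."""
    if e.api in ("CreateProcessA", "CreateProcessW") and "CREATE_SUSPENDED" in e.detail:
        return True
    if e.api == "OpenProcess" and "PROCESS_SUSPEND_RESUME" in e.detail:
        return True
    return e.api in SUSPEND_APIS


def find_hollowing(events: List[Event]) -> List[Finding]:
    """Flag section-map-then-resume into a foreign process, in call order."""
    suspended_by: Dict[int, int] = {}
    has_section: Set[int] = set()
    pending: Dict[Tuple[int, int], bool] = {}  # (actor, target) -> actor created a section
    findings: List[Finding] = []
    for e in events:
        if e.target_pid is not None and puts_target_suspended(e):
            suspended_by.setdefault(e.target_pid, e.actor_pid)
        elif e.api == "NtCreateSection":
            has_section.add(e.actor_pid)
        elif e.api == "NtMapViewOfSection" and e.target_pid not in (None, e.actor_pid):
            # A view mapped into another process is the core of the technique;
            # a self-map (target == actor) is ordinary and ignored.
            pending[(e.actor_pid, e.target_pid)] = e.actor_pid in has_section
        elif e.api in RESUME_APIS and (e.actor_pid, e.target_pid) in pending:
            findings.append(Finding(e.actor_pid, e.actor_image, e.target_pid,
                                    suspended_by.get(e.target_pid),
                                    pending.pop((e.actor_pid, e.target_pid))))
    return findings


def link_chains(findings: List[Finding]) -> List[List[int]]:
    """Chain findings whose victim is the actor of a later finding (two-stage hollowing)."""
    by_actor = {f.actor_pid: f for f in findings}  # one outgoing hollowing per actor here
    victims = {f.target_pid for f in findings}
    chains = []
    for f in findings:
        if f.actor_pid in victims:
            continue  # not a chain head; reached from its own injector instead
        chain, cur = [f.actor_pid], f
        while cur is not None:
            chain.append(cur.target_pid)
            cur = by_actor.get(cur.target_pid)
        chains.append(chain)
    return chains


if __name__ == "__main__":
    found = find_hollowing(parse_trace(SAMPLE_TRACE))
    for f in found:
        print(f"{f.actor_image}({f.actor_pid}) -> PID {f.target_pid}, "
              f"suspended by {f.suspended_by}, own section: {f.own_section}")
    print("chains:", link_chains(found))
```

On the constructed trace the notepad.exe self-map is ignored, the two remote map-and-resume pairs are flagged, and both are attributed to the suspension performed by PID 1000, giving the single chain 1000 to 2000 to 2672. Note that the second hop here is an inference from the write-up (the svchost.exe stage is not observable in the original trace), so in a real deployment the suspended_by field is the link worth keeping: it ties the explorer.exe injection back to the user-level process even when the intermediate stage is opaque.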
After this step we lose visibility into the behavior, because “svchost.exe” is a system process and we are not able to monitor the activities it performs. However, we can observe that both the malicious “svchost.exe” and its parent “ddraxpps.exe” terminate, and that the “explorer.exe” process starts to behave maliciously, in particular by generating traffic to compromised websites.
Figure 9 - Abnormal traffic performed by explorer.exe process
From this we can deduce with good confidence that the effective payload is injected into “explorer.exe”, and that “svchost.exe” is only a proxy used to transfer the malicious code into the explorer process so as to make the execution stealthier. It is highly likely that “svchost.exe” performs the same actions described above to reach its goal. The first stage of process hollowing appears intended to move from a user-level process into a system process, and the second stage to hide the payload completely from the user. Note, however, that a child created with CreateProcessA inherits its creator's access token, so the first stage does not by itself raise privileges: what it buys the malware is the cover of a trusted system process name, which host monitoring tends to treat as benign.
In conclusion, the really challenging part of this malware analysis was reversing this unusual and powerful hiding technique. It is true that many sophisticated malware families adopt process hollowing to conceal themselves, but not this two-step version. By combining process hollowing with the abuse of trusted system processes, the malware makes the analysis very hard.