Overview
Since August 2022, a new campaign associated with the URSA trojan has been spread at a large scale and extended to Portugal. The authors behind the threat have released a new version and how the malware is loaded. This is, in fact, the major update 2 years after the initial publication here « Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader ».
Trojan URSA – also known as mispadu malware by ESET – has impacted Internet end-users from different countries, including Bolivia, Chile, Mexico, Argentina, Ecuador, Peru, Colombia, Paraguay, Costa Rica, Brazil, Spain, Honduras, and Portugal.
This trojan collects passwords from web browsers and popular software such as FTP and email services. Also, it performs the banking browser overlay technique to lure the victims into introducing the banking credentials while the flow is executed – step-by-step – in the background by criminals. In addition, authentication credentials from cryptocurrency sites are also targeted, and criminals attempt to move money to specific wallets they have control over.
During this investigation, control of the URSA C2 server was also achieved, and details from 16.242 victims from different geolocations (including Portugal) were observed. This C2 server has been used to keep details from several campaigns that occurred during July – October 2021, and on the ongoing campaign July- September 2022 also extended to Portugal.
GeoMap of URSA Infections: Jul-Oct. 2021 and Jul-Sep. 2022
Table 1: Number of infections grouped by country.
| Number of Infections | Country |
| 11910 | Mexico |
| 4103 | Spain |
| 103 | USA |
| 88 | Chile |
| 24 | Portugal |
| 8 | Brazil |
| 4 | Argentina |
| 2 | Honduras |
Mexico is clearly the country with more users affected 11.910 from the total of 16.242 observed. Spain is the second country with 4.103, followed by the USA (103), Chile (88), and Portugal (24).
According to the details obtained from the C2 server, the campaigns occurred during the Summer season, both in 2021 as well as in 2022. In detail, the authors behind the schema, divide the campaigns by tags and names, namely:
- 2021-A (bog; ibra; mtx; preto)
- 2021-B (bog; ibra; mtx; preto)
- 2021-C (bog; ibra; mtx; preto); and
- 2022 (mtx)
A print screen from the accessed C2 server is presented below with the skeleton mentioned above.
Figure 2: Screenshot from the C2 server with the different campaigns spread in 2021.
The folder campaigns keep the victims’ secrets (Web-Browser and software passwords) encrypted. These details are collected in runtime via legitimate software and sent to the C2 server using the following file format: ID-LANGUAGE_COMPUTERNAME_RND-PREFIX_ID.txt
Figure 3: Part of users’ secrets found on the C2 server as an example.
Key findings
- URSA trojan evades AV/EDR detection by taking advantage of multiple layers of obfuscation and techniques (e.g., .bat and VBScript files, AutoIT loaders, and legitimate software).
- It takes advantage of legitimate loaders to execute malicious code.
- The trojan creates persistence on the target when installed.
- As observed in the last version from 2020, URSA uses legitimate software to collect users’ secrets (Nirsoft WebBrowserPassView and MaiPassView).
- The usage of the windows overlay technique to lure victims and obtain sensitive information (credentials, MFA tokens, etc) is also in place.
- The trojan can drop and execute additional payloads (e.g, remote shells or another kind of software).
- Keylogger capabilities are observed as well.
The new dance of URSA trojan
: in-depth analysis
In this section, we are going through the details of the URSA trojan, analyzing step-by-step this banking trojan, how it operates, and what kind of data is exfiltrated. It should be noted that some details may be obviously cited from the first publication published on the blog in 2020, not making, thus, an overlap of information already scrutinized.
Email is the «vehicle» to disseminate the threat
URSA trojan operators utilize spear-phishing campaigns to distribute the threat around the world. The modus operandi observed in recent years is similar to other Latin American trojans. In short, well-designed templates that impersonate popular brands are linked to bait invoices opening the door to potential infections.
In the first instance, the first waves of this campaign in Portugal indicated some inconsistency because in one of the phishing emails the recipients (targets) were placed in the “TO” email field. This detail can obviously defeat the malicious intent of deceiving a victim, in addition to the grammatical typos found.
The email message often refers to overdue invoices “Fatura Consumo de Eletricidade” – the decoy – in order to lure the victim into downloading the malicious file (a .HTML file attached to the email). These emails are sent between the end and the beginning of each month. As observed in this sample and others collected during this analysis, the sender’s email address is under the .MX TLD. This detail can explain the high number of infections in Mexico as reported in Table 1 above.
Figure 4: Email template of URSA impersonating GALP Energia and AT in Portugal (September 2022).
After opening the HTML file (FATURA_208538.PDF.HTML : b9187767d2fa4cb358f850a5f48a152b), a message related to Adobe Reader is presented in the Portuguese language. Basically, an error during the process occurred, and the user needs to “download” something additional to visualize the invoice (a trap).
Figure 5: HTML content presented when the victim opens the email attachment.
As can be seen, the button “Documento de descarregação” is a bad translation of “Descarregar documento” in the Portuguese language. This HTML element has associated an “onClick()” event that will download the next malware stage (RAR file).
Figure 6: JavaScript code responsible for downloading the next malware stage (a RAR file).
Figure 7 shows the source code deobfuscated. In short, a hardcoded HEX string is converted and “%%” chars are replaced. The deobfuscation process can be done by using a CyberChef recipe.
Figure 7: Deobfuscation of the JavaScript code via CyberChef recipe.
Although some parts of the infection chain remain from the URSA analysis in 2020, criminals have made the scheme more complex and sophisticated, with the addition of different layers precisely to bypass antiviruses and EDR systems. This is the new dance of URSA trojan in 2022.
The high-level diagram of the URSA trojan 2022 release is illustrated in Figure 8 below.
Figure 8: Ursa trojan / Mispadu 2022 – high-level diagram (September 2022).
This diagram simplifies the entire process in short steps. As observed, the usage of LOL BINS such as Certutil, WMIC, and WScript is a known TTP of different Latin American trojans, including Grandoreiro, Lampion, Javali, etc. The same consideration for AutoIT loaders and DLL side loading; which is a common modus operandi of these kinds of threats.
The most interesting details are scrutinized below.
RAR file with easter egg
Filename: FATURA_GALP_899318.rar
MD5: a5c87471e8d438cd40b137b2c0aa276e
SHA1: f11300a44987991bbe620246b5ec31e10835bc21
After clicking on the HTML button, a RAR file is downloaded as presented in Figure 7. A random file name is dynamically generated for each execution, but its content is obviously the same. As illustrated, the initial URL redirects to a new one that will perform the download of the RAR file into the victim machine.
Figure 9: Downloading of the RAR file after clicking on the malicious button on the HTML page.
Inside the RAR file exists a .bat file – the easter egg – with the following content:
- two binary files converted into certificates (in fact, 2 AutoIT binaries)
- between the certificates, the source code used to extract the binaries via Certutil windows utility (LOL BIN)
- WMI process is used to execute the next malware stage
Figure 10: .bat file inside the RAR file with 2 additional files embedded and extracted via Certutil Windows utility.
Digging into the details, the bat file takes advantage of the Certutil LOL BIN to extract the AutoIT loader from the first certificate, and the AutoIT injector (a3x) from the second one. Next, the WMI utility is then utilized to execute the AutoIT loader with the target source file (a3x).
Figure 11: Certutil is used to extract hardcoded binaries and execute them via the WMI Windows utility.
AutoIT loader to download the next stage (VBScript)
Filename: TTTTT%RRRRR%_.exe
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
Filename: FATURA www.galp.pt.a3x
MD5: 7149bc706a85e225b419f50dbc1ef033
SHA1: d80ad22c0e365cf68162fd1f81ee23ad6bf24827
By analyzing the file signature of the AutoIT loader (TTTTT%RRRRR%_.exe), we can easily identify this file is legitimate, signed by AutoIT, Consulting Ltd, and used massively in malicious campaigns by threat authors in the last few years. The AutoIT loader was also utilized in the past campaigns of URSA in 2020 as exhibited below.
Figure 12: AutoIT loader signed by AutoIT Ltd; a legitimate loader used in the wild by crooks to execute malicious code (VT and URSA analysis 2020 URLs).
When execute in memory, the AutoIT loader downloads from hardcoded URLs the next stage; a VbScript file that will download additional payloads. The VBScript file is then executed via CMD.EXE (line 3767). Below is presented the plain source code. This scenario is highlighted in step 7 from Figure 8 (high-level diagram).
Figure 13: AutoIT code responsible for downloading the next malware stage (VbScript file).
VBScript file to download additional «VBScript» and execute it inline
As observed below, the AutoIT binary communicates with the target URLs to download the VBScript file. The file is then created into the “%AppData%\Local\Temp” folder and executed.
Interesting to notice the first submissions and data correlation with these domains from VirusTotal, probably indicating this wave has been started in July 2022 as already mentioned at the beginning of this article.
Figure 14: VBScript file downloaded and created on the target dir.
Filename: df6uiv.vbs
MD5: f32960c4e67e604a985bcfae9308af8a
SHA1: eb66b566add45d943ce2c810d5ef0c43c3f2f436
After opening the target file, it seems obfuscated.
Figure 15: VBScript file obfuscated after the downloading process.
A few rounds of deobfuscation can fix it! As can be seen, the obfuscation functions perform substitution and replacement of chars until achieving the final payload. The target path is “/g2″, where another VBScript payload is downloaded and executed inline. The VBScript file is a form of an XML component executed by CreateObject(“Wscript.Shell”).Exec(%payload%) windows call.
Figure 16: VBScript code deobfuscated and next VBScript file downloaded and executed inline.
As noticed below, the next VBScript file seems totally obfuscated, and we need to deobfuscate it to understand its capabilities.
Figure 17: Aditional VBScript file downloaded and executed inline via CreateObject(“Wscript.Shell”).Exec() component.
VBScript used to download and execute the URSA final stage
Filename: g2 / XML
MD5: d3f3e27cd085d1a7ec7b8059e775ba89
SHA1: 469f83cdbb8634dcfa6913b39be673545e8c947a
The URSA dance continues. The VBScript file is then used to download additional payloads, namely:
- Delphi encrypted DLL (URSA trojan itself)
- AutoIT loader; and
- AutoIT injector with hardcoded binary responsible for decrypting the URSA DLL and loading it into the memory.
The file has hardcoded and encrypted a lookup table that will populate some pieces of code during its execution. By decrypting the entries, we can get their plain-text value.
Figure 18: Lookup table present on the VBScript file after decrypting it.
In addition, a C2 configuration is also hardcoded and encrypted. It contains C2 servers to communicate during the infection process. However, we noticed that this is a kind of configuration is also presented on the first analysis of URSA in 2020 and available here. In fact, this VBScript is an obfuscated and updated version of the file analyzed in 2020 and presented in Figure 9 here.
Figure 19: C2 configuration hardcoded on the VBScript file.
In detail, this script checks if is running inside a virtual environment, and terminates its execution. Also, the system language is verified, according to the hardcoded codes detailed below. Spanish (Latin American) and Portuguese systems are the focus of criminals’ operations.
Figure 20: Snippet of code responsible for checking if the script is running inside a VM and if the system language feets the crook’s intents.
At the first glance, if the computer name is equal to “ JOHN-PC “, it terminates the infection chain. Some details are also obtained from the C2 server, including the configuration used during the downloading of the additional files (the final malware stage). These details (line 466) are then used as a prefix name to create target folders and files on the victim’s machine.
Figure 21: Additional details about the VBScript before downloading the final stage.
Next, three additional files are downloaded:
- Delphi encrypted DLL (URSA trojan itself)
- AutoIT injector source (with hardcoded binary inside – C++ loader); and
- AutoIT loader
A better perspective of these files can be seen below.
Figure 22: URSA trojan 2020 last stage.
1. URSA DLL download
Filename: C:/t35/v221.22v
Size: 4956673(4.73 MB)
MD5: 8069e5d8e22b51f3360cca1582c1f3b7
SHA1: 3ee3915219ddc8fcd1d289c58f9eebfdcf4ae86c
Entropy: 7.47087(packed)
The URSA DLL is downloaded from the C2 server, encrypted, and with a random extension ( https]://m4gx01.hopto.org/lp1am1].dfhyhgf ).
After that, it is renamed to a ZIP file: c:\t35\v22m1.zip . Next, the file is unzipped and renamed to: v221.22v . Notice that, “t35” path and “v22” prefix are both obtained from the C2 server and highlighted in Figure 21 above. These values are random and change between different infections.
Figure 23: Snippet of code responsible for downloading the encrypted URSA trojan DLL.
2. AutoIT source with hardcoded EXE (C++ loader)
Filename: C:/t35/v22
Size: 171726(167.70 kB)
MD5: 782f9bed19336830a6bacdc6c0cf07ec
SHA1: a099df7fad853afd1fb1eb29c18800a1fb498182
Entropy: 7.99899(packed)
Looking at the VBScript file, the AutoIT source code with a C++ loader hardcoded is then downloaded from the C2 server – https:]//m4gx01.hopto.org/v/lp163.]dfhyhgf and stored to: c:\t35\v224.dfhyhgf . The file is renamed to: c:\t35\v224.zip , and the AutoIT source is extracted and renamed: c:\t35\v22 .
Figure 24: Snippet of code responsible for downloading the AutoIT source. This file contains a C++ loader inside that will decrypt and execute in memory the URSA DLL.
3. AutoIT loader
Filename: C:/t35/v22ai.exe
Size: 893608(872.66 kB)
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
Entropy: 6.62013(packed)
As observed, a legitimate AutoIT loader is then used to load the AutoIT injector source. The file is downloaded from: https:/]/m4gx01.hopto.]org/lp1aa3.]dfhyhgf to c:\t35\v22a3.dfhyhgf . The file is then renamed to c:\t35\v22a3.zip , unzipped, and again renamed to: c:\t35\v22ai.exe .
Finally, this AutoIT loader (c:\t35\v22ai.exe), will execute and load the AutoIT source (C:/t35/v22), which will decrypt and load into the memory the URSA trojan DLL: C:/t35/v221.22v.
Figure 25: Snippet of code responsible for downloading the AutoIT loader.
URSA trojan last stage
:C++ loader hardcoded inside the AutoIT code
At this point of infection, three files are ready to be executed:
- v22ai.exe / to7ai.exe: AutoIT loader
- v22 / to7: AutoIT injector source with the hardcoded c++ loader that will decrypt and execute the final DLL; and
- v221.22v / to71.7ot : Delphi DLL – URSA trojan itself.
Take a look at the AutoIT source code after obtaining it in a readable form, we can see that a binary file is hardcoded and it will be loaded into the memory by using the DLL injection technique.
Figure 26: DLL injection technique used to load C++ EXE into the memory.
Interesting to notice that part of the source code can be found on the https://www.autoitscript.com Forum in a publication from 2009.
Figure 27: Part of the DLL injection source code found on the AutoIt script web forum.
After dumping the c++ loader from memory, it’s possible to understand its purpose.
Filename: hardcoded_loader.dll
Size: 147456(144.00 kB)
MD5: 75aa0635014fddb64536da38c21ee93a
SHA1: 89d448c72d49717e9eb78d639c2d17c479821c38
This binary has hardcoded the path of the URSA DLL to load « to71.7ot », decrypt « sub_10001C30() », and inject it « sub_100001880() » into the memory.
Figure 28: Additional files download during the malware execution (next described), and a snippet of code responsible for decrypting and injection of the URSA DLL.
In detail, the left-side below « sub_10001C30() » presents the block of code responsible for decrypting the DLL file, and in the right-side « sub_100001880() » the DLL injection technique.
Figure 29: Decryption and DLL injection calls in detail.
Dump URSA DLL from memory
File name: ursa.dll
Size: 3563520(3.40 MB)
MD5: 0cd43c6759d0f5285cb69fff22e2ed5b
SHA1: 17f160deffd502968ce9c2eb2754cbeddacb74d5
After being injected into memory, it can be dumped in this case at the offset: 0x40c6000. As observed, some junk needs to be removed.
Figure 30: URSA DLL dumped from memory.
After aligning the dumped file and removing some junk bytes, we are able to understand its TTP. As can be seen, the binary is not packed, it’s a Delphi DLL and we can reverse it easily.
Figure 31: URSA trojan DLL not packed and obtained from memory.
URSA trojan capabilities
The last stage is a Delphi DLL binary responsible for executing browser overlay to control and steal the victim’s secrets while they are accessing their home banking and cryptocoin portals. The activity and code similarities observed are much close to other analyzed and popular trojans operating in Portugal and Latin America, such as Grandoreiro and Lampion. According to an ESET analysis, the final payload is Mispadu, an ambitious Latin American banking trojan that extends its attack surface to web browsers.
The Delphi binary has also two legitimate tools inside. These tools are used to collect credentials stored on the victim’s device.
Figure 32: Binary files available inside the Delphi binary.
These tools are executed when the final stage starts, and the data is stored between the tags “===F1===” and “===F2===” highlighted below.
Figure 33: Blocks of code where the credential stealer modules are executed.
In detail, these tools are legitimate and provided by NirSoft. The first one – WebBrowserPassView is launched in memory and used to exfiltrate credentials from popular web browsers. On the other side, Mail PassView is used to collect data from several locations.
Figure 34: Tools embedded inside the trojan file and used to collect data from the infected device.
During the analysis, we noticed that two additional DLLs are also downloaded by URSA:
- C:/gf70kg804/ libeay32.dll (284e004b654306f8db1a63cff0e73d91)
- C:/gf70kg804/ ssleay32.dll (de484d5dafe3c1208da6e24af40e0a97)
According to the Embarcaredo Wiki, these DLLs are required to perform communication over HTTPS and must be in place.
At the end of the harvesting process, the data is sent over HTTPS to the C2 server.
Figure 35: Victim’s credentials collected and sent to the C2 server.
The trojan is simultaneously listening and monitoring which windows and websites are accessed by the victim (it gets the focus windows on the web browser). When a target banking portal is accessed, an overlay window is created on the legitimate web browser window depending on the accessed banking portal.
In short, the next figure shows some target brands “operated” by URSA trojan criminals. The complete list is presented below.
Figure 36: Target brands found during the URSA trojan analysis.
.text:00717770 00000010 C (16 bits) BBVA_MX .text:0071778C 00000014 C (16 bits) AZTECA_MX .text:007177AC 00000016 C (16 bits) BANAMEX_MX .text:007177D0 00000016 C (16 bits) BANORTE_MX .text:007177F4 0000001A C (16 bits) SANTANDER_ES .text:0071781C 0000001A C (16 bits) CAIXABANK_ES .text:00717844 00000010 C (16 bits) HSBC_MX .text:00717860 00000014 C (16 bits) SCOTIA_MX .text:00717880 00000012 C (16 bits) GERAL_ES .text:007178A0 0000001A C (16 bits) SANTANDER_PT .text:007178C8 00000014 C (16 bits) BANKIA_ES .text:007178E8 00000018 C (16 bits) SABADELL_ES .text:0071790C 0000001A C (16 bits) BANKINTER_ES .text:00717934 00000018 C (16 bits) IBERCAJA_ES .text:00717958 0000001A C (16 bits) LIBERBANK_ES .text:00717980 00000014 C (16 bits) ABANCA_ES .text:007179A0 0000001C C (16 bits) KUTXABANCA_ES .text:007179C8 00000016 C (16 bits) UNICAJA_ES .text:007179EC 00000018 C (16 bits) BANREGIO_ES .text:00717A10 00000016 C (16 bits) INBURSA_ES .text:00717A34 00000014 C (16 bits) AFIRME_ES .text:00717A54 00000012 C (16 bits) BITSO_ES .text:00717A74 0000001C C (16 bits) BLOCKCHAIN_ES .text:00717A9C 0000000E C (16 bits) BTC_ES .text:00717AB8 00000014 C (16 bits) PAYPAL_ES .text:00717AD8 00000012 C (16 bits) GERAL_PT .text:00717AF8 0000000E C (16 bits) BPI_PT .text:00717B14 0000001A C (16 bits) NOVOBANCO_PT .text:00717B3C 0000000E C (16 bits) BCP_PT .text:00717B58 0000000E C (16 bits) CGD_PT .text:00717B74 00000014 C (16 bits) ACTIVO_PT .text:00717B94 00000018 C (16 bits) MONTEPIO_PT .text:00717BB8 0000001C C (16 bits) CREDITOAGR_PT .text:00717BE0 0000000E C (16 bits) BTC_PT .text:00717BFC 00000014 C (16 bits) PAYPAL_PT .text:00717C1C 00000010 C (16 bits) BBVA_PT .text:00717C38 00000012 C (16 bits) WINUP_PT .text:00717C58 00000016 C (16 bits) EUROBIC_PT .text:00717C7C 00000012 C (16 bits) GERAL_IT .text:00717C9C 0000000E C (16 bits) BPM_IT .text:00717CB8 00000010 C (16 bits) BPER_IT .text:00717CD4 00000016 C (16 bits) UNICRED_IT .text:00717CF8 00000018 C (16 bits) SAMPAOLO_IT .text:00717D1C 0000000E C (16 bits) BNL_IT .text:00717D38 00000018 C (16 bits) BANCAMPS_IT .text:00717D5C 00000018 C (16 bits) COLOMBIA_CO .text:00717D80 00000014 C (16 bits) BOGOTA_CO .text:00717DA0 0000001C C (16 bits) DAVIVIENDA_CO .text:00717DC8 0000001A C (16 bits) OCCIDENTE_CO .text:00717DF0 00000010 C (16 bits) ITAU_CO .text:00717E0C 00000012 C (16 bits) GERAL_UK .text:00717E2C 00000010 C (16 bits) HSBC_UK .text:00717E48 00000016 C (16 bits) BARCLAY_UK .text:00717E6C 00000014 C (16 bits) LLOYDS_UK .text:00717E8C 00000012 C (16 bits) ROYAL_UK .text:00717EAC 00000018 C (16 bits) STANDARD_UK .text:00717ED0 0000001A C (16 bits) SANTANDER_UK .text:0071C448 00000012 C (16 bits) portugal .text:0071C480 0000000C C (16 bits) banco .text:0071C498 0000000E C (16 bits) azteca .text:0071C4B4 0000001A C (16 bits) Banco Azteca .text:0071C4DC 0000001C C (16 bits) banconacional .text:0071C504 00000010 C (16 bits) agrcola .text:0071C520 00000026 C (16 bits) Banco Nacional de M .text:0071C560 00000010 C (16 bits) banorte .text:0071C57C 0000000C C (16 bits) banca .text:0071C5AC 00000010 C (16 bits) Banorte .text:0071C5C8 00000014 C (16 bits) santander .text:0071C5E8 00000020 C (16 bits) Banco Santander .text:0071C614 00000016 C (16 bits) scotiabank .text:0071C638 0000000E C (16 bits) Scotia .text:0071C684 00000016 C (16 bits) blockchain .text:0071C6A8 00000016 C (16 bits) BlockChain .text:0071C6CC 00000012 C (16 bits) banregio .text:0071C6EC 00000012 C (16 bits) Banregio .text:0071C70C 00000010 C (16 bits) inbursa .text:0071C728 00000010 C (16 bits) Inbursa .text:0071C744 0000000E C (16 bits) afirme .text:0071C760 0000000E C (16 bits) Afirme .text:0071C77C 0000000C C (16 bits) bitso .text:0071C794 0000000C C (16 bits) Bitso .text:0071C7AC 00000010 C (16 bits) bitcoin .text:0071C7C8 00000010 C (16 bits) binance .text:0071C7E4 00000012 C (16 bits) coinbase .text:0071C804 0000000E C (16 bits) kraken .text:0071C820 0000000E C (16 bits) crypto .text:0071C83C 00000012 C (16 bits) primebit .text:0071C85C 00000010 C (16 bits) Bitcoin .text:0071C878 0000000E C (16 bits) paypal .text:0071C894 0000000E C (16 bits) Paypal .text:0071C8B0 0000000E C (16 bits) bankia .text:0071C8CC 0000000E C (16 bits) bankla .text:0071C8E8 0000000E C (16 bits) Bankia .text:0071C904 00000012 C (16 bits) sabadell .text:0071C924 00000012 C (16 bits) Sabadell .text:0071C944 00000014 C (16 bits) bankinter .text:0071C964 00000014 C (16 bits) Bankinter .text:0071C984 00000012 C (16 bits) ibercaja .text:0071C9A4 00000012 C (16 bits) Ibercaja .text:0071C9C4 00000014 C (16 bits) liberbank .text:0071C9E4 00000014 C (16 bits) Liberbank .text:0071CA04 0000000E C (16 bits) abanca .text:0071CA20 0000000E C (16 bits) ABANCA .text:0071CA3C 00000014 C (16 bits) kutxabank .text:0071CA5C 00000014 C (16 bits) Kutxabank .text:0071CA7C 00000010 C (16 bits) unicaja .text:0071CA98 0000001C C (16 bits) Unicaja Banco .text:0071CAC0 00000012 C (16 bits) bancobpi .text:0071CAE0 00000014 C (16 bits) Banco BPI .text:0071CB00 00000014 C (16 bits) novobanco .text:0071CB20 00000016 C (16 bits) Novo Banco .text:0071CB44 0000001C C (16 bits) millenniumbcp .text:0071CB6C 0000001E C (16 bits) Millennium BCP .text:0071CB98 0000001A C (16 bits) caixadirecta .text:0071CBC0 0000001C C (16 bits) Caixa Directa .text:0071CBE8 00000016 C (16 bits) activobank .text:0071CC0C 00000018 C (16 bits) Activo Bank .text:0071CC30 00000012 C (16 bits) montepio .text:0071CC50 0000001E C (16 bits) Banco Montepio .text:0071CC7C 0000001C C (16 bits) crditoagrcola .text:0071CCA4 00000014 C (16 bits) caixabank .text:0071CCC4 00000014 C (16 bits) Caixabank .text:0071CCE4 00000010 C (16 bits) eurobic .text:0071CD00 00000010 C (16 bits) EuroBic .text:0071CD1C 00000022 C (16 bits) bancodeoccidente .text:0071CD4C 00000026 C (16 bits) Banco de Occidente .text:0071CDB0 00000018 C (16 bits) bancolombia .text:0071CDD4 0000002E C (16 bits) sucursalvirtualempresa .text:0071CE10 00000018 C (16 bits) BanColombia .text:0071CE34 0000001A C (16 bits) bancodebogot .text:0071CE5C 0000001C C (16 bits) Banco de Bogot .text:0071CE88 00000016 C (16 bits) davivienda .text:0071CEAC 00000016 C (16 bits) Davivienda .text:0071CED0 00000010 C (16 bits) barclay .text:0071CEEC 00000010 C (16 bits) Barclay .text:0071CF08 0000000E C (16 bits) lloyds .text:0071CF3C 0000000E C (16 bits) Lloyds .text:0071CF58 0000000C C (16 bits) royal .text:0071CF70 0000002E C (16 bits) Royal Bank of Scotland .text:0071CFAC 00000012 C (16 bits) standard .text:0071CFCC 00000014 C (16 bits) chartered .text:0071CFEC 00000026 C (16 bits) Standard Chartered .text:0071D020 0000002C C (16 bits) bancapopolaredemilano .text:0071D058 00000012 C (16 bits) bancobpm .text:0071D090 00000014 C (16 bits) unicredit .text:0071D0B0 00000028 C (16 bits) bancaintesasanpaolo .text:0071D0F8 00000012 C (16 bits) bancamps .text:0071D118 00000022 C (16 bits) Internet Banking .text:0071D148 00000012 C (16 bits) bajionet .text:0071D168 0000001C C (16 bits) intercambanco .text:0071D190 00000014 C (16 bits) asponline .text:0071D1B0 00000016 C (16 bits) aspenlinea .text:0071D1D4 00000016 C (16 bits) banjercito .text:0071D1F8 00000016 C (16 bits) consubanco .text:0071D21C 00000012 C (16 bits) actinver .text:0071D23C 00000012 C (16 bits) bankaool .text:0071D25C 00000016 C (16 bits) bancamifel .text:0071D280 00000010 C (16 bits) bancrea .text:0071D29C 0000000E C (16 bits) stpmex .text:0071E8A4 00000012 C (16 bits) portugal .text:0071E8C4 0000000C C (16 bits) banco .text:0071E8DC 0000000E C (16 bits) azteca .text:0071E8F8 0000001C C (16 bits) banconacional .text:0071E920 00000010 C (16 bits) agrcola .text:0071E93C 00000010 C (16 bits) banorte .text:0071E958 00000014 C (16 bits) santander .text:0071E978 00000016 C (16 bits) scotiabank .text:0071E9B4 00000012 C (16 bits) banregio .text:0071E9D4 00000010 C (16 bits) inbursa .text:0071E9F0 0000000E C (16 bits) afirme .text:0071EA0C 0000000E C (16 bits) bankia .text:0071EA28 0000000E C (16 bits) bankla .text:0071EA44 0000000C C (16 bits) banca .text:0071EA5C 00000012 C (16 bits) sabadell .text:0071EA7C 00000014 C (16 bits) bankinter .text:0071EA9C 00000012 C (16 bits) ibercaja .text:0071EABC 00000014 C (16 bits) liberbank .text:0071EADC 0000000E C (16 bits) abanca .text:0071EAF8 00000014 C (16 bits) kutxabank .text:0071EB18 00000010 C (16 bits) unicaja .text:0071EB34 00000012 C (16 bits) bancobpi .text:0071EB54 00000014 C (16 bits) novobanco .text:0071EB74 0000001C C (16 bits) millenniumbcp .text:0071EB9C 0000001A C (16 bits) caixadirecta .text:0071EBC4 00000016 C (16 bits) activobank .text:0071EBE8 00000012 C (16 bits) montepio .text:0071EC08 0000001C C (16 bits) crditoagrcola .text:0071EC30 00000014 C (16 bits) caixabank
As noticed below, a Delphi form (Telas) is running in a loop and performs windows overlay launching the right windows (right-side below) according to the target brand string captured from the user interaction.
Figure 37: Details about the windows overlay process – URSA trojan 2022.
When the malware detects the victims accessed a target home banking portal, a connection is established to the malware operator (C2 server). Criminals control each step, requesting specific data step-by-step in a back-office portal. Some commands hardcoded inside the malware are presented below.
.text:0071A760 00000026 C (16 bits) <|ATIV|>Ativado<|> .text:0071EC50 00000012 C (16 bits) <|ALRM|> .text:0071F170 00000018 C (16 bits) <|Desktop|> .text:0071F1A4 00000018 C (16 bits) <|TAMANHO|> .text:0071F49C 00000012 C (16 bits) <|gets|> .text:0071F4BC 00000018 C (16 bits) <|TAMANHW|> .text:0071F504 00000018 C (16 bits) <|TAMANHO|> .text:0071F528 00000012 C (16 bits) <|okok|> .text:0071F5F4 0000001A C (16 bits) <|KEYBOARD|> .text:0071F918 00000018 C (16 bits) <|JKEYLOG|> .text:0071F960 0000001C C (16 bits) <|TAMANHOKL|> .text:0071FDB0 00000016 C (16 bits) <|getsKL|> .text:0071FDD4 0000001C C (16 bits) <|TAMANHOKL|> .text:0071FE20 00000016 C (16 bits) <|okokKL|> .text:0071FE44 00000016 C (16 bits) <|getsPS|> .text:0071FE68 0000001C C (16 bits) <|TAMANHOPS|> .text:0071FE90 00000016 C (16 bits) <|okokPS|> .text:0071FEB4 00000018 C (16 bits) <|getsKL2|> .text:0071FED8 00000018 C (16 bits) <|okokKL2|> .text:00720024 0000001A C (16 bits) <|DOWNLOAD|> .text:00720070 0000001C C (16 bits) <|DOWNLOAD2|> .text:00720278 0000000E C (16 bits) <|OK|> .text:007202A4 00000010 C (16 bits) <|OKt|> .text:00720AA8 0000001C C (16 bits) <|TAMANHOKL|> .text:007210FC 00000014 C (16 bits) <|WLOGS|> .text:00721164 00000012 C (16 bits) <|STAT|> .text:00728DD8 00000012 C (16 bits) <|STAT|> .text:00728E94 00000022 C (16 bits) <<|<|ESPERA|><<| .text:00728EC4 0000001E C (16 bits) <|STAT|>colou .text:00728FB4 0000003C C (16 bits) <|STAT|>Imagem esp enviada<|> .text:00728FFC 00000032 C (16 bits) <|STAT|>Print enviado<|> .text:0072903C 00000038 C (16 bits) <|STAT|>Dados Reenviados<|> .text:00729080 0000003E C (16 bits) <|STAT|>Reiniciando maquina<|> .text:007290E8 0000001C C (16 bits) <|TAMANHOPS|> .text:00729110 00000040 C (16 bits) <|STAT|>Alpha blend alterado<|> .text:0072915C 0000003A C (16 bits) <|STAT|>Conexao encerrada<|> .text:007291B8 00000032 C (16 bits) <|STAT|>Maq bloqueada<|> .text:007291F8 00000038 C (16 bits) <|STAT|>Conexao resetada<|> .text:00729250 00000030 C (16 bits) <|STAT|>Maq liberada<|> .text:0072928C 0000002C C (16 bits) <|ATIV|>Desativado<|> .text:007292C4 0000003E C (16 bits) <|STAT|>Tam buraco alterado<|> .text:00729310 00000030 C (16 bits) <|STAT|>KL instalado<|> .text:0072934C 00000036 C (16 bits) <|STAT|>KL desinstalado<|> .text:00729390 00000036 C (16 bits) <|STAT|>KL desisntalada<|> .text:007293D4 0000002E C (16 bits) <|STAT|>KL alterada<|> .text:00729410 00000028 C (16 bits) <|STAT|>Comando KL .text:00729444 0000002E C (16 bits) <|STAT|>Log Enviado<|> .text:00729480 00000042 C (16 bits) <|STAT|>Nenhum log encontrado<|> .text:007294D0 00000042 C (16 bits) <|STAT|>Transformacao recorte = .text:00729520 00000034 C (16 bits) <|STAT|>Mouse Alterado = .text:00729560 0000003A C (16 bits) <|STAT|>Comando MostraBarra .text:007295A8 00000038 C (16 bits) <|STAT|>Comando AtualizaUP .text:00729608 0000003A C (16 bits) <|STAT|>Comando PostMessage .text:00729650 0000003A C (16 bits) <|STAT|>Comando SendMessage .text:00729698 0000001C C (16 bits) <|TAMANHOKL|> .text:007296D8 0000002E C (16 bits) <|STAT|>Log Apagado<|> .text:00729714 00000038 C (16 bits) <|STAT|>Comando ShowWindow .text:00729768 00000018 C (16 bits) <|WLOGS|>\r\n .text:007297A0 00000032 C (16 bits) <|STAT|>Comando SetFore .text:007297E0 00000030 C (16 bits) <|STAT|>Comando WinExec .text:0072981C 0000002E C (16 bits) <|STAT|>Comando Shell .text:00729864 0000002C C (16 bits) <|STAT|>Comando Down .text:0072989C 0000003C C (16 bits) <|STAT|>Download Encerrado<|> .text:007298FC 0000003E C (16 bits) <|STAT|>Comando Block Entrada .text:007299A4 00000034 C (16 bits) <|STAT|>Comando SetaFase .text:007299E4 00000028 C (16 bits) <|STAT|>Manter Conex .text:00729A48 00000028 C (16 bits) <|STAT|>Manter Conex .text:00729AA0 0000003C C (16 bits) <|STAT|>Comando Restaurar <|> .text:00729B18 0000003E C (16 bits) <|STAT|>Comando Orientacao <|> .text:00729B64 00000030 C (16 bits) <|STAT|>Rolou Mouse <|> .text:00729BE0 0000002E C (16 bits) <|STAT|>Erro criado<|> .text:00729C1C 00000030 C (16 bits) <|STAT|>Erro Enviado<|> .text:00729C58 0000002C C (16 bits) <|STAT|>Erro N Enc<|> .text:00729C90 00000030 C (16 bits) <|STAT|>Erro Apagado<|> .text:0072A540 0000001C C (16 bits) <|PRINCIPAL|> .text:0072B868 0000001E C (16 bits) <|SocketMain|> .text:0072B8A8 0000000E C (16 bits) <|OK|> .text:0072B928 00000012 C (16 bits) <|Info|> .text:0072B96C 00000012 C (16 bits) <|PING|> .text:0072B98C 00000012 C (16 bits) <|PONG|> .text:0072B9AC 00000014 C (16 bits) <|Close|> .text:0072B9EC 00000018 C (16 bits) <|NOSenha|> .text:0072BA3C 00000028 C (16 bits) <|REQUESTKEYBOARD|> .text:0072BA70 00000012 C (16 bits) <|WCMD|> .text:0072BA90 00000014 C (16 bits) <|first|> .text:0072BAB0 0000001A C (16 bits) <|MousePos|> .text:0072BAD8 00000018 C (16 bits) <|MouseLD|> .text:0072BAFC 00000018 C (16 bits) <|MouseLY|> .text:0072BB20 00000018 C (16 bits) <|MouseLX|> .text:0072BB44 00000018 C (16 bits) <|MouseDC|> .text:0072BB68 00000018 C (16 bits) <|MouseLU|> .text:0072BB8C 00000018 C (16 bits) <|MouseRD|> .text:0072BBB0 00000018 C (16 bits) <|MouseRU|> .text:0072BBD4 00000018 C (16 bits) <|MouseWH|>
As observed, URSA DLL is determined by a lot of capabilities:
- Logging keystrokes
- download and execution of additional payloads (reverse shells, etc)
- stealing credentials from a lot of baking and crypto coin portals, and popular software
- obtaining printscreen; and
- upload and download files.
C2 details and victim’s data
The victim’s data is sent to C2 during the malware execution. During our analysis, it was possible to obtain information on the number of victims affected during the 2021 and 2022 campaigns.
Figure 38: Some affected users and AV engines bypassed by URSA (Portuguese campaign – September 2022).
Interesting that this malware evades AV detection. We can see in Figure 38 that many machines were running popular antivirus and were infected by this threat. On the other side, all the victim’s data is stored in TXT files on the C2 server. The file starts with the id language (Portugal – 2070), followed by the computer name, trojan compilation ID, and finally, the victim ID present on the C2 database.
Figure 39: Details about victims infected by URSA trojan in September 2022 in Portugal.
Figure 40: Victims’ details present on the C2 server online (left-side: Portugal, middle: Mexico, right-side: Spain).
In detail, the files are encrypted and have the secrets collected from the infected machines, including passwords from popular software and web browsers. We believe the group behind these kinds of trojans should sell the accesses later to other threat groups.
In addition, we found a BTC address inside the URSA DLL with two transactions. It has received a total of 0.57965786 BTC ($12,581.63) and has sent a total of 0.57965786 BTC ($12,581.63).
Figure 41: BTC address found during the URSA trojan analysis.
Final Thoughts
URSA is a potent piece of malware, whose primary capability is the theft of banking information and other personal information from the user machine and sending it to the C2 server. This trojan takes advantage of complex loaders (in number and sophistication), and thus bypasses AV and EDR detection.
As common on Latin American trojans, the usage of LOL BINS such as WMI and Certutil as well as legitimate loaders (AutoIT) allows circumventing security defenses and easily injecting malicious code into the memory without touching on disk, at least, with the binary in a plain-text form.
From URSA’s analysis, we can conclude that Latin American operators are sharing code between different trojans such as Lampion, Javali, Grandoreiro, and so on.
This trojan is a dangerous weapon, with the capabilities to self-update itself, capture keystrokes and mouse movements, take screenshots, block access to several Windows-based applications, get secrets and passwords from banking and financial portals, execute additional payloads, and initiate the windows overlay process when a legitimate portal is accessed.
Latin American trojans are on the rise with multiple variants targeting banking organizations. These variants come with different peculiarities, with the goal of hiding their presence and bypassing detection. Thus, organizations are recommended to make use of provided IOCs for better detection of URSA or similar threats.
Let’s take malware protection seriously!
Mitre Att&ck Matrix
Indicators of Compromise (IOCs)
===========FILES================ FATURA_208538.PDF.html | 3a69914e18119a42695a3dde89ea4221 https://www.virustotal.com/gui/file-analysis/M2E2OTkxNGUxODExOWE0MjY5NWEzZGRlODllYTQyMjE6MTY2MzE2MTE1NA== FATURA_GALP_912218.rar | a5c87471e8d438cd40b137b2c0aa276e https://www.virustotal.com/gui/file-analysis/YTVjODc0NzFlOGQ0MzhjZDQwYjEzN2IyYzBhYTI3NmU6MTY2MzE2MTI0Mw== FATURA www.galp.pt.bat | 95a6bc8457f5852a40c09dbdda2b5ae3 https://www.virustotal.com/gui/file-analysis/OTVhNmJjODQ1N2Y1ODUyYTQwYzA5ZGJkZGEyYjVhZTM6MTY2MzE2MTI4OQ== TTTTT%RRRRR%_.exe | c56b5f0201a3b3de53e561fe76912bfd https://www.virustotal.com/gui/file/237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d TTTTT%RRRRR%_.a3x / FATURA www.galp.pt.a3x | 6272b71def704494d7be276df39746ac https://www.virustotal.com/gui/file/2745605626d3e93eb9d86adf9cf462321098f6c27d445474f7293357c441d351?nocache=1 df6uiv.vbs | f32960c4e67e604a985bcfae9308af8a https://www.virustotal.com/gui/file-analysis/ZjMyOTYwYzRlNjdlNjA0YTk4NWJjZmFlOTMwOGFmOGE6MTY2MzE2MTU5OA== g2 | d3f3e27cd085d1a7ec7b8059e775ba89 https://www.virustotal.com/gui/file-analysis/ZDNmM2UyN2NkMDg1ZDFhN2VjN2I4MDU5ZTc3NWJhODk6MTY2MzE2MTc1Ng== v221.22v / to71.7ot (URSA encrypred DLL) | 8069e5d8e22b51f3360cca1582c1f3b7 https://www.virustotal.com/gui/file-analysis/ODA2OWU1ZDhlMjJiNTFmMzM2MGNjYTE1ODJjMWYzYjc6MTY2MzE2MTgyOQ== v22 / to7 | 782f9bed19336830a6bacdc6c0cf07ec https://www.virustotal.com/gui/file-analysis/NzgyZjliZWQxOTMzNjgzMGE2YmFjZGM2YzBjZjA3ZWM6MTY2MzE2MTg1MA== v22ai.exe / to7ai.exe | c56b5f0201a3b3de53e561fe76912bfd https://www.virustotal.com/gui/file/237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d hardcoded_loader.dll | 75aa0635014fddb64536da38c21ee93a https://www.virustotal.com/gui/file/d7588b38b2534e8683f70b90aab477c187bd1659b92bb45170b0d2b8cfc31807 to7ai.exe.bin - URSA dumped - cleaned (DLL) | f39b28222e24ba18d8c26e03be3bc857 https://www.virustotal.com/gui/file-analysis/ZjM5YjI4MjIyZTI0YmExOGQ4YzI2ZTAzYmUzYmM4NTc6MTY2MzE2MjAzNA== libeay32.dll | 284e004b654306f8db1a63cff0e73d91 ssleay32.dll | de484d5dafe3c1208da6e24af40e0a97 ======C2 && URLs============= http://168.100.9.172 https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26847 http://206.188.196.166/ https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26846 http://mqgpw2.servepics.com/ https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26725 http://mxgpw1.serveirc.com/ https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26724 http://dreamixcorporation.com/ https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26670 https://documents.drive.dreamixcorporation.com/do/it.php https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26669 http://198.54.117.198/ https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26668 https://stunningsolutions.in/js/fatura/?f71eda6de70d5cd8464e0ab7905eced9f71eda6de70d5cd8464e0ab7905eced9 https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26667 https://dom32.store https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26666 https://dom32.store/z/?YPehBDYYYVe0xkiwaK4G84tilx6TkXysr3ocTtzAYPehBDYYYVe0xkiwaK4G84tilx6TkXysr3ocTtzA https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26665 http://highlineadsl.com https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26664 http://highlineadsl.com/ddd/it.php?b2 https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26663 http://m4gx01.hopto.org/ https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26662 https://m4gx01.hopto.org/ https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=26661
Yara rule
This Yara rule can also be downloaded from the GitHub repository here.
import "pe"
import "hash"
rule URSA_trojan_VBS_loader_2022 {
meta:
description = "Yara rule for URSA trojan VBS (loader) - September 2022 version"
author = "SI-LAB - https://seguranca-informatica.pt"
last_updated = "2022-09-14"
tlp = "white"
category = "informational"
strings:
$s_a = {6d 34 67 78 30 31}
$s_b = {6d 73 67 42 6f 78}
condition:
filesize < 10KB
and all of ($s_*)
}
rule URSA_VBS_AUTOIT_LOADER_2022 {
meta:
description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
author = "SI-LAB - https://seguranca-informatica.pt"
last_updated = "2022-09-14"
tlp = "white"
category = "informational"
strings:
$s_a = "Nova"
$s_b = "_39"
$s_c = "FCYFLFCFMF"
$s_d = "FJCXCUCHCOCHEUFECWCHCOCHEUFECXCHCO"
condition:
filesize < 40KB
and all of ($s_*)
}
rule URSA_AUTOIT_LOADER_2022 {
meta:
description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
author = "SI-LAB - https://seguranca-informatica.pt"
last_updated = "2022-09-14"
tlp = "white"
category = "informational"
strings:
$s_a = {41 75 74 6F 49 74}
condition:
filesize < 900KB and
hash.md5(0, filesize) == "c56b5f0201a3b3de53e561fe76912bfd"
and all of ($s_*)
}
rule URSA_DLL_ENCRYPED_2022 {
meta:
description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
author = "SI-LAB - https://seguranca-informatica.pt"
last_updated = "2022-09-14"
tlp = "white"
category = "informational"
strings:
$s_a = {15 62 70 67 18 1B 1A 1B 1C 21 1E 24}
$s_b = {32 33 34 35 36 37 38 2F 30 31 32 25 26 27 28 37 38 2F 30 31 32 33 34 35 36 37 38 2F 30 31 32 1B 1C 35 36}
condition:
filesize < 5000KB
and all of ($s_*)
}
rule URSA_DLL_ENCRYPED_2022 {
meta:
description = "Yara rule for URSA trojan VBS loader AuToIT - September 2022 version"
author = "SI-LAB - https://seguranca-informatica.pt"
last_updated = "2022-09-14"
tlp = "white"
category = "informational"
strings:
$s_a = {15 62 70 67 18 1B 1A 1B 1C 21 1E 24}
$s_b = {32 33 34 35 36 37 38 2F 30 31 32 25 26 27 28 37 38 2F 30 31 32 33 34 35 36 37 38 2F 30 31 32 1B 1C 35 36}
condition:
filesize < 5000KB
and all of ($s_*)
}













































