Ursnif is a banking Trojan and variant of the Gozi malware that has been observed spreading through automated exploit kits, spear-phishing attachments, and malicious links. Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.


Scenario

  • LAN segment range: 10.18.20.0/24 (10.18.20.0 through 10.18.20.255)
  • Domain: icemaiden.com
  • Domain controller: 10.18.20.8 – Icemaiden-DC
  • LAN segment gateway: 10.18.20.1
  • LAN segment broadcast address: 10.18.20.255


Icemaiden Company recently experienced a malware attack and requires prompt identification of malware beacons on the network. Additionally, the infected machine must be isolated from the network. John, serving as the lead incident responder for the company, guides the SOC team in their hunting efforts. Jennifer holds the position of Chief Information Security Officer.


Questions to IR/SOC from the CISO:

  • What is the IP address, MAC address, and host name of the infected Windows host?
  • What is the Windows user account name of the victim on this infected Windows host?
  • What type of malware was the victim infected with?
  • Based on traffic from the pcap, where did the malware likely come from?
  • After the initial infection, what type of web page/website did the victim appear to visit?
  • Review all logs/Packets and identify the root cause for this incident.




The packets above depict numerous communications that occurred within the network. Rather than reading them all, we aim to inspect specific packets using efficient Wireshark filters to identify the attack quickly.


The first questions ask for the IP address, MAC address, and hostname of the affected host. To answer them, we start by generating a Wireshark statistics report for both source and destination addresses.


While checking it, we found a large number of connections to the IP address 10.18.20.97: around 10802 connections, with 51% of all traffic flowing towards this address.



Hunting the DHCP packets gives us additional information, such as which host is infected and its MAC address. As the results below show, the client with MAC 00:01:24:56:9b:cf broadcasts a request for the IP 10.18.20.97, and the server 10.18.20.8 replies with a DHCP ACK confirming that 10.18.20.97 is free and may be used.



Upon examining Option 12 (Host Name) in the packet, we discovered that the hostname "Juanita-Work-PC" is making the request to the DHCP server. This completes our initial set of actions: we now have the IP address, MAC address, and hostname of the host behind the high connection count, which we carry forward into the investigation.
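The DHCP lookup above is something you can automate when a pcap has too many leases to click through. The following is an added example, not code from the original write-up: it parses the BOOTP header and DHCP options of one UDP payload (client MAC from chaddr, message type from option 53, requested IP from option 50, server identifier from option 54, and the hostname from option 12 that Wireshark shows as "Option 12"), and builds a constructed DHCP REQUEST with the MAC, hostname and IP from this scenario as sample input.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV options of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    chaddr = payload[28:28 + hlen]            # client hardware address
    info = {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "yiaddr": str(IPv4Address(payload[16:20])),  # 'your' IP in OFFER/ACK
    }
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:            # option 255: end of options
            break
        if tag == 0:              # option 0: padding, no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        i += 2 + length
        if tag == 53:
            info["message_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif tag == 50:
            info["requested_ip"] = str(IPv4Address(value))
        elif tag == 54:
            info["server_id"] = str(IPv4Address(value))
        elif tag == 12:           # the Host Name option seen in Wireshark
            info["hostname"] = value.decode("ascii", "replace")
    return info

def build_request(mac: bytes, hostname: str, requested_ip: str, server_ip: str) -> bytes:
    """Build a constructed DHCP REQUEST (sample input, not taken from the pcap)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op..flags
    hdr += bytes(16)                                   # ciaddr/yiaddr/siaddr/giaddr
    hdr += mac + bytes(10) + bytes(64) + bytes(128)    # chaddr, sname, file
    opts = b"\x35\x01\x03"                             # option 53: REQUEST
    opts += b"\x32\x04" + IPv4Address(requested_ip).packed
    opts += b"\x36\x04" + IPv4Address(server_ip).packed
    opts += bytes([12, len(hostname)]) + hostname.encode("ascii")
    return hdr + DHCP_MAGIC + opts + b"\xff"

if __name__ == "__main__":
    pkt = build_request(bytes.fromhex("000124569bcf"), "Juanita-Work-PC", "10.18.20.97", "10.18.20.8")
    print(parse_dhcp(pkt))
```

Feed parse_dhcp the UDP payload of every port 67/68 packet in a capture and you get a MAC-to-hostname-to-IP table in one pass.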



Next, our task is to ascertain the Windows user account name on the compromised host. User account names can be recovered from the Kerberos authentication traffic exchanged with the Active Directory (AD) domain controller.

Within Kerberos, the CName field holds the username undergoing authentication. Filtering on kerberos.CNameString in Wireshark lets us examine these authentications. The figure below shows that the victim account "momia.juanita" belongs to the infected host.



The next question is what malware this is. For that, we check the IDS/IPS alerts for the IP address 10.18.20.97; the event message identifies it as Ursnif.

To find the root cause, we query Wireshark for HTTP and HTTPS requests while excluding SSDP (Simple Service Discovery Protocol) to reduce noise. Check the results below.




The results displayed above reveal the Full Request URI http://mail[.]aol[.]com, along with the IP address 10.18.20.97. The user "momia.juanita" clicked on a phishing email within AOL, resulting in this infection. The next question is: after the infection, what type of web page or website did the victim appear to visit? The request following mail.aol.com is to https://secure[.]bankofamerica[.]com, where Ursnif attempts to steal financial data. Happy hunting!