Ursnif Trojan Campaign Uses Steganography and Mario

What Is It?

A new Ursnif campaign discovered by researchers at Bromium, and later reported by media, utilizes a Microsoft Excel file containing a malicious macro, PowerShell and an image of the Nintendo character Mario.

There are a few noteworthy aspects of this attack, beginning with the Mario image. The image is not downloaded to be displayed; it has an obfuscated PowerShell script hidden inside it using steganography. Steganography, in computing terms, is a technique used to hide data within the data of another file, most commonly an image file. It is an example of hiding in plain sight, as the image file containing the concealed data will still appear normal when viewed.

Also, this campaign is specifically targeted at users in Italy. The malicious Excel macro will terminate if the language is not set to Italian, as will the PowerShell script that runs later in the attack chain. The attacker may have considered it humorous to use an image of Mario, an Italian-American character, for a campaign specific to Italian users.

The initial Excel file contains the usual request (in Italian) for the user to enable macros in order to view the content. On execution, the macro deobfuscates a PowerShell script, which attempts to download a Portable Network Graphics (PNG) image file from one of two hardcoded sites. The script then uses a common steganography technique to extract embedded data from the image. The extracted data is a PowerShell script that uses multiple layers of obfuscation to conceal its final objective, which is to download and execute a variant of the Ursnif trojan.

The image of Mario is a 24-bit RGB PNG file. This means each pixel in the image is represented by an 8-bit value (0-255) for each of the red, green and blue components of the color which, when combined, give a total of 16.7 million possible colors. The steganography technique used here stores the embedded data in the lower four bits of the blue and green components. The largest number the lower four bits can represent is 15, out of the maximum 8-bit value of 255. This visually translates to very minor variances in color that the human eye will struggle to discern. Additionally, the image uses a multi-colored background, which makes it harder to notice anything amiss (see Fig 1 below).

Fig 1: Part of the Mario image zoomed
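
The low-nibble encoding described above, as a defender's triage check (an added example, not code from the original report or from the campaign): it rebuilds one byte per pixel from the lower four bits of blue and green and flags pixel data whose result reads as text. The nibble order (blue high, green low), the assumption that data starts at the first pixel, the function names, and the sample pixels and string are all constructed for illustration.

```python
# Added example: triage check for data carried in the low four bits of the
# green and blue channels of 24-bit RGB pixels, given as (r, g, b) tuples.

def low_nibble_bytes(pixels):
    """Rebuild one byte per pixel from the low 4 bits of blue and green.
    Assumption: blue supplies the high nibble, green the low nibble."""
    return bytes(((b & 0x0F) << 4) | (g & 0x0F) for _r, g, b in pixels)

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(32 <= c < 127 or c in (9, 10, 13) for c in data) / len(data)

def looks_embedded(pixels, window=32, threshold=0.95):
    """Flag pixel data whose first `window` low-nibble bytes read as text.
    Assumption: any embedded data starts at the first pixel."""
    data = low_nibble_bytes(pixels)[:window]
    return len(data) == window and printable_ratio(data) >= threshold

def max_channel_delta(a, b):
    """Largest per-channel difference between two equally sized pixel lists."""
    return max(abs(x - y) for p, q in zip(a, b) for x, y in zip(p, q))

def make_sample(cover, text):
    """Build the constructed test input: text in the G/B low nibbles."""
    out = list(cover)
    for i, ch in enumerate(text):
        r, g, b = cover[i]
        out[i] = (r, (g & 0xF0) | (ch & 0x0F), (b & 0xF0) | (ch >> 4))
    return out

# Constructed inputs: a synthetic gradient "cover" and a harmless string.
COVER = [(i * 7 % 256, i * 13 % 256, i * 29 % 256) for i in range(64)]
SAMPLE_TEXT = b"constructed harmless sample text for this example"
STEGO = make_sample(COVER, SAMPLE_TEXT)

if __name__ == "__main__":
    for name, px in (("cover", COVER), ("stego", STEGO)):
        ratio = printable_ratio(low_nibble_bytes(px)[:32])
        print(f"{name}: printable={ratio:.3f} flagged={looks_embedded(px)}")
    print("max channel delta:", max_channel_delta(COVER, STEGO))
```

To run the check on a real file, decode the PNG to RGB tuples with an image library first. A high printable ratio is a triage signal that warrants a closer look, not proof of embedded content.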

The basic attack chain here is not uncommon: an Excel file attachment with a malicious macro -> PowerShell -> downloads and executes a malware payload. Targeting Italian users specifically and utilizing steganography to hide a component of the attack, and potentially evade signature-based defenses (at least until a signature is created and deployed), make this significantly less common.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector here is an Excel attachment containing a malicious macro.

When/How Did BluVector Detect It?

One sample of the malicious Excel file and two Ursnif samples are listed in the blog entry and BluVector’s patented Machine Learning Engine (MLE) detected all three. Regression testing has shown the samples would have been detected an average of 13 months prior to their release.
