New ursnif version targets italian critical infrastructures

Last malware activity that targets italy has been identified in the last hours. Probably the malicious agents detected belong to the Ursnif malware family.
As usual the infection vector consists of compromised email addresses.
In the following article I will explain the reversing steps that lead me to caught the Iocs.

Analysis

The email looks like in the picture :

The 1735-2019 Segnatura_xml.xls file appears to be attached to the email.
When opened, the Excel file looks like in the following figure:

In particular, inside the file there is a macro, which is executed when the document is opened using the WorkBook_Open() method.

The macro is composed of five methods that actually:
• check that the system in use is Italian, using the terendo() function;
• extract the second obfuscation level (using the KKtypo() andFHH() functions) from the character string present in the B2 cell 

Below is the evidence of the macro:

By removing the character string present in cell B2 of the excel sheet, I got the following command (detail):

The above command uses the WMIC (Windows Management Instrumentation Command) utility. Through the command

wmic process call create

a powershell instance is executed decompressing (inflate) a previously compressed base64 string (deflate).
The decode operation from base64 and subsequent string inflate leads to the next obfuscation level:

The evidence shown above is an array of integers mixed with some useless characters that only serve to make the deobfuscation process difficult.
Below is shown the array of integers detail that must then be transcoded from the octal numeral system form to the corresponding index char in the ASCII table.

The result of the conversion is the following text:

From the red evidence in the above image, this time the deobfuscation process still requires the use of the inflate function, preceded by base64 decoding:
Here is the result:

From the payload shown above, I’m still facing with an array of integers mixed with a set of characters and letters (-, T, a, l, d, V, q, I, H) that makes the array difficult to understand.
Subsequently the array obtained after cleaning operations is bitwise XORATED with the key 0x2e.
The result is shown below:

Once cleaned, rearranged and indented, I got the following payload:

The snippet above, reveals the action of proceeding to download the second stage IF AND ONLY IF the keyboard layout is ITALIAN.
If so, the second stage will be taken from the URL:

hxxps: //velissimilio.site/.index

Unfortunately at the time of the analysis, the URL was no longer available.

Conclusions

From the de-obfuscation and decoding type required to complete the analysis, the excel file is the DROPPER for the second stage belonging to the URSNIF malware family.
Also in this analysis the criminals’ intention has been revealed to hit exclusively Italian administrations.

IOC

hxxps://velissimilio.site/.index