What is Ursnif malware?
Ursnif, also known as Gozi is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed based on the leaked source code of a fairly old Gozi-ISFB trojan.
The trojan has been registered for the first time in 2014 when Gozi-ISFB code got leaked. Since then, Ursnif has been evolving and becoming more powerful, which lead it to become one of the top used banking trojans today.
General description of Ursnif
Ursnif Trojan is a dangerous malware that can collect system activity of the victims, record keystrokes, as well as keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.
The malware uses malicious Microsoft Office documents to get into the users’ machine and requires macros to be activated. Once opened, the document will prompt the user into enabling macros. If the user plays along with the instruction, the malware drops a VB script into the temp directory of the current user, upon which it is automatically decoded and the malicious payload is downloaded.
Some versions of Ursnif contain a macro that is programmed to check the country using the Application. International MS Office property. If the result does not correspond to a list of pre-selected countries, the malware terminates its execution.
Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. This precaution is implemented by hackers in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.
Ursnif malware analysis
A video available at ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail.
Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Urnsnif
How to avoid infection by Ursnif?
The best way to stay safe from Ursnif is to make sure to keep the macros turned off and definitely not turn them on if prompted by a Microsoft Office file which was downloaded from an untrustworthy source, such as an email from the unknown sender. Following good practices as of staying safe online such as not downloading files from suspicious emails is another great way to avoid infection.
Ursnif execution process
In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro.
Ursnif trojan uses exploits to start legitimate software like Outlook which in turn launches cmd.exe only to spawn PowerShell. If a strike is directed at select countries, the malware checks where the victim is from during this stage. Then, PowerShell downloads and executes the final payload which is Ursnif itself. Lastly, Ursnif starts malicious activities and injects its code into the explorer.exe process.
After installation, the malware will try to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif will launch a new svchost.exe process and inject into it instead. After that, Ursnif will proceed to hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. Then, the malware will begin monitoring web activity and steal the payment information as soon as the victim visits a banking or a payment webpage.
Communication with C&C
In order to prevent domain name disclosure, the malware generates the domain names locally using the Domain Generation Algorithm (DGA) instead of them being hardcoded. Uniquely, the malware gathers information for domain name generation in the DGA process by taking bits of text from popular websites.
The malware is also known to be able to execute commands received from the control server.
How to detect Ursnif using ANY.RUN?
Ursnif uses COM objects to execute the malware's payload and usually, it runs multiple iexplorer.exe processes. Knowing this information you can take a look at the process tree after a while during execution and easily determine either sample is Ursnif or not.
Figure 2: Ursnif process tree
Conclusion
Being based on the source code of another malware which is already almost a decade old, Ursnif is a prime example of the fact that when it comes to trojans “old”, does not mean ineffective.
On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, Ursnif takes active actions in order to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allows researchers to study this malware in-depth and respond with appropriate countermeasures.