Ursnif

  ursnif gozi dreambot trojan loader

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type
Trojan
Origin
Unknown
First seen
1 January, 2014
Last seen
31 March, 2020
Also known as
Gozi
Dreambot
ISFB
Global rank
6
Week rank
3
Month rank
5
IOCs
7068
Last Seen at
31 March, 2020
Malicious activity
http://films.amishbrand.com/ncsdlszlfhk
trojan
gozi
ursnif
dreambot
31 March, 2020
Malicious activity
http://movie.timbervalleyfarm.com/hqtdkaslfeps
trojan
gozi
ursnif
dreambot
31 March, 2020
Malicious activity
aaa.zip
trojan
gozi
ursnif
dreambot
evasion
31 March, 2020
Malicious activity
aaa.zip
trojan
gozi
ursnif
dreambot
31 March, 2020
Malicious activity
http://films.amishbrand.com/oeiwtodybu
trojan
gozi
ursnif
dreambot
31 March, 2020
Malicious activity
http://movie.timbervalleyfarm.com/
trojan
gozi
ursnif
dreambot
31 March, 2020
Malicious activity
player.exe
trojan
gozi
ursnif
dreambot
30 March, 2020
Malicious activity
wGJ.txt
trojan
gozi
ursnif
30 March, 2020
Malicious activity
presentation_a7h.js
trojan
gozi
ursnif
30 March, 2020
Malicious activity
https://drive.google.com/uc?id=1Ki-mvVkq3eDrJKl6anElzsbxO9KoON8t&export=download
trojan
gozi
ursnif
TRACK THEM ALL AT
Public Submissions

What is Ursnif malware?

Ursnif, also known as Gozi is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed based on the leaked source code of a fairly old Gozi-ISFB trojan.

The trojan has been registered for the first time in 2014 when Gozi-ISFB code got leaked. Since then, Ursnif has been evolving and becoming more powerful, which lead it to become one of the top used banking trojans today.

General description of Ursnif

Ursnif Trojan is a dangerous malware that can collect system activity of the victims, record keystrokes, as well as keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get into the users’ machine and requires macros to be activated. Once opened, the document will prompt the user into enabling macros. If the user plays along with the instruction, the malware drops a VB script into the temp directory of the current user, upon which it is automatically decoded and the malicious payload is downloaded.

Some versions of Ursnif contain a macro that is programmed to check the country using the Application. International MS Office property. If the result does not correspond to a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. This precaution is implemented by hackers in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video available at ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail.

ursnif gozi dreambot execution graph Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Urnsnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to make sure to keep the macros turned off and definitely not turn them on if prompted by a Microsoft Office file which was downloaded from an untrustworthy source, such as an email from the unknown sender. Following good practices as of staying safe online such as not downloading files from suspicious emails is another great way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro.

Ursnif trojan uses exploits to start legitimate software like Outlook which in turn launches cmd.exe only to spawn PowerShell. If a strike is directed at select countries, the malware checks where the victim is from during this stage. Then, PowerShell downloads and executes the final payload which is Ursnif itself. Lastly, Ursnif starts malicious activities and injects its code into the explorer.exe process.

After installation, the malware will try to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif will launch a new svchost.exe process and inject into it instead. After that, Ursnif will proceed to hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. Then, the malware will begin monitoring web activity and steal the payment information as soon as the victim visits a banking or a payment webpage.

Communication with C&C

In order to prevent domain name disclosure, the malware generates the domain names locally using the Domain Generation Algorithm (DGA) instead of them being hardcoded. Uniquely, the malware gathers information for domain name generation in the DGA process by taking bits of text from popular websites.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload and usually, it runs multiple iexplorer.exe processes. Knowing this information you can take a look at the process tree after a while during execution and easily determine either sample is Ursnif or not.

ursnif process tree Figure 2: Ursnif process tree

Conclusion

Being based on the source code of another malware which is already almost a decade old, Ursnif is a prime example of the fact that when it comes to trojans “old”, does not mean ineffective.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, Ursnif takes active actions in order to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allows researchers to study this malware in-depth and respond with appropriate countermeasures.

IOCs

IP addresses
204.11.56.48
198.54.117.218
62.109.31.180
198.54.117.212
84.247.51.8
84.247.51.8
52.58.28.12
185.158.250.29
141.8.193.236
195.22.26.248
198.54.117.210
58.158.177.102
83.166.243.248
108.59.12.98
84.38.180.166
84.38.180.166
40.90.247.210
40.76.4.15
20.45.1.107
184.168.221.46
Hashes
949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
515437a6721142081c0706dbb18d11f6b294490389f688addda41ced8301c094
feaf2c50fd7bf14d8cac81a50f7da9990241b2e35c4788971fd273962bbdc50c
a563d0a7db4ba096220dfade97270392a4e529c967b28072243b0860df7ed322
378c106cf661fae6c247d3ad9db7321c0d5e545b7f54ccba784abcc5e73f5dc7
49d702dcfce2329dbf10dd7d6c703b581b3a83b19f123c9adc89641f16ecefce
aeef2b22c713e765d8214e08f3d9860e1e525fd1e571c6416bf7a33e27f5a9d8
57823dc1f16a7c5d3a357d9b76245fcdaa377da3720edcdfd2ebe454d4bb487e
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c
64ff78d022f57742496317e81efd6d1c8188301c3582cc4ba98e5055f446aead
6bc999ed83c2561894fe5ea54386af959a9a5602fcb828af68109ffbcda4ee7c
3f59a331cb3366949ee26b2dbb103044e20cefbc7f10cb059ce54614c2ceb4ae
8066acebf84e0e8286312dbe1a1522e696b33d15478a7bda27641fab082efc7c
7d4770091db7e0f63ceb05dff2ee8e9d4773e619d9e7f457d20ec3bd374b0c8d
4c143dd60e95d86a7ade202861ec65b5cd4e5f6e164bfa7d5c6ed2bc50511c38
6b4bab8f4b64142f6a9ca63b79abe59372daae4a90a181278c8598bc6bfca604
5a335bcb13cb8f9ddec21170957e0733d161deb2c53731325fe60526268dc6b9
7f818ce6e526f4375444462d96572d35d2f893195324b1822c5803c8198f303e
2cfa8c1fefe0533df33bfc2b5293ba37e963d69844103c67a27dafddf2c6a22c
5bfc815ab88eb869dce3367acc66aa6f6b035baef0c43e007ae26dfc3e7b77bf
Domains
link.philippeschellekens.com
www.healingherds.com
loadkaklokja.xyz
avira.com
myleftheart.com
musk-giveaway.com
xoso.thememanga.com
allfontshere.press
milkelse.net
meatsure.net
headbelow.net
cookiescriptcdn.pro
www.tiltmediaproductions.com
online-sale24.com
www.studiofourteen40.com
www.operationsbasednavigation.com
coreupdate.msoftupdates.com
cthree.msoftupdates.com
ctwo.msoftupdates.com
cone.msoftupdates.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More