Ursnif

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2014
Last seen: 4 October, 2022
Also known as: Gozi, Dreambot, ISFB
Global rank: 10
Week rank: 22
Month rank: 22
IOCs: 43838

What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed based on the leaked source code of a fairly old Gozi-ISFB trojan.

The trojan was registered for the first time in 2014, when the Gozi-ISFB code got leaked. Since then, Ursnif has been evolving and becoming more powerful, which led it to become one of the most used banking trojans today.

General description of Ursnif trojan

Ursnif Trojan is a dangerous malware that can collect the system activity of the victims, record keystrokes, and keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get onto the users’ machines and requires macros to be enabled. Once opened, the document prompts the user to enable macros. If the user follows the instruction, the malware drops a VB script into the temp directory of the current user, where it is automatically decoded, and the malicious payload is downloaded.

According to the analysis, some versions of Ursnif contain a macro that checks the country using the Application.International MS Office property. If the result does not match a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware also terminates execution if it detects that it is being launched on a virtual machine. The attackers use this precaution to complicate analysis and, ideally for them, to prevent the effective development of countermeasures.

Ursnif malware analysis

A video available at the ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail. You can also investigate other malware like Hawkeye or Raccoon.

Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Ursnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep macros turned off and not turn them on when prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from an unknown sender. In addition, following good online safety practices, such as not downloading files from suspicious emails, is another effective way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro. Ursnif uses the browser's COM object to connect to its C2 server and receive additional data.

Based on the analysis, the Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn a PowerShell script. If a campaign is directed at select countries, the malware checks where the victim is from during this stage. Then, the PowerShell script downloads and executes the final payload, which is Ursnif itself. Lastly, the loader starts its malicious activities and injects its code into the explorer.exe process.

After installation, the malware will try to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif will launch a new svchost.exe process and inject itself into that instead. This technique is a useful pointer for detection. After that, Ursnif will hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. The loader uses the browsers' COM object to communicate with its C2 server. The malware then begins monitoring web activity and steals payment information as soon as the victim visits a banking or payment webpage. Ursnif sends the collected data to a C2 server via the IE COM object.

Communication with C&C

In order to prevent domain name disclosure, the malware generates its domain names locally using a Domain Generation Algorithm (DGA) instead of hardcoding them. Uniquely, the malware gathers input for the DGA by taking bits of text from popular websites. If you decrypt the URL in the script, you can recover the data sent to the C2 server.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload, and usually it runs multiple iexplore.exe processes. The loader creates a COM object through a hidden API function. Knowing this, take a look at the process tree after the sample has run for a while and determine whether the sample is Ursnif or not. Check the script to find out whether a suspicious URL corresponds to malware activity.

Figure 2: Ursnif process tree
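The process-tree pointers described above (Office document spawning cmd.exe and PowerShell, the svchost.exe fallback when explorer.exe injection fails, and several iexplore.exe instances under one odd parent) can be turned into simple detection logic. The following is an added example, not ANY.RUN's code; the event tuples and the payload name "loader.exe" are constructed sample data, and the parent-image check for svchost.exe is an assumption about a normally healthy tree (services.exe as parent).

```python
# Added example: flag the Ursnif-style process chain in constructed Sysmon-like events.
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "opera.exe"}

# Constructed process-creation events: (pid, ppid, image). Not real telemetry.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "winword.exe"),
    (210, 200, "outlook.exe"),      # legitimate software started from the document
    (220, 210, "cmd.exe"),
    (230, 220, "powershell.exe"),   # downloads the final payload
    (240, 230, "loader.exe"),       # hypothetical payload name
    (250, 240, "svchost.exe"),      # fallback target when explorer.exe injection fails
    (260, 250, "iexplore.exe"),
    (261, 250, "iexplore.exe"),
    (262, 250, "iexplore.exe"),     # COM-driven Internet Explorer instances
]

def build_tree(events):
    image = {pid: img.lower() for pid, _, img in events}
    parent = {pid: ppid for pid, ppid, _ in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)
    return image, parent, children

def ancestry(pid, image, parent):
    """Image names from the process itself up to the root of the known tree."""
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent[pid]
    return chain

def ursnif_indicators(events):
    image, parent, children = build_tree(events)
    findings = []
    for pid, img in image.items():
        chain = ancestry(pid, image, parent)
        # 1. PowerShell started by cmd.exe somewhere below an Office process
        if img == "powershell.exe" and chain[1:2] == ["cmd.exe"] and OFFICE & set(chain):
            findings.append(("office_to_powershell", pid))
        # 2. svchost.exe not spawned by services.exe (assumed normal parent)
        if img == "svchost.exe" and image.get(parent[pid]) != "services.exe":
            findings.append(("svchost_spawned_by_non_services", pid))
        # 3. two or more iexplore.exe children under a non-browser, non-shell parent
        kids = [c for c in children[pid] if image[c] == "iexplore.exe"]
        if len(kids) >= 2 and img not in BROWSERS | {"explorer.exe"}:
            findings.append(("multiple_iexplore_under_" + img, pid))
    return findings
```

Injection into an already running explorer.exe leaves no process-creation event, so this tree-only check catches the svchost.exe fallback path and the surrounding chain, not the injection itself.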

Conclusion

Based on the source code of another malware that is already almost a decade old, Ursnif is a prime example of the fact that “old” does not mean ineffective when it comes to trojans.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and has managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, the loader takes active steps to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allow researchers to study this malware in depth and respond with appropriate countermeasures.

IOCs

