Ursnif

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an older malware family but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2014
Last seen: 17 January, 2020
Also known as: Gozi, Dreambot, ISFB
Global rank: 6
Week rank: 12
Month rank: 10
IOCs: 6557

What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans: it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed from the leaked source code of the fairly old Gozi-ISFB trojan.

The trojan was first registered in 2014, when the Gozi-ISFB code was leaked. Since then, Ursnif has kept evolving and becoming more powerful, which led it to become one of the most used banking trojans today.

General description of Ursnif

Ursnif is a dangerous Trojan that can collect victims' system activity, record keystrokes, and track network traffic and browser activity. The malware stores the collected data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get onto users' machines and requires macros to be enabled. Once opened, the document prompts the user to enable macros. If the user follows the instruction, the malware drops a VB script into the current user's temp directory, where it is automatically decoded and the malicious payload is downloaded.

Some versions of Ursnif contain a macro that checks the victim's country using the Application.International MS Office property. If the result is not in a pre-selected list of countries, the malware terminates its execution.

Interestingly, the malware also terminates execution if it detects that it is being launched on a virtual machine. The hackers implemented this precaution to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video available on the ANY.RUN malware analysis service lets us watch a simulation of the malware's execution in great detail.

Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Ursnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep macros turned off and never turn them on when prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from an unknown sender. Following good online safety practices, such as not downloading files from suspicious emails, is another great way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro.

The Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn PowerShell. If a campaign is directed at select countries, the malware checks where the victim is from during this stage. Then PowerShell downloads and executes the final payload, which is Ursnif itself. Lastly, Ursnif starts its malicious activities and injects its code into the explorer.exe process.

After installation, the malware tries to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif launches a new svchost.exe process and injects into it instead. After that, Ursnif proceeds to hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. Then the malware begins monitoring web activity and steals payment information as soon as the victim visits a banking or payment webpage.

Communication with C&C

In order to avoid disclosing its domain names, the malware generates them locally using a Domain Generation Algorithm (DGA) instead of hardcoding them. Uniquely, the DGA gathers its input by taking bits of text from popular websites.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload and usually runs multiple iexplore.exe processes. Knowing this, you can look at the process tree a short while into execution and easily determine whether the sample is Ursnif or not.
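The two process-tree signals this page describes, the Office-to-cmd.exe-to-PowerShell launch chain from the execution section and the burst of iexplore.exe processes just mentioned, can be checked automatically over process-creation telemetry. The following is an added example written for this page, not ANY.RUN code; the event tuple format and the threshold of three iexplore.exe siblings are assumptions, and the events are constructed.

```python
# Added example (not ANY.RUN code): flag the Ursnif-style process chain and
# iexplore.exe burst described on this page. Event format (pid, ppid, image)
# and the sibling threshold are assumptions, not values from the page.
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe"}

# Constructed sample events, not real telemetry. One benign powershell.exe
# launched directly from explorer.exe is included as a negative case.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "winword.exe"),
    (300, 200, "outlook.exe"),
    (400, 300, "cmd.exe"),
    (500, 400, "powershell.exe"),
    (600, 100, "iexplore.exe"),
    (601, 100, "iexplore.exe"),
    (602, 100, "iexplore.exe"),
    (700, 100, "powershell.exe"),  # benign: no cmd.exe / Office ancestor
]


def find_ursnif_indicators(events, iexplore_threshold=3):
    """Return (indicator, detail) pairs found in the process events."""
    names = {pid: img.lower() for pid, _, img in events}
    parent = {pid: ppid for pid, ppid, _ in events}
    findings = []

    # Signal 1: powershell.exe whose ancestry passes through cmd.exe and an
    # Office application (document -> Outlook -> cmd.exe -> PowerShell).
    for pid, name in names.items():
        if name != "powershell.exe":
            continue
        chain, cur = [name], pid
        while cur in parent and parent[cur] in names:
            cur = parent[cur]
            chain.append(names[cur])
        if "cmd.exe" in chain and OFFICE_APPS & set(chain):
            findings.append(("office_to_powershell", " <- ".join(chain)))

    # Signal 2: several iexplore.exe processes spawned under the same parent.
    ie_by_parent = defaultdict(int)
    for _, ppid, img in events:
        if img.lower() == "iexplore.exe":
            ie_by_parent[ppid] += 1
    for ppid, n in ie_by_parent.items():
        if n >= iexplore_threshold:
            findings.append(("multiple_iexplore", f"{n} iexplore.exe under pid {ppid}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_ursnif_indicators(EVENTS):
        print(f"{indicator}: {detail}")
```

Run against real telemetry, the same logic applies to any process-creation source that records parent and child image names.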

Figure 2: Ursnif process tree

Conclusion

Being based on the source code of another malware that is already almost a decade old, Ursnif is a prime example of the fact that, when it comes to trojans, “old” does not mean ineffective.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and has managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, Ursnif takes active measures to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allow researchers to study this malware in depth and respond with appropriate countermeasures.

IOCs

