Ursnif

Ursnif, also known as Gozi, is one of the most widespread banking trojans. It is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed from the leaked source code of the older Gozi-ISFB trojan.

  • Type
    Trojan
  • Origin
    Unknown
  • First seen
    1 January, 2014
  • Last seen
    21 November, 2019
Also known as
Gozi
Dreambot
ISFB
Global rank
6
Week rank
10
Month rank
5
IOCs
3604

What is Ursnif malware?


Ursnif was first registered in 2014, when the Gozi-ISFB code was leaked. Since then it has kept evolving and gaining capabilities, which led it to become one of the most used banking trojans today.

General description of Ursnif

Ursnif is a dangerous piece of malware that can collect the victim's system activity, record keystrokes, and monitor network traffic and browser activity. The stolen data is packed into an archive before it is sent to the C2 server.

The malware reaches the user's machine through malicious Microsoft Office documents and requires macros to be enabled. Once opened, the document prompts the user to enable macros. If the user follows the instruction, the macro drops a VB script into the current user's temp directory; the script is then decoded automatically and downloads the malicious payload.

Some versions of Ursnif contain a macro that checks the victim's country using the Application.International property of MS Office. If the result does not match a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware also terminates execution if it detects that it is being launched on a virtual machine. The attackers implement this precaution to complicate analysis and, ideally for them, prevent the development of effective countermeasures.

Ursnif malware analysis

A video available at the ANY.RUN malware analysis service shows the execution of the malware in a lot of detail.

Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Ursnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep macros turned off, and never turn them on when prompted by a Microsoft Office file from an untrustworthy source, such as an email from an unknown sender. Following good online safety practices, such as not downloading attachments from suspicious emails, is another effective way to avoid infection.

Ursnif execution process

In our recording, execution starts when the user opens a Word or Excel file and enables the macro.

Ursnif abuses legitimate software such as Outlook to launch cmd.exe, which in turn spawns PowerShell; as a result, the shell's parent process is Outlook rather than the Word or Excel process that opened the document. If a campaign is aimed at select countries, the geolocation check happens at this stage. PowerShell then downloads and executes the final payload, which is Ursnif itself. Lastly, Ursnif begins its malicious activity and injects its code into the explorer.exe process.

After installation, the malware tries to inject into a running explorer.exe process to establish persistence. If the injection fails, Ursnif launches a new svchost.exe process and injects into it instead. It then hooks the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox, begins monitoring web activity, and steals payment information as soon as the victim visits a banking or payment webpage.

Communication with C&C

To avoid exposing its C2 domains, the malware generates domain names locally with a Domain Generation Algorithm (DGA) instead of hard-coding them. Unusually, the DGA builds the names from bits of text taken from popular websites, so the generated domains look like concatenated real words rather than random character strings.

The malware is also able to execute commands received from the control server.
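The paragraph above describes a dictionary-based DGA: the bot derives its C2 domains from words in a public text rather than from random characters. The following Python is an added example, not Ursnif's actual algorithm and not code from ANY.RUN; the seed text, the SHA-256 date-plus-key seeding, the word lengths, the TLD list and the domain count are all assumptions chosen to illustrate the technique. The text source is embedded (labelled as constructed) so the example runs offline. It shows both sides: the generator a bot would run, the defender's pre-computed blocklist for a window of days once the algorithm and key are recovered, and a word-segmentation check that flags such domains where character-entropy heuristics do not.

```python
import datetime as dt
import hashlib
import random
import re

# Constructed stand-in for the "text from a popular website" that the DGA draws words from.
# Embedded so the example runs offline; a real bot would fetch its word source at runtime.
SEED_TEXT = """We the people of the united states in order to form a more perfect union
establish justice insure domestic tranquility provide for the common defence promote
the general welfare and secure the blessings of liberty to ourselves and our posterity
do ordain and establish this constitution"""

TLDS = ("com", "net", "org")      # assumption: the real TLD list is not on the page
MIN_WORD, MAX_WORD = 4, 8         # assumption: usable word lengths
EXAMPLE_DAY = dt.date(2019, 11, 21)
EXAMPLE_KEY = "example-key"       # hypothetical per-build key


def word_pool(text=SEED_TEXT):
    """Lowercase alphabetic tokens of usable length, deduplicated and sorted so that the
    malware and the defender derive the identical pool from the same text."""
    words = re.findall(r"[a-z]+", text.lower())
    return sorted({w for w in words if MIN_WORD <= len(w) <= MAX_WORD})


def daily_seed(day, build_key):
    """Deterministic PRNG seed from the UTC date and a per-build key (both sides can compute it)."""
    material = f"{day.isoformat()}|{build_key}".encode()
    return int.from_bytes(hashlib.sha256(material).digest()[:8], "big")


def generate(day, build_key, count=10, words_per_domain=2):
    """Domains the bot would try on `day`: concatenated dictionary words plus a TLD."""
    pool = word_pool()
    rng = random.Random(daily_seed(day, build_key))
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(pool) for _ in range(words_per_domain))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def blocklist(start_day, days, build_key, **kw):
    """Defender side: with the algorithm and key recovered, pre-compute every domain for a window
    of days and push the set to DNS or proxy blocking."""
    return {d for i in range(days)
            for d in generate(start_day + dt.timedelta(days=i), build_key, **kw)}


def is_word_composed(domain, pool, max_words=3):
    """Defender-side heuristic: can the first label be segmented into 1..max_words pool words?
    Dynamic programming over prefixes; best[i] is the fewest words covering label[:i]."""
    label = domain.split(".")[0]
    words = set(pool)
    n = len(label)
    best = [None] * (n + 1)
    best[0] = 0
    for i in range(1, n + 1):
        for j in range(max(0, i - MAX_WORD), i):
            if best[j] is not None and label[j:i] in words:
                if best[i] is None or best[j] + 1 < best[i]:
                    best[i] = best[j] + 1
    return best[n] is not None and best[n] <= max_words


if __name__ == "__main__":
    pool = word_pool()
    for d in generate(EXAMPLE_DAY, EXAMPLE_KEY):
        print(d, "word-composed" if is_word_composed(d, pool) else "random-looking")
    print("zxciuniqhweizsds.com", is_word_composed("zxciuniqhweizsds.com", pool))
```

The segmentation check is only as good as the dictionary behind it; in practice a defender would use a large English word list rather than the single seed text, and would pair the check with the date-window blocklist, since a domain made of real words passes the entropy thresholds that catch character-based DGAs.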

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute its payload and usually runs multiple iexplore.exe processes. Knowing this, you can look at the process tree some time into the execution and easily determine whether the sample is Ursnif or not.

Figure 2: Ursnif process tree
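The execution chain described in the "Ursnif execution process" section (Office document, macro, Outlook launched through COM, cmd.exe, PowerShell, injection into explorer.exe) and the process-tree observation above (a burst of iexplore.exe processes) can be turned into detection logic over process-creation telemetry. The following Python is an added example, not ANY.RUN's code and not taken from any Ursnif sample. It runs over a constructed set of Sysmon Event ID 1 style events (PIDs, image names and timestamps are made up) and flags two things: any shell interpreter whose ancestry includes an Office application, which still catches the chain when cmd.exe's parent is Outlook rather than the Word process that opened the document; and a single parent launching several iexplore.exe processes within a short window.

```python
from collections import defaultdict

# Constructed process-creation events in the shape of Sysmon Event ID 1 (not real telemetry).
# `ts` is seconds since the start of the sandbox run. Outlook started through COM appears with a
# svchost.exe parent (the DCOM launcher), so cmd.exe's parent is Outlook, not the Word process.
SAMPLE_EVENTS = [
    {"ts": 0,   "pid": 4,    "ppid": 0,    "image": "System"},
    {"ts": 1,   "pid": 600,  "ppid": 4,    "image": "explorer.exe"},
    {"ts": 1,   "pid": 700,  "ppid": 4,    "image": "svchost.exe"},
    {"ts": 5,   "pid": 900,  "ppid": 600,  "image": "chrome.exe"},        # benign user activity
    {"ts": 10,  "pid": 1200, "ppid": 600,  "image": "WINWORD.EXE"},       # user opens the lure document
    {"ts": 11,  "pid": 1250, "ppid": 700,  "image": "OUTLOOK.EXE"},       # started through COM by the macro
    {"ts": 12,  "pid": 1300, "ppid": 1250, "image": "cmd.exe"},           # Outlook launches cmd.exe
    {"ts": 13,  "pid": 1400, "ppid": 1300, "image": "powershell.exe"},    # cmd.exe spawns the downloader
    {"ts": 40,  "pid": 1601, "ppid": 600,  "image": "iexplore.exe"},      # injected explorer.exe spawns IE
    {"ts": 41,  "pid": 1602, "ppid": 600,  "image": "iexplore.exe"},
    {"ts": 41,  "pid": 1603, "ppid": 600,  "image": "iexplore.exe"},
    {"ts": 43,  "pid": 1604, "ppid": 600,  "image": "iexplore.exe"},
    {"ts": 300, "pid": 1700, "ppid": 600,  "image": "iexplore.exe"},      # outside the window, not counted
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def lineage(pid, by_pid):
    """Image names from the root ancestor down to `pid`, lowercased. Stops on unknown or repeated PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def office_to_shell_chains(events):
    """Flag every shell interpreter that has an Office application anywhere among its ancestors.
    Returns the chain from the Office process down to the shell, e.g. ('outlook.exe', 'cmd.exe')."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        if e["image"].lower() not in SHELL_IMAGES:
            continue
        chain = lineage(e["pid"], by_pid)
        for i, img in enumerate(chain):
            if img in OFFICE_IMAGES:
                findings.append(tuple(chain[i:]))
                break
    return findings


def iexplore_bursts(events, threshold=3, window=60):
    """Flag a parent that launches at least `threshold` iexplore.exe processes within `window` seconds
    (sliding window over the sorted launch times per parent)."""
    launches = defaultdict(list)
    for e in events:
        if e["image"].lower() == "iexplore.exe":
            launches[e["ppid"]].append(e["ts"])
    bursts = []
    for ppid, times in sorted(launches.items()):
        times.sort()
        left, best = 0, 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts.append((ppid, best))
    return bursts


def detect(events):
    return {
        "office_to_shell": office_to_shell_chains(events),
        "iexplore_bursts": iexplore_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_EVENTS).items():
        print(name, hits)
```

Walking the full ancestry rather than checking only the direct parent is what makes the first rule survive the Outlook hop; a rule written as "winword.exe spawns cmd.exe" would miss this chain. Tune `threshold` and `window` against your own baseline: explorer.exe legitimately starts iexplore.exe when a user opens a link, but several launches within seconds with no user action is the pattern the process tree in Figure 2 shows.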

Conclusion

Being based on the source code of another malware family that is almost a decade old, Ursnif is a prime example that, when it comes to trojans, "old" does not mean ineffective.

On the contrary, despite its age, this malware is capable of devastating attacks and has become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, Ursnif takes active measures to prevent researchers from studying it. Thankfully, malware analysis services like ANY.RUN allow researchers to study it in depth and respond with appropriate countermeasures.

IOCs

IP addresses
184.168.221.60
173.239.8.164
198.54.117.218
85.187.184.182
47.254.233.86
91.139.196.113
185.158.248.101
45.132.19.167
212.42.121.53
198.54.117.212
198.54.117.215
198.54.117.210
162.255.119.37
184.168.221.52
186.87.135.97
13.64.25.102
89.47.94.113
81.88.57.68
5.56.73.146
45.67.231.81
Domains
cssrvsync.com
ncaa-rules.com
www.healyourchakras.com
www.bambootoyou.com
majul.com
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
isns.net
intraders-support.at
w8.wensa.at
elx01.knas.systems
anumal-planet.at
zxciuniqhweizsds.com
zonealarm.bit
carder.bit
ransomware.bit
specialtravels.org
gangfans.org
primetimer.org
