Ursnif

Ursnif is a banking Trojan that usually infects corporate victims. It is based on older malware but has been substantially updated over the years and has become quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2014
Last seen: 26 January, 2023
Also known as: Gozi, Dreambot, ISFB
Global rank: 11
Week rank: 23
Month rank: 27
IOCs: 45783

What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed based on the leaked source code of a fairly old Gozi-ISFB trojan.

The trojan was registered for the first time in 2014, when the Gozi-ISFB code got leaked. Since then, Ursnif has been evolving and becoming more powerful, which led it to become one of the most used banking trojans today.

General description of Ursnif trojan

Ursnif Trojan is a dangerous malware that can collect the system activity of the victims, record keystrokes, and keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get onto the user's machine and requires macros to be enabled. Once opened, the document prompts the user to enable macros. If the user follows the instruction, the macro drops a VB script into the current user's temp directory; the script is then automatically decoded and downloads the malicious payload.

According to the analysis, some versions of Ursnif contain a macro that checks the victim's country using the Application.International MS Office property. If the result does not match a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. Hackers implement this precaution technique in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video available at the ANY.RUN malware analysis service lets us watch the malware's execution in a lot of detail. You can also investigate other malware such as Hawkeye or Raccoon.

Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Ursnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep macros turned off and not enable them when prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from an unknown sender. In addition, following good online safety practices, such as not downloading files from suspicious emails, is another effective way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro. Ursnif uses the browser's COM object to connect to its C2 server and receive additional data.

Based on the analysis, Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn a PowerShell script. If a strike is directed at select countries, the malware checks where the victim is from during this stage. Then, the PowerShell script downloads and executes the final payload, which is Ursnif itself. Lastly, the loader starts malicious activities and injects its code into the explorer.exe process.

After installation, the malware tries to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif launches a new svchost.exe process and injects itself into that instead; this behaviour is a useful pointer for detection. After that, Ursnif hooks the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. The loader uses the browser's COM object to communicate with its C2 server. The malware then monitors web activity and steals payment information as soon as the victim visits a banking or payment webpage, sending the collected data to the C2 server via the IE COM object.

Communication with C&C

In order to prevent domain name disclosure, the malware generates the domain names locally using the technique of the Domain Generation Algorithm (DGA) instead of them being hardcoded. Uniquely, the malware gathers information for domain name generation in the DGA process by taking bits of text from popular websites. If you decrypt the URL in the script, you may get the data sent to the C2 server.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload, and it usually runs multiple iexplore.exe processes. The loader creates the COM object through a hidden API function. Knowing this, take a look at the process tree a short while into execution to determine whether the sample is Ursnif or not, and check the script to find out whether a suspicious URL corresponds to malware activity.
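The process-tree indicators described in the execution section and here (an Office application spawning cmd.exe that spawns PowerShell, a svchost.exe started by something other than services.exe after a failed explorer.exe injection, and several iexplore.exe instances driven through COM) can be checked mechanically. The script below is an added example, not ANY.RUN's own detection logic; the process tree is constructed for illustration (Sysmon event ID 1 or a sandbox process list would supply a real one), and the image names and the iexplore.exe threshold are assumptions that a defender would tune to their environment.

```python
"""Heuristic triage of a process tree for the Ursnif execution chain.

Added example. The trees below are constructed, not taken from a capture:
each entry is (pid, ppid, image name).
"""

# Office hosts from which the macro-driven chain starts (assumption).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed tree resembling the chain described on the page.
SAMPLE_TREE = [
    (4, 0, "System"),
    (600, 4, "services.exe"),
    (900, 600, "svchost.exe"),       # legitimate: parent is services.exe
    (1100, 4, "winlogon.exe"),
    (1150, 1100, "userinit.exe"),
    (1200, 1150, "explorer.exe"),
    (2000, 1200, "WINWORD.EXE"),     # user opened the document
    (2100, 2000, "cmd.exe"),         # macro -> cmd.exe
    (2200, 2100, "powershell.exe"),  # cmd.exe -> PowerShell downloader
    (2300, 2200, "svchost.exe"),     # payload's fallback after failed explorer injection
    (2400, 1200, "iexplore.exe"),    # COM-driven browser instances
    (2500, 1200, "iexplore.exe"),
    (2600, 1200, "iexplore.exe"),
]

# Constructed benign tree: a user working in Word with one browser window.
BENIGN_TREE = [
    (4, 0, "System"),
    (600, 4, "services.exe"),
    (900, 600, "svchost.exe"),
    (1100, 4, "winlogon.exe"),
    (1150, 1100, "userinit.exe"),
    (1200, 1150, "explorer.exe"),
    (2000, 1200, "WINWORD.EXE"),
    (2400, 1200, "iexplore.exe"),
]


def build_index(tree):
    """Map pid -> (ppid, lower-cased image name) for quick ancestry walks."""
    return {pid: (ppid, name.lower()) for pid, ppid, name in tree}


def ancestors(by_pid, pid):
    """Yield image names walking from the parent upward (cycle-safe)."""
    seen = set()
    ppid = by_pid[pid][0]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield by_pid[ppid][1]
        ppid = by_pid[ppid][0]


def find_office_to_powershell(by_pid):
    """PIDs of powershell.exe whose parent is cmd.exe under an Office app."""
    hits = []
    for pid, (_, name) in by_pid.items():
        if name != "powershell.exe":
            continue
        chain = list(ancestors(by_pid, pid))
        if len(chain) >= 2 and chain[0] == "cmd.exe" and chain[1] in OFFICE_APPS:
            hits.append(pid)
    return hits


def find_orphan_svchost(by_pid):
    """svchost.exe instances not started by services.exe."""
    return [
        pid for pid, (ppid, name) in by_pid.items()
        if name == "svchost.exe"
        and by_pid.get(ppid, (None, ""))[1] != "services.exe"
    ]


def count_iexplore(by_pid):
    """Number of iexplore.exe processes in the tree."""
    return sum(1 for _, (_, name) in by_pid.items() if name == "iexplore.exe")


def triage(tree, iexplore_threshold=2):
    """Return a list of human-readable findings; empty means nothing matched."""
    by_pid = build_index(tree)
    findings = []
    for pid in find_office_to_powershell(by_pid):
        findings.append(f"Office -> cmd.exe -> powershell.exe chain ending in pid {pid}")
    for pid in find_orphan_svchost(by_pid):
        findings.append(f"svchost.exe pid {pid} was not started by services.exe")
    n = count_iexplore(by_pid)
    if n >= iexplore_threshold:
        findings.append(f"{n} iexplore.exe processes running (threshold {iexplore_threshold})")
    return findings


if __name__ == "__main__":
    for label, tree in (("sample", SAMPLE_TREE), ("benign", BENIGN_TREE)):
        print(f"{label}: {triage(tree) or ['no findings']}")
```

None of these checks proves an infection on its own; the point is that the three indicators together, appearing within a short window of a document being opened, match the chain the page describes, which is what an analyst reads off the ANY.RUN process graph by eye.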

Figure 2: Ursnif process tree

Conclusion

Based on the source code of another malware that is already almost a decade old, Ursnif is a prime example of the fact that “old” does not mean ineffective when it comes to trojans.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and has managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, the loader takes active measures to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allow researchers to study this malware in depth and respond with appropriate countermeasures.

IOCs

IP addresses
62.173.154.224
190.147.189.122
54.177.212.176
141.94.176.124
51.89.115.213
162.255.119.93
192.64.119.244
173.232.146.172
185.158.248.143
20.190.129.24
124.109.61.160
52.139.84.159
192.42.116.41
185.53.179.7
194.76.225.112
45.95.168.70
46.20.33.219
187.190.48.60
79.110.52.244
45.132.18.126
Hashes

Domains
cloudflare.hcaptcha.com
surl.li
hosting.miarroba.info
t.netcatkit.com
www.gnu.org
verify.ccleaner.com
vcctggqm3t.dattolocal.net
zefoy.com
booking.msg.bluhotels.com
0.pool.ntp.org
www.tm.a.prd.aadg.trafficmanager.net
ex3mall.com
freeshmex.at
fresherlights.com
uaery.top
gayworld.at
winnlinne.com
derioswinf.org
azd.at

