Ursnif

  ursnif gozi dreambot trojan loader

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type
Trojan
Origin
Unknown
First seen
1 January, 2014
Last seen
11 July, 2020
Also known as
Gozi
Dreambot
ISFB
Global rank
6
Week rank
9
Month rank
7
IOCs
9752
Last Seen at
11 July, 2020
Malicious activity
afterbirth.rs.zip
trojan
gozi
ursnif
dreambot
10 July, 2020
Malicious activity
45763478ad7f43aa83ebaaea28bafaac6835bec45bf8c6948cf5dd454b6e30c7
gozi
ursnif
dreambot
trojan
9 July, 2020
Malicious activity
track_num.vbs
evasion
trojan
hancitor
pony
fareit
stealer
gozi
ursnif
dreambot
9 July, 2020
Malicious activity
presentation_75698.zip
evasion
trojan
gozi
ursnif
dreambot
9 July, 2020
Malicious activity
345330
macros
macros-on-open
loader
malscr-1
trojan
gozi
ursnif
dreambot
9 July, 2020
Malicious activity
Odeca.zip
loader
trojan
gozi
ursnif
dreambot
9 July, 2020
Malicious activity
documenti_07.20.doc
macros
macros-on-open
generated-doc
loader
trojan
gozi
ursnif
dreambot
9 July, 2020
Malicious activity
Info.zip
opendir
loader
trojan
gozi
ursnif
dreambot
9 July, 2020
Malicious activity
64632.doc
trojan
gozi
ursnif
dreambot
9 July, 2020
Malicious activity
SPAM2.zip
loader
trojan
gozi
ursnif
dreambot
TRACK THEM ALL AT
Public Submissions

What is Ursnif malware?

Ursnif, also known as Gozi is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed based on the leaked source code of a fairly old Gozi-ISFB trojan.

The trojan has been registered for the first time in 2014 when Gozi-ISFB code got leaked. Since then, Ursnif has been evolving and becoming more powerful, which lead it to become one of the top used banking trojans today.

General description of Ursnif

Ursnif Trojan is a dangerous malware that can collect system activity of the victims, record keystrokes, as well as keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get into the users’ machine and requires macros to be activated. Once opened, the document will prompt the user into enabling macros. If the user plays along with the instruction, the malware drops a VB script into the temp directory of the current user, upon which it is automatically decoded and the malicious payload is downloaded.

Some versions of Ursnif contain a macro that is programmed to check the country using the Application. International MS Office property. If the result does not correspond to a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. This precaution is implemented by hackers in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video available at ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail.

ursnif gozi dreambot execution graph Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Urnsnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to make sure to keep the macros turned off and definitely not turn them on if prompted by a Microsoft Office file which was downloaded from an untrustworthy source, such as an email from the unknown sender. Following good practices as of staying safe online such as not downloading files from suspicious emails is another great way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro.

Ursnif trojan uses exploits to start legitimate software like Outlook which in turn launches cmd.exe only to spawn PowerShell. If a strike is directed at select countries, the malware checks where the victim is from during this stage. Then, PowerShell downloads and executes the final payload which is Ursnif itself. Lastly, Ursnif starts malicious activities and injects its code into the explorer.exe process.

After installation, the malware will try to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif will launch a new svchost.exe process and inject into it instead. After that, Ursnif will proceed to hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. Then, the malware will begin monitoring web activity and steal the payment information as soon as the victim visits a banking or a payment webpage.

Communication with C&C

In order to prevent domain name disclosure, the malware generates the domain names locally using the Domain Generation Algorithm (DGA) instead of them being hardcoded. Uniquely, the malware gathers information for domain name generation in the DGA process by taking bits of text from popular websites.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload and usually, it runs multiple iexplorer.exe processes. Knowing this information you can take a look at the process tree after a while during execution and easily determine either sample is Ursnif or not.

ursnif process tree Figure 2: Ursnif process tree

Conclusion

Being based on the source code of another malware which is already almost a decade old, Ursnif is a prime example of the fact that when it comes to trojans “old”, does not mean ineffective.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, Ursnif takes active actions in order to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allows researchers to study this malware in-depth and respond with appropriate countermeasures.

IOCs

IP addresses
204.11.56.48
20.190.129.19
40.90.22.191
20.190.129.24
40.90.22.190
20.190.129.130
40.90.22.188
40.90.22.184
40.126.1.166
20.190.129.133
20.190.129.160
40.90.22.192
104.215.148.63
81.17.18.198
40.90.22.186
40.90.22.183
8.208.80.226
198.54.117.197
195.22.26.248
40.126.1.130
Hashes
45763478ad7f43aa83ebaaea28bafaac6835bec45bf8c6948cf5dd454b6e30c7
2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b
471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975
a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852
9d9131ae9cce7035b2a391bff920691ae4b32439b79ee84278a87dbc20190b10
e0b15c5b68a21db7a86f92689c5df63d343a52e3e7b09d19f3ffbf941b32c4d1
df638bde1ffafcfb7a25fe30b631d549299f9502f23efc47fc5efaa118e96b97
a2a806804942da76a55837baf6011c0a5aff294833d464e983f37aa0d09eeb70
765ce3d6bab4deabdb55e34ed66f54b8f04f74496a011e4308dc7c307776b27b
17cfbcecb69a2601d8000c37afa4d18edcf0892982f5fa13908d864142f30ffa
70273a3a48316f382bdc1b623876f5df804295a82eecf77ff70e39c2f4970327
7bc9d1453bb84033fd82500f10db64cbf221c4286ed3eba7928249dae6d67675
46abb99506357a1c9ee8663405ac1413c200b8e852d1869789b304a003526026
de84407bfadcf3189e9a77e0f1ba5e4f79a9ba4d36f4b1052545646375139651
d3b60605f9e3bdc65f90ef42e3d6b477cbf9c1c154779a7b3146ef73d2c30590
9a3467911eaf0122aade59ef8636d005f251ef1e6fb23295bdac92376ae0fb82
f0b0d9e78ff6b73d33144d7bc0950d273dd720789540cb52e0aee1f3bde09918
434f11160ed981c96dbebfc548726b3080a497eb62519f36fee1e1bea3315dd4
18d29cde72622246d9c58e3a6494ecec51be77ceceff8560051c7b562e31efc3
f1544bd374d32ab2fbfe16b56db6448bbb5d45930c9e09757c9414c4cb83904e
Domains
192-168-100-87.abcdefghijklmnopqrstuvwxyz012345.plex.direct
isns.net
oceanlinen.com
www.1xqry.com
content.mailplus.nl
majul.com
smtp.bioaccentonline.us
yotube.com
elx01.knas.systems
www.healingherds.com
autologon.microsoftazuread-sso.com
login.windows.net
gaw.explik.at
cdn.arsis.at
rmsdocumentation.com
www.coolcdrom.com
dub2.next.a.prd.aadg.trafficmanager.net
static.tildacdn.com
px.spiceworks.com
shop.definitelykingsley.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More