Ursnif

  ursnif gozi dreambot trojan loader

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Type
Trojan
Origin
Unknown
First seen
1 January, 2014
Last seen
31 July, 2021
Also known as
Gozi
Dreambot
ISFB
Global rank
6
Week rank
13
Month rank
9
IOCs
18890
Last Seen at
28 July, 2021
Malicious activity
mental.dll
trojan
gozi
ursnif
dreambot
28 July, 2021
Malicious activity
https://181.137.131.157
trojan
gozi
ursnif
dreambot
21 July, 2021
Malicious activity
4d929f61b964a7683ff3f2cea3a79f3f240c199a3593660620a331d8d8e80afc
trojan
gozi
ursnif
dreambot
20 July, 2021
Malicious activity
d80dd14a7657d0bfb3714c5fed12685f9f875f1903044975999f4b98f2c4b99d
trojan
gozi
ursnif
dreambot
blacknet
14 July, 2021
Malicious activity
156.exe
trojan
gozi
ursnif
dreambot
12 July, 2021
Malicious activity
info_55622.xlsb
macros40
loader
trojan
gozi
ursnif
dreambot
10 July, 2021
Malicious activity
rsm2.7z
trojan
ramnit
gozi
ursnif
evasion
stealer
10 July, 2021
Malicious activity
rsm2.7z
trojan
loader
rat
remcos
gozi
ursnif
dreambot
evasion
stealer
ransomware
troldesh
shade
ramnit
9 July, 2021
Malicious activity
d7b.dll
trojan
gozi
ursnif
dreambot
5 July, 2021
Malicious activity
apiMM1M1.exe
trojan
gozi
ursnif
evasion
dreambot
stealer
TRACK THEM ALL AT
Public Submissions

What is Ursnif malware?

Ursnif, also known as Gozi, is one of the most widely spread banking trojans – it is aimed at stealing banking credentials and usually targets corporate victims. The malware was developed based on the leaked source code of a fairly old Gozi-ISFB trojan.

The trojan was registered for the first time in 2014 when the Gozi-ISFB code got leaked. Since then, Ursnif has been evolving and becoming more powerful, which lead it to become one of the top used banking trojans today.

General description of Ursnif

Ursnif Trojan is a dangerous malware that can collect the system activity of the victims, record keystrokes, and keep track of network traffic and browser activity. The malware stores the data in an archive before sending it to the C2.

The malware uses malicious Microsoft Office documents to get into the users’ machine and requires macros to be activated. Once opened, the document will prompt the user to enable macros. If the user plays along with the instruction, the malware drops a VB script into the temp directory of the current user, upon which it is automatically decoded, and the malicious payload is downloaded.

Some versions of Ursnif contain a macro that is programmed to check the country using the Application. International MS Office property. If the result does not correspond to a list of pre-selected countries, the malware terminates its execution.

Interestingly, the malware terminates execution if it detects that it’s being launched on a virtual machine. Hackers implement this precaution in order to complicate the analysis process and, hopefully, prevent the effective development of countermeasures.

Ursnif malware analysis

A video available at ANY.RUN malware analysis service allows us to see a simulation of the malware execution in a lot of detail.

ursnif gozi dreambot execution graph Figure 1: A visual process graph generated by ANY.RUN shows the lifecycle of Urnsnif

How to avoid infection by Ursnif?

The best way to stay safe from Ursnif is to keep the macros turned off and not turn them on if prompted by a Microsoft Office file downloaded from an untrustworthy source, such as an email from the unknown sender. In addition, following good practices of staying safe online such as not downloading files from suspicious emails, is another great way to avoid infection.

Ursnif execution process

In the case of our simulation, the execution of the malware starts when the user opens a Word or Excel file and enables the macro.

Ursnif trojan uses exploits to start legitimate software like Outlook, which in turn launches cmd.exe only to spawn PowerShell. If a strike is directed at select countries, the malware checks where the victim is from during this stage. Then, PowerShell downloads and executes the final payload, which is Ursnif itself. Lastly, Ursnif starts malicious activities and injects its code into the explorer.exe process.

After installation, the malware will try to inject into an active explorer.exe process to establish persistence. If the injection fails, Ursnif will launch a new svchost.exe process and inject into it instead. After that, Ursnif will hook the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. Then, the malware will begin monitoring web activity and steal the payment information as soon as the victim visits a banking or a payment webpage.

Communication with C&C

In order to prevent domain name disclosure, the malware generates the domain names locally using the Domain Generation Algorithm (DGA) instead of them being hardcoded. Uniquely, the malware gathers information for domain name generation in the DGA process by taking bits of text from popular websites.

The malware is also known to be able to execute commands received from the control server.

How to detect Ursnif using ANY.RUN?

Ursnif uses COM objects to execute the malware's payload, and usually, it runs multiple iexplorer.exe processes. Knowing this information, you can take a look at the process tree after a while during execution and easily determine either sample is Ursnif or not.

ursnif process tree Figure 2: Ursnif process tree

Conclusion

Based on the source code of another malware that is already almost a decade old, Ursnif is a prime example of the fact that “old” does not mean ineffective when it comes to trojans.

On the contrary, despite its age, this malware is capable of launching devastating cyber attacks and managed to become one of the most popular banking trojans in the world. In addition to its powerful trojan functionality, Ursnif takes active actions to prevent researchers from studying it. Thankfully, malware hunting services like ANY.RUN allows researchers to study this malware in-depth and respond with appropriate countermeasures.

IOCs

IP addresses
20.73.194.208
51.124.78.146
23.202.231.167
23.202.231.167
204.11.56.48
58.158.177.102
198.54.117.212
74.220.199.6
65.55.44.109
162.255.119.184
81.17.18.194
181.137.131.157
198.54.117.217
198.54.117.210
13.224.193.50
104.215.148.63
185.228.233.17
40.112.72.205
35.205.61.67
184.24.20.30
Hashes
45efeab42297dcbb8c90617857c3285d54300c42067d2d97a6b5c81c309608a5
59f4a4165a014326526a1c9e8bf6a7730f0ed81ba020ab3f7e130b55deed6abf
d403c9a7f0a68755b906c4890787db30c209c919932155e6cf4f0e944177be66
ed79b8b5c926cd8e39171c45ecdf306893b224e4f4b9b8982f5e5febfa3708c6
1982f2086a0e502def7c45750f4c499b342e88d12842258b800fc47b30b6c2e5
76c8a9dbff9b571500729611595f1a1bce8dab543922d731c3bb42af5477f517
2e0b219c5ac3285a08e126f11c07ea3ac60bc96d16d37c2dc24dd8f68c492a74
9945192364ed4ae21420e21e8969e5b39abc0f2b2a6102192d2476641d145761
dabc3a61eea1acfc03f122125368407f594368f52e07e1b9b83abd431cbd2db7
5f80030ad1a8501c0481e15d266068031ca7c73c001e66d8df9a7b55b6059143
5ad3c5f835c617685d862367dbc0aa09c7bdaf77ccfffb1e664c3a20f0a48d7f
284207cc43d35eedfec82a381466336bd8b05a80bd36daed6258d3165b5afd7d
a5373371baba299242bb7bcdceb621a5ec950ab01cfeed4884576c3738403583
9ff66b8188371c6ef751637d725cf4588aad819ac191e68dc1a6b28c1867cf09
e2e30d4f8c1899a6ddb9554733ad7c1c08f3115fe91150acf097afaae250f156
49bef3c230eeafc5eac838656560a8809ba93bae84525b7afdb1b2e8c1d79460
928c6c2628079ffc378749772980814cfd15616bcf0ab6785b5b433d88383b0f
b22cce5826523e14b395a638e58aa57f320ee359da8f59b9ad18d099f7e648b1
7ec1e67392d80fbd8360c8fc77455cb0c156fdf7a8b8eaaf03faa0ae87f27dc8
61ec0af6709230224c2302f1160220a20937d75f9059e47fb8e472140c45a4f0
Domains
cutchie.com
bonkacho.com
ihakispamhous.ru
prophosthdor.su
www.marinadimarsala.it
www.igsale.shop
www.kreativraum-elsdorf.de
sansui.store
afvalpillen-bestellen.nl
proteus-network.ml
osfnNsqepDXDVKsvd.osfnNsqepDXDVKsvd
www.tawaraseihonjo.com
www.lazz.life
hgfghfgnn.com
www.kt.digital
www.katielegget.com
regisforbelowactu.net
www.limoreloves.com
ninjagames.top
www.hangingpeers2.xyz

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More