1. Home
  2. Software
  3. Ursnif

Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

ID: S0386
Associated Software: Gozi-ISFB, PE_URSNIF, Dreambot
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 04 June 2019
Last Modified: 23 April 2021

Associated Software Descriptions

Name Description
Gozi-ISFB

[4][2]
PE_URSNIF

[3]
Dreambot

[1][2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Ursnif has used HTTPS for C2.[3][4][2]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Ursnif has used Registry Run keys to establish automatic execution at system startup.[5][6]
Enterprise T1185 Browser Session Hijacking

Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).[6]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[7]
.005 Command and Scripting Interpreter: Visual Basic

Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.[7]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.[5]
Enterprise T1132 Data Encoding

Ursnif has used encoded data in HTTP URLs for C2.[2]

Enterprise T1005 Data from Local System

Ursnif has collected files from victim machines, including certificates and cookies.[6]
Enterprise T1074 .001 Data Staged: Local Data Staging

Ursnif has used tmp files to stage gathered information.[3]
Enterprise T1140 Deobfuscate/Decode Files or Information

Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[2]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Ursnif has used a DGA to generate domain names for C2.[2]
Enterprise T1041 Exfiltration Over C2 Channel

Ursnif has used HTTP POSTs to exfil gathered information.[3][4][2]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Ursnif droppers have used COM properties to execute malware in hidden windows.[7]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Ursnif has deleted data staged in tmp files after exfiltration.[3]
Enterprise T1105 Ingress Tool Transfer

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[5][6]
Enterprise T1056 .004 Input Capture: Credential API Hooking

Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.[3]
Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Ursnif droppers have used COM objects to execute the malware's full executable payload.[7]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[3]
Enterprise T1112 Modify Registry

Ursnif has used Registry modifications as part of its installation routine.[6][2]
Enterprise T1106 Native API

Ursnif has used CreateProcessW to create child processes.[4]
Enterprise T1027 Obfuscated Files or Information

Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[2] Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.[7]
Enterprise T1057 Process Discovery

Ursnif has gathered information about running processes.[3][6]
Enterprise T1055 .005 Process Injection: Thread Local Storage

Ursnif has injected code into target processes via thread local storage callbacks.[3][5][4]
.012 Process Injection: Process Hollowing

Ursnif has used process hollowing to inject into child processes.[4]
Enterprise T1090 Proxy

Ursnif has used a peer-to-peer (P2P) network for C2.[1][2]
.003 Multi-hop Proxy

Ursnif has used Tor for C2.[1][2]
Enterprise T1012 Query Registry

Ursnif has used Reg to query the Registry for installed programs.[3][6]
Enterprise T1091 Replication Through Removable Media

Ursnif has copied itself to and infected removable drives for propagation.[3][8]
Enterprise T1113 Screen Capture

Ursnif has used hooked APIs to take screenshots.[3][6]
Enterprise T1082 System Information Discovery

Ursnif has used Systeminfo to gather system information.[3]
Enterprise T1007 System Service Discovery

Ursnif has gathered information about running services.[3]
Enterprise T1080 Taint Shared Content

Ursnif has copied itself to and infected files in network drives for propagation.[3][8]
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.[8]
Enterprise T1047 Windows Management Instrumentation

Ursnif droppers have used WMI classes to execute PowerShell commands.[7]

Groups That Use This Software

ID Name References
G0127 TA551

[9][10][11][12]

References

  1. NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.
  2. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  3. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  4. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
  5. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  6. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  1. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  2. Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.
  3. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  4. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  5. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  6. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.