| Name | Ursnif |
| Additional Names | Gozi, Gozi-ISFB, Dreambot, Papras, Snifula |
| Type of Malware | Banking Trojan |
| Location – Country of Origin | Russia |
| Date of initial activity | 2000 |
| Associated Groups | APT28 (aka Fancy Bear, Sofacy, Sednit), APT34 (aka Lazarus Group), TA544, TA448, TA457 |
| Motivation | The motivation behind Ursnif malware is financial gain. The malware is designed to steal financial information from infected computers, such as credit card numbers, bank account numbers, and passwords. This information can then be used to commit fraud or identity theft. |
| Attack Vectors | Phishing emails, Malicious websites, Malware-infected, USB drives, Drive-by downloads |
| Targeted System | Windows |
Overview
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that spreads through Malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif’s web injection attacks include TLS callbacks in order to obfuscate against anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell that provides a reverse shell for connection to remote IP addresses. This allows a CTA to execute system commands via command line, enabling them to perform further reconnaissance as well as more effective lateral movement. Lastly, Ursnif has the ability to drop additional malware, such as ransomware.
Targets
- Individuals
- Businesses
- Government agencies
- Financial institutions
- Healthcare organizations
- Technology companies
- Media companies
- Education institutions
- Non-profit organizations
Tools/ Techniques Used
Ursnif’s initial access payloads usually require the target to enable Microsoft Office macros, which allows a pre-compiled executable to be fetched from an attacker-controlled server and executed on the target’s system. The second-stage process begins with Ursnif stealing any user credentials it can find, connecting to a command-and-control (C2) server, and downloading and installing additional second-stage modules.
Recent versions of Ursnif attempt to evade detection using a technique called LOLBins (short for Living Off the Land Binaries) that leverages native Windows software tools (e.g., powershell.exe, mshta.exe) to achieve its goals rather than importing tools. To increase stealth, newer versions of Ursnif link to Google Drive URLs to avoid using blocked domain names or IP addresses that security products would recognize. Ursnif also uses password-protected ZIP files, ensuring its payload is encrypted as it enters the network to evade less sophisticated security products.
Impact / Significant Attacks
In 2015, Ursnif was used to steal millions of dollars from banks in the United States and Europe.
In 2016, Ursnif was used to steal the personal information of millions of users of the Ashley Madison dating website.
In 2017, Ursnif was used to steal the personal information of millions of users of the LinkedIn social networking website.
In 2018, Ursnif was used to steal the personal information of millions of users of the Dropbox file-sharing service.
Indicators of Compromise (IoCs)
Domains
Gameindikdowd[.]ru
Iujdhsndjfks[.]ru
Jhgfdlkjhaoiu[.]su
reggy506[.]ru
renewbleenergey[.]ru
uelcoskdi[.]ru
IPs
185[.]189[.]151[.]38
185[.]189[.]151[.]61
194[.]58[.]102[.]187
194[.]76[.]224[.]95
194[.]76[.]227[.]159
31[.]214[.]157[.]31
45[.]11[.]182[.]30
79[.]132[.]128[.]228
91[.]241[.]93[.]111
94[.]198[.]54[.]97
Ursnif Banking Trojan Attack
- Ursnif arrives as an attachment in a spammed email.
- Ursnif drops malicious component files onto the affected system. Creates autostart registries to ensure automatic execution upon startup.
- Ursnif injects itself into certain processes and infects files that have certain extensions.
- Ursnif gathers systems information such as digital certificates, active processes and cookies. This is sent to a C&C server.
References
