Ursnif is a long-running banking trojan that steals credentials, downloads other malware, and acts as a keylogger. It is primarily delivered via spear-phishing emails that impersonate authorities and exploit current events, using macro-enabled attachments and HTA-based loaders to gain initial access. #Ursnif #Gozi #Dreambot #ISFB #DHL #Zoom #Webex
Keypoints
- Ursnif is described as one of the most widespread banking trojans, with theft, downloader, and keylogging capabilities.
- Phishing-driven infection chains dominate, including XLS macros and HTA-based attachments designed to download binaries.
- Techniques include macro execution for initial access and parent PID (PPID) spoofing via UpdateProcThreadAttribute, so the dropped process appears to be the child of a legitimate process such as explorer.exe rather than of the script host that actually launched it.
- HTA-driven infections leverage PowerShell to download a DLL and execute it via rundll32.exe, with multi-layer obfuscation.
- The Ursnif loader uses in-memory unpacking, APC/thread injection, and a decrypted BSS section that reveals config details and encryption keys.
- The final payload includes a keylogger and harvests browser credentials, cookies, and system information, which it exfiltrates over encrypted C2 communications.
- IOCs provided include a set of malicious domains and SHA-256 hashes for the XLS/HTA/loader/payload artifacts.
MITRE Techniques
- [T1566.001] Phishing – Spear phishing attachments used to deliver macros. ‘phishing emails with a macro embedded XLS attachment or a zip attachment containing an HTA file’
- [T1204.002] User Execution – Macro content execution after user action. ‘Once the User enables macro content, the macro gets executed which further downloads the executable binary.’
- [T1547.001] Boot or Logon Autostart – Startup persistence via Run Keys/Startup Folder. ‘Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)’
- [T1055.004] Asynchronous Procedure Call – Thread APC injection to run code in another thread. ‘uses the Thread APC injection technique to execute malicious code in another thread’
- [T1134.004] Parent PID Spoofing – Spoofing the parent process to evade detection. ‘PPID spoofing’ and ‘UpdateProcThreadAttribute to perform parent PID spoofing’
- [T1555.003] Credentials from Web Browsers – Browser credential harvesting. ‘collects Chrome, Firefox, and Microsoft Edge browsers’ sensitive info like credentials, cookies’
- [T1010] Application Window Discovery – Discovery of application window context. ‘Application Window Discovery (T1010)’
- [T1115] Clipboard Data – Exfiltration of clipboard contents. ‘Clipboard Data (T1115)’
- [T1071.001] Web Protocols – C2 communications over web protocols. ‘Application Layer Protocol: Web Protocols (T1071.001)’
- [T1041] Exfiltration Over C2 Channel – Data exfiltration through the C2 channel. ‘Exfiltration Over C2 Channel (T1041)’
- [T1059.001] PowerShell – PowerShell-based execution. ‘PowerShell (T1059.001)’
- [T1059.005] Visual Basic – VB-based scripting/interpretation. ‘Command and Scripting Interpreter: Visual Basic (T1059.005)’
- [T1218.010] System Binary Proxy Execution: Regsvr32 – Proxy execution using Regsvr32. ‘System Binary Proxy Execution – Regsvr32 (T1218.010)’
- [T1218.011] System Binary Proxy Execution: Rundll32 – Proxy execution using Rundll32. ‘System Binary Proxy Execution – Rundll32 (T1218.011)’
- [T1007] System Service Discovery – Discovering services on the host. ‘System Service Discovery (T1007)’
- [T1012] Query Registry – Registry query operations. ‘Query Registry (T1012)’
- [T1082] System Information Discovery – Collecting system information. ‘System Information Discovery (T1082)’
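The techniques above map onto a small process-tree detection: the mshta.exe → powershell.exe → rundll32.exe chain (T1059.001, T1218.011) and the parent PID spoofing (T1134.004) that makes the dropped binary look like a child of explorer.exe. The following is an added example written for this page, not code from the original report. It runs over constructed, Sysmon-style process-creation records; the `creator_pid` field is an assumption, standing in for the real creating PID that a kernel ETW process-creation source would supply, which is what the spoofed `ppid` has to be compared against.

```python
"""Process-tree detections for the HTA chain and the PPID-spoofed drop.

Input is constructed, Sysmon-style process-creation data. `creator_pid` is an
assumed extra field (real creating PID from a kernel ETW source); Sysmon alone
reports only the spoofed parent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe")
PROXY_BINS = ("rundll32.exe", "regsvr32.exe")
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "-enc", "-encodedcommand")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int                          # parent PID as reported by the process-creation event
    image: str                         # executable basename, lower-case
    cmdline: str
    creator_pid: Optional[int] = None  # assumed: real creating PID from a kernel ETW source


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 800, "userinit.exe", "userinit.exe", creator_pid=800),
    ProcEvent(4000, 1000, "explorer.exe", "explorer.exe", creator_pid=1000),
    ProcEvent(4200, 4000, "mshta.exe", r'mshta.exe "C:\Users\u\Downloads\invoice.hta"', creator_pid=4000),
    ProcEvent(4300, 4200, "powershell.exe", "powershell.exe -w hidden -enc SQBFAFgAIAA", creator_pid=4200),
    ProcEvent(4400, 4300, "rundll32.exe", r"rundll32.exe C:\Users\Public\lib.dll,DllRegisterServer", creator_pid=4300),
    # Dropped binary claims explorer.exe as its parent, but the kernel saw powershell.exe create it.
    ProcEvent(4500, 4000, "update.exe", r"C:\Users\u\AppData\Roaming\update.exe", creator_pid=4300),
    # Benign rundll32 launched by a service host whose record is not in the sample.
    ProcEvent(5000, 900, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", creator_pid=900),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def effective_parent(e: ProcEvent, trust_reported_parent: bool) -> int:
    """Parent used when walking the tree: the reported ppid, or the kernel's creator if known."""
    if trust_reported_parent or e.creator_pid is None:
        return e.ppid
    return e.creator_pid


def ancestors(pid: int, by_pid: Dict[int, ProcEvent],
              trust_reported_parent: bool = True, max_depth: int = 8) -> List[ProcEvent]:
    """The process and its ancestors, child first; stops at unknown PIDs, cycles or max_depth."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(effective_parent(cur, trust_reported_parent))
    return chain


def detect_hta_chain(events: List[ProcEvent]) -> List[int]:
    """PIDs of rundll32/regsvr32 whose ancestry has powershell.exe under mshta.exe and whose
    PowerShell ancestor carries a download or encoded-command marker."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if e.image not in PROXY_BINS:
            continue
        chain = ancestors(e.pid, by_pid)
        images = [a.image for a in chain]
        if "powershell.exe" not in images or "mshta.exe" not in images:
            continue
        ps_idx = images.index("powershell.exe")
        if ps_idx > images.index("mshta.exe"):
            continue  # mshta.exe must sit above powershell.exe in the tree
        if any(m in chain[ps_idx].cmdline.lower() for m in DOWNLOAD_MARKERS):
            hits.append(e.pid)
    return hits


def detect_ppid_spoof(events: List[ProcEvent]) -> List[int]:
    """PIDs whose reported parent differs from the process the kernel saw create them."""
    return [e.pid for e in events if e.creator_pid is not None and e.creator_pid != e.ppid]


def detect_drop_from_script_host(events: List[ProcEvent], trust_reported_parent: bool = False) -> List[int]:
    """PIDs whose parent is a scripting host and whose command line references a user-writable
    path. With trust_reported_parent=True the spoofed parent hides the dropped binary."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(effective_parent(e, trust_reported_parent))
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        if any(p in e.cmdline.lower() for p in USER_WRITABLE):
            hits.append(e.pid)
    return sorted(hits)


if __name__ == "__main__":
    print("HTA chain:", detect_hta_chain(SAMPLE_EVENTS))
    print("PPID spoof:", detect_ppid_spoof(SAMPLE_EVENTS))
    print("drops, reported parent:", detect_drop_from_script_host(SAMPLE_EVENTS, trust_reported_parent=True))
    print("drops, kernel parent:", detect_drop_from_script_host(SAMPLE_EVENTS))
```

The last two calls make the point of the spoofing technique: walking the tree by the reported parent finds only the rundll32 step, while walking it by the creating process also surfaces the dropped update.exe that claims explorer.exe as its parent.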
Indicators of Compromise
- [Domain] – Malicious domains used for hosting C2 and phishing infrastructure: Cloudlines.top, linkspremium.ru, premiumlists.ru, Vilogerta.top, interblog.top, interforum.top, premiumlines.top, linespremium.ru, linespremium.pw, blogerslives.com, blogerslines.com, blogspoints.com, blogspoints.ru, filmspoints.com, and 12 other domains
- [SHA-256] – Hash examples for malicious documents and loaders: D39AAA321588E8B1E8FE694732B533BE31C57B60A3C1B7CF73047974606C0C64, EF2CD6B4FD4FBEEDC663F59C5196F63338B9F66242230D15F70CDAEBA3BFDE54, and 6 more hashes
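Matching the indicators above against telemetry needs a little normalisation: the domains are listed in mixed case, feeds often ship them defanged (`cloudlines[.]top`), resolver logs may carry a trailing dot, subdomains of a listed domain should still hit, and EDRs report hashes in either case. The following is an added example written for this page, not the report's own tooling. It uses the domains and the two SHA-256 values shown above (the page elides the rest) and runs over constructed DNS log lines and a constructed file inventory.

```python
"""Match the page's domain and SHA-256 IOCs against constructed log data."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Subset of the IOCs listed on the page; the remainder is elided there too.
IOC_DOMAINS_RAW = [
    "Cloudlines.top", "linkspremium.ru", "premiumlists.ru", "Vilogerta.top", "interblog.top",
    "interforum.top", "premiumlines.top", "linespremium.ru", "linespremium.pw",
    "blogerslives.com", "blogerslines.com", "blogspoints.com", "blogspoints.ru", "filmspoints.com",
]
IOC_SHA256_RAW = [
    "D39AAA321588E8B1E8FE694732B533BE31C57B60A3C1B7CF73047974606C0C64",
    "EF2CD6B4FD4FBEEDC663F59C5196F63338B9F66242230D15F70CDAEBA3BFDE54",
]

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def normalize_domain(name: str) -> str:
    """Lower-case, refang, drop a URL scheme and path, strip a trailing dot."""
    name = _DEFANG.sub(".", name.strip().lower())
    name = re.sub(r"^(hxxps?|https?)://", "", name)
    name = name.split("/")[0]
    return name.rstrip(".")


IOC_DOMAINS: Set[str] = {normalize_domain(d) for d in IOC_DOMAINS_RAW}
IOC_SHA256: Set[str] = {h.strip().lower() for h in IOC_SHA256_RAW}


def domain_hit(fqdn: str, iocs: Set[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC matching fqdn or one of its parent domains, else None.
    The bare TLD is never tried, so 'notcloudlines.top' does not match 'cloudlines.top'."""
    labels = normalize_domain(fqdn).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed resolver log lines in a simple key=value format (not real data).
SAMPLE_DNS_LOG = """\
ts=1 client=10.0.0.5 query=cdn.cloudlines.top type=A
ts=2 client=10.0.0.5 query=update.microsoft.com type=A
ts=3 client=10.0.0.7 query=BLOGSPOINTS.RU. type=A
ts=4 client=10.0.0.9 query=notcloudlines.top type=A
"""

_QUERY = re.compile(r"\bquery=(\S+)")


def scan_dns_log(text: str, iocs: Set[str] = IOC_DOMAINS) -> List[Tuple[int, str, str]]:
    """(line number, queried name as logged, matched IOC) for every line whose query hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _QUERY.search(line)
        if not m:
            continue
        ioc = domain_hit(m.group(1), iocs)
        if ioc:
            hits.append((n, m.group(1), ioc))
    return hits


# Constructed file inventory: path -> SHA-256 as an EDR might report it. The all-zero
# digest is a placeholder for a benign file, not a real hash.
SAMPLE_FILES: Dict[str, str] = {
    r"C:\Users\u\Downloads\invoice.xls": "d39aaa321588e8b1e8fe694732b533be31c57b60a3c1b7cf73047974606c0c64",
    r"C:\Windows\System32\rundll32.exe": "0" * 64,
}


def scan_hashes(files: Dict[str, str], iocs: Set[str] = IOC_SHA256) -> List[str]:
    """Paths whose SHA-256 matches a listed hash, compared case-insensitively."""
    return [path for path, digest in files.items() if digest.strip().lower() in iocs]


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    for path in scan_hashes(SAMPLE_FILES):
        print("hash hit:", path)
```

Suffix matching is deliberate: a C2 host under a listed domain is still a hit, while a lookalike that merely ends in the same string is not, because only whole label boundaries are compared.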