Ursnif

Ursnif (also known as Gozi) is a banking Trojan that generally collects system activity, records keystroke data, and keeps track of network and internet browser activity. It typically archives this sensitive data and sends it back to a command and control server operated by cybercriminals.

In 2015, the Ursnif source code was leaked and made public on Github. This has since given rise to a slew of new variants with new features and functionality.

How Ursnif works

Like many other kinds of malware, Ursnif is typically delivered onto a target system as an email attachment, which is generally a part of a larger malspam or phishing campaign. In the case of Ursnif, early versions often came hidden within Microsoft Office documents laden with malicious macros that would then download the Ursnif payload.

In a much-publicized attack against a branch of the Italian public retirement system, a message was sent which contained a manager’s signature and encouraged all recipients to open an attached excel file. In other reported cases, Ursnif variants were delivered via seemingly legitimate HTML links that triggered downloads of .zip files containing JavaScript. These scripts would then launch separate PowerShell scripts to fetch the Ursnif payload and finalize infection.

Certain versions of Ursnif also contain macros that check native language settings to see which country it is likely being run in. These versions will terminate if they determine they’re being run on a computer with default languages different from those on a predefined list. While some of Ursnif’s most popular targets have included banking institutions in Italy and Japan, countries all over the world have been affected by Ursnif.

According to Microsoft, Urnisf has been an effective information stealer Trojan since at least 2009. It has consistently managed to steal user credentials for mail clients, cloud storage, e-commerce sites, and even cryptocurrency exchanges – all while remaining extremely difficult to detect. Recent versions are also particularly resistant to dynamic analysis techniques, and some variants have even been shown to check for user-inputted mouse movements and to terminate if none are detected.

Autonomous Response to critical malware alerts

VMRay + Palo Alto Networks       JOINT WEBINAR