Ursnif

Date: 2021-09-24

Ursnif (also known as Gozi) is a banking Trojan that generally collects system activity, records keystroke data, and keeps track of network and internet browser activity. It typically archives this sensitive data and sends it back to a command and control server operated by cybercriminals.

In 2015, the Ursnif source code was leaked and made public on Github. This has since given rise to a slew of new variants with new features and functionality.

How Ursnif works

Like many other kinds of malware, Ursnif is typically delivered onto a target system as an email attachment, which is generally a part of a larger malspam or phishing campaign. In the case of Ursnif, early versions often came hidden within Microsoft Office documents laden with malicious macros that would then download the Ursnif payload.

In a much-publicized attack against a branch of the Italian public retirement system, a message was sent which contained a manager’s signature and encouraged all recipients to open an attached excel file. In other reported cases, Ursnif variants were delivered via seemingly legitimate HTML links that triggered downloads of .zip files containing JavaScript. These scripts would then launch separate PowerShell scripts to fetch the Ursnif payload and finalize infection.

Certain versions of Ursnif also contain macros that check native language settings to see which country it is likely being run in. These versions will terminate if they determine they’re being run on a computer with default languages different from those on a predefined list. While some of Ursnif’s most popular targets have included banking institutions in Italy and Japan, countries all over the world have been affected by Ursnif.

According to Microsoft, Urnisf has been an effective information stealer Trojan since at least 2009. It has consistently managed to steal user credentials for mail clients, cloud storage, e-commerce sites, and even cryptocurrency exchanges – all while remaining extremely difficult to detect. Recent versions are also particularly resistant to dynamic analysis techniques, and some variants have even been shown to check for user-inputted mouse movements and to terminate if none are detected.

Get The Latest Update

Subscribe to our newsletter

Keep up to date with our weekly digest of articles. Get the latest news, invites to events, and threat alerts!

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

Ursnif

Get The Latest Update

Subscribe to our newsletter

Table of Contents

Share With Others:

You May Also Like:

Subscribe to our Newsletter:

Solutions

Products

Why VMRay

Resources

Missed the headlines?

We’re featured in:

ThreatFeed

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Malware Analysis Reports

cybersecurity glossary

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

Tech Insights Deep Dive of April: Detection Strategies & Operational Excellence

Tech Insights Deep Dive of April:
Detection Strategies & Operational Excellence