What Is Ursnif Malware?
- 2000: Ursnif is attributed to the infamous Russian malware developer Alexey Ivanov (AKA subbsta)
- 2006: Ursnif’s stealer capabilities are combined with the botnet and command and control (C2) functions of the Nuclear Grabber malware to create Gozi
- 2010: A new version, Gozi-ISFB, emerges from leaked Gozi source code and becomes the dominant Ursnif strain
- 2014: Dreambot, an Ursnif variant that can operate over the TOR network, emerges and remains popular until 2020
- 2014: Vawtrak (AKA Catch, grabnew, NeverQuest) appears. Though based on the original Gozi code, it is forked extensively into a successful banking trojan with VNC remote desktop access to surveil targets and steal data, as well as sophisticated web injects to steal session credentials and MFA tokens from users logging into banking and crypto sites
- 2016: GozNym banking malware combines the stealth of the Nymaim malware strain with the capabilities of Ursnif’s Gozi-ISFB strain. In 2019, it prompted an unprecedented international law enforcement operation by Europol
- 2020: LOLsnif (AKA Goziat), named for its “Living Off the Land” detection evasion technique, increases Ursnif’s prominence
Ursnif’s first-stage tactics to gain initial access are similar to those of other malware strains, including email attachments, malicious websites, and trojanized applications. A recent successful Ursnif campaign involved a particularly crafty and notable technique: using stolen email credentials to inject spear phishing replies into ongoing conversations. These injected messages direct recipients to open a malicious attachment that executes Ursnif’s second-stage payload.
Ursnif’s initial access payloads usually require the target to enable Microsoft Office macros, which allows a pre-compiled executable to be fetched from an attacker-controlled server and executed on the target’s system. The second-stage process begins with Ursnif stealing any user credentials it can find, connecting to a command-and-control (C2) server, and downloading and installing additional second-stage modules.
Recent versions of Ursnif attempt to evade detection using a technique called LOLBins (short for Living Off the Land Binaries), which leverages native Windows tools (e.g., powershell.exe, mshta.exe) to achieve its goals rather than bringing in tools of its own. To increase stealth, newer versions of Ursnif link to Google Drive URLs instead of attacker-owned domain names or IP addresses that security products would already recognize and block. Ursnif also uses password-protected ZIP files, ensuring its payload is encrypted as it enters the network, which lets it evade less sophisticated security products that cannot inspect the archive.
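As an added example (not code from the article or from any vendor product), the following Python script applies the parent/child process rule implied by this description to constructed, Sysmon-style process-creation events: an Office application launching one of the named LOLBins, or one LOLBin handing off to another. The file paths, host names and the Google Drive URL in the sample events are assumptions.

```python
"""Flag Office-to-LOLBin process launches in constructed process-creation logs (added example)."""
import json
import ntpath
import re

# The binaries the article names (powershell.exe, mshta.exe) plus other commonly abused LOLBins.
LOLBINS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed events shaped loosely like Sysmon process-creation records (one JSON object per line).
SAMPLE_EVENTS = [
    r'{"ts": "2023-05-02T09:14:01Z", "host": "ws01", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe https://drive.google.com/uc?id=EXAMPLE_ID"}',
    r'{"ts": "2023-05-02T09:14:05Z", "host": "ws01", "parent": "C:\\Windows\\System32\\mshta.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -File C:\\Users\\Public\\stage2.ps1"}',
    r'{"ts": "2023-05-02T09:20:11Z", "host": "ws02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe Get-Process"}',
    r'{"ts": "2023-05-02T09:21:40Z", "host": "ws01", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe 12288"}',
]

def image_name(path):
    """Lower-cased file name from a Windows path; ntpath handles backslashes on any host OS."""
    return ntpath.basename(path).lower()

def evaluate(event):
    """Return an alert dict for a suspicious parent/child pair, else None."""
    parent, child = image_name(event["parent"]), image_name(event["image"])
    if child not in LOLBINS:
        return None
    if parent in OFFICE_APPS:
        rule = "office_spawns_lolbin"     # the macro-launch chain the article describes
    elif parent in LOLBINS:
        rule = "lolbin_chain"             # e.g. mshta.exe handing off to powershell.exe
    else:
        return None                       # powershell under explorer.exe is routine admin use
    urls = URL_RE.findall(event.get("cmdline", ""))
    return {"rule": rule, "host": event["host"], "ts": event["ts"],
            "parent": parent, "child": child, "urls": urls}

def scan(lines):
    """Parse one JSON event per line and keep only the events that fire a rule."""
    return [a for a in (evaluate(json.loads(line)) for line in lines) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the first two events fire (Word launching mshta.exe with a Google Drive URL, then mshta.exe launching PowerShell) while the explorer.exe and splwow64.exe events are ignored.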
Ursnif’s Modular Capabilities
- Information gathering and credential harvesting from popular email clients, browsers, and FTP clients
- Surveilling and stealing user keystrokes, screenshots, and clipboard data
- Intercepting and modifying browser traffic by inserting extra code (i.e., web injects) into popular banking and crypto exchange websites to harvest credentials, including multi-factor authentication (MFA) tokens, and to hijack user accounts
- Uploading and downloading files to and from a compromised system
- Establishing VNC remote desktop access using a SOCKS-based connection for surveillance and remote access
- Domain generation algorithms (DGA) that dynamically create domain names and use them for C2 to avoid identification and blocking
Signs of an Ursnif Attack
Recently, Ursnif has been delivered successfully in campaigns whose spam content is grammatically correct and professional-sounding and shows a reasonable knowledge of local policies, baiting citizens of individual nation-states such as Poland, Italy, and Japan. The campaigns have targeted the finance industry with lures that appear to carry important information about changing tax policies or other regulatory developments.
From a more technical perspective, known Ursnif C2 domain names, IP addresses, and malware file hashes can be used to detect the malware as it enters a network. However, these signature-based detection methods have known limitations against novel strains of malware; more recent versions of Ursnif use DGA to keep their C2 domains and IP addresses from being identified and blocked ahead of time.
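To illustrate the gap described above and the DGA capability listed earlier, here is an added Python example (not from the article) that checks a constructed DNS query log against a static blocklist and then scores the remaining names with a simple randomness heuristic of the kind used to spot DGA-generated domains. The blocklist entry, the log lines, and the scoring weights and thresholds are all assumptions.

```python
"""Heuristic DGA scoring over a constructed DNS query log (added example, not from the article)."""
import math
from collections import Counter

# A static blocklist only catches C2 domains already known; the entry here is a constructed placeholder.
KNOWN_BAD = {"bad-example-c2.test"}

# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2023-05-02T09:14:03Z 10.0.0.21 drive.google.com A
2023-05-02T09:14:09Z 10.0.0.21 xkqzvbtwpqmlrhd.com A
2023-05-02T09:14:10Z 10.0.0.21 bad-example-c2.test A
2023-05-02T09:15:30Z 10.0.0.33 microsoftonline.com A
2023-05-02T09:16:02Z 10.0.0.21 pq7z9xk2lmv4hbtn.net A
"""

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable_label(qname):
    # Crude: the label left of the TLD; a real deployment would consult the public suffix list.
    return qname.lower().rstrip(".").split(".")[-2]

def dga_score(label):
    """Weighted heuristic in [0, 1]; weights and thresholds are assumptions tuned on this sample."""
    if len(label) < 7:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = 0.4 if shannon_entropy(label) >= 3.5 else 0.0  # near-uniform character mix
    score += 0.3 if vowel_ratio < 0.25 else 0.0             # unpronounceable
    score += 0.2 if len(label) >= 12 else 0.0               # unusually long label
    score += 0.1 if digit_ratio > 0.2 else 0.0              # digits mixed into letters
    return round(score, 2)

def classify(qname, threshold=0.7):
    """Blocklist first (known C2), then the heuristic for names no signature has seen."""
    if qname.lower() in KNOWN_BAD:
        return "blocklisted", 1.0
    score = dga_score(registrable_label(qname))
    return ("dga_suspect" if score >= threshold else "ok"), score

def scan(log_text):
    """Return (qname, verdict, score) for every logged query that is not plainly ok."""
    names = [line.split()[2] for line in log_text.splitlines()]   # fields: ts client qname qtype
    scored = [(q,) + classify(q) for q in names]
    return [t for t in scored if t[1] != "ok"]
```

The legitimate but long name microsoftonline.com scores only 0.2 and is left alone, while the two random-looking labels are flagged without appearing on any blocklist.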
How to Prevent an Ursnif Attack
The most effective tactics for preventing an Ursnif attack are similar to those for defending against other strains of malware that use common first-stage attack vectors, such as phishing with trojanized Microsoft Office documents and stolen credentials.
- Enforce multi-factor authentication for all critical services—especially online banking and cryptocurrency accounts
- Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
- Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
- Install and configure endpoint security products that will scan encrypted documents immediately after they are unencrypted
- Implement Zero Trust solutions wherever possible, giving priority to critical systems
- Ensure Office applications are configured with the “Disable all macros without notification” or “Disable all except digitally signed macros” setting