Ursnif Malware

What Is Ursnif Malware?

Ursnif malware (AKA Gozi, Gozi-ISFB, Dreambot, Papras, and snifula) is classified as a banking trojan, stealer, and spyware and was ranked 2020’s second-most active strain of malware, responsible for more than 30 percent of malware detections. Ursnif’s multi-decade lifespan—it first appeared in 2000—makes it one of the oldest malware families. Frequent public source code disclosures have also made it one of the most-forked malware strains. The Ursnif family of malware includes a growing number of highly effective variants with a wide array of modular features. In 2021 Ursnif was highlighted as a top malware strain of concern by the U.S. government’s CISA.

Ursnif Timeline

2000: Ursnif is attributed to the infamous Russian malware developer Alexey Ivanov (AKA subbsta)

2006: Ursnif stealer capabilities were combined with botnet and command and control (C2) functions from the malware Nuclear Grabber to create Gozi

2010: New version Gozi-ISFB emerges from leaked Gozi source code and becomes the dominant Ursnif strain

2014: Dreambot, an Ursnif variant that allows operation over the TOR network, emerges and remains popular until 2020

2014: Vawtrak (AKA Catch, grabnew, NeverQuest) appears. Though based on the original Gozi code, it is forked extensively into a successful banking trojan with VNC remote desktop access to surveil targets and steal data, as well as sophisticated web injects to steal session credentials and MFA tokens from users logging into banking and crypto sites

2016: GozNym banking malware combines the stealth of malware strain Nymaim and the capabilities of Ursnif’s Gozi-ISFB strain. In 2019, it instigated an unprecedented international law enforcement operation by Europol

2020: LOLsnif (AKA Goziat), named for its “Living Off the Land” detection evasion technique, increases Ursnif’s prominence

Ursnif’s first-stage tactics to gain initial access are similar to those of other malware strains, including email attachments, malicious websites, and trojanized applications. A recent successful Ursnif campaign involved a particularly crafty and notable technique: using stolen email credentials to inject spear-phishing replies into ongoing conversations. These injected messages direct recipients to open a malicious attachment that executes Ursnif’s second-stage payload.

Ursnif’s initial access payloads usually require the target to enable Microsoft Office macros, which allows a pre-compiled executable to be fetched from an attacker-controlled server and executed on the target’s system. The second-stage process begins with Ursnif stealing any user credentials it can find, connecting to a command-and-control (C2) server, and downloading and installing additional second-stage modules.

Recent versions of Ursnif attempt to evade detection using a technique called LOLBins (short for Living Off the Land Binaries) that leverages native Windows software tools (e.g., powershell.exe, mshta.exe) to achieve its goals rather than importing tools. To increase stealth, newer versions of Ursnif link to Google Drive URLs to avoid using blocked domain names or IP addresses that security products would recognize. Ursnif also uses password-protected ZIP files, ensuring its payload is encrypted as it enters the network, to evade less sophisticated security products.
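The macro-to-LOLBin chain described above (an Office document whose macro launches powershell.exe or mshta.exe to fetch a second stage) shows up in endpoint telemetry as a parent/child process relationship. The following is an added example, not code from this page or from any vendor product: a Python check over constructed Sysmon-style process-creation records that flags an Office application spawning a LOLBin and extracts any URL carried on the command line. The record format, the LOLBin names beyond the two the page mentions, and all sample values are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts that should rarely spawn scripting or LOLBin children (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Native Windows binaries the page names (powershell.exe, mshta.exe) plus common relatives.
LOLBINS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    reason: str
    url: Optional[str]  # remote stage-2 location, when the command line carries one


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=Value|Key=Value' record format used below."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def analyze(event: dict) -> Optional[Finding]:
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in LOLBINS:
        m = URL_RE.search(event.get("CommandLine", ""))
        return Finding(int(event["ProcessId"]), f"{parent} spawned {child}", m.group(0) if m else None)
    return None


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze(parse_event(l)) for l in lines) if f is not None]


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    "ProcessId=4120|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta.exe https://drive.google.com/uc?id=CONSTRUCTED",
    "ProcessId=4188|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\splwow64.exe|CommandLine=splwow64.exe 12288",
    "ProcessId=5012|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -NoProfile",
    "ProcessId=5304|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -w hidden -c <args elided> http://198.51.100.7/stage2.exe",
]
```

Running scan(SAMPLE_EVENTS) flags only the two Office-spawned LOLBins; the benign print helper and the user-launched PowerShell are left alone.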

Ursnif’s Modular Capabilities

  • Information gathering and credential harvesting from popular email, browsers, and FTP clients
  • Surveilling and stealing user keystrokes, screenshots, and clipboard data
  • Intercepting and modifying browser traffic by inserting extra code (i.e., web injects) into popular banking and crypto exchange websites to harvest credentials, including multi-factor authentication (MFA) tokens, and to hijack user accounts
  • Uploading and downloading files to and from a compromised system
  • Establishing VNC remote desktop access using a SOCKS-based connection for surveillance and remote access
  • Domain generation algorithms (DGA) that dynamically create domain names and use them for C2 to avoid identification and blocking

Signs of an Ursnif Attack

Recently Ursnif has been successfully delivered in campaigns with grammatically correct, professional-sounding spam content that demonstrates a reasonable level of knowledge regarding local policies to bait citizens of individual nation-states such as Poland, Italy, and Japan. The campaigns have targeted the finance industry by appearing to have important information related to changing tax policies or other regulatory implications.

From a more technical perspective, known Ursnif domain names, IP addresses, and malware file hashes can be used to detect the malware as it enters a network. However, these signature-based detection methods have known limitations for detecting novel strains of malware, and more recent versions of Ursnif use DGA to prevent their C2 domains and IP addresses from being recognized.
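To show why exact-match indicators fall short against DGA-generated C2 domains, here is an added example (not from this page): a Python triage of a constructed DNS query log that compares a static blocklist lookup with a character-statistics heuristic on the registered label. The log format, blocklist entry, domain names and thresholds are all constructed assumptions, and the thresholds are illustrative rather than tuned.

```python
import math
from collections import Counter

# Constructed static indicator list standing in for a signature feed.
BLOCKLIST = {"known-bad.example"}


def registered_label(fqdn):
    """Label left of the TLD, e.g. 'google' for 'mail.google.com'."""
    parts = fqdn.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def features(fqdn):
    label = registered_label(fqdn)
    n = max(len(label), 1)
    return {"length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
            "digit_ratio": sum(ch.isdigit() for ch in label) / n}


def is_dga_like(fqdn):
    """Thresholds chosen for this example; tune against your own DNS baseline."""
    f = features(fqdn)
    return (f["length"] >= 10 and f["entropy"] > 3.2
            and (f["vowel_ratio"] < 0.25 or f["digit_ratio"] > 0.1))


def triage(log_lines):
    """Each constructed line ends with the queried name; returns (fqdn, on_blocklist, dga_like)."""
    rows = []
    for line in log_lines:
        fqdn = line.split()[-1]
        rows.append((fqdn, fqdn in BLOCKLIST, is_dga_like(fqdn)))
    return rows


# Constructed DNS query log (not real telemetry).
SAMPLE_DNS_LOG = [
    "2024-03-01T09:12:01Z 10.0.0.5 query mail.google.com",
    "2024-03-01T09:12:03Z 10.0.0.5 query login.microsoftonline.com",
    "2024-03-01T09:12:07Z 10.0.0.5 query bankofexample.com",
    "2024-03-01T09:12:09Z 10.0.0.5 query kdjhf7qwe9rlzx.com",
    "2024-03-01T09:12:11Z 10.0.0.5 query xq7lprtvwmzkd.net",
    "2024-03-01T09:12:15Z 10.0.0.5 query known-bad.example",
]
```

The blocklist catches only the one name it already knows, while the heuristic flags the two random-looking labels it has never seen; long legitimate labels such as microsoftonline pass because their vowel ratio is normal.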

How to Prevent an Ursnif Attack

The most effective tactics for preventing an Ursnif attack are similar to those for defending against other strains of malware that use common first-stage attack vectors, such as phishing with trojanized Microsoft Office documents and stolen credentials.

  • Enforce multi-factor authentication for all critical services—especially online banking and cryptocurrency accounts
  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
  • Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
  • Install and configure endpoint security products that will scan encrypted documents immediately after they are unencrypted
  • Implement Zero Trust solutions wherever possible, giving priority to critical systems
  • Ensure Office applications are configured with the “Disable all macros without notification” or “Disable all except digitally signed macros” setting

CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our Endpoint Detection and Response (EDR) approach effectively eliminates response latency. It can be the difference between a minor security incident and a widespread, uncontrolled event.