Summary
Ursnif malware, also known as Gozi, is one of the most widely spread banking Trojans. The malware's source code was leaked in 2015 and made publicly available on GitHub, which enabled other malware authors to add new features and allowed different threat actors to develop the code further. Ursnif can collect the victim's system activity, record keystrokes, and keep track of network/browser activity. It archives the collected data before sending it to the C&C server.
Ursnif malware is effectively delivered through malicious spam campaigns. The spam attachment is a Microsoft Office document that instructs the user to enable macros. One of the new Ursnif campaigns takes advantage of INPS (Istituto Nazionale Previdenza Sociale), an entity of the Italian public retirement system. An email circulated with the manager's signature, encouraging the recipient to open the attached Excel file. Once opened, it requests a password (indicated in the email content) and contacts the URL contained within. From that URL, a DLL is downloaded to the victim's machine, at which point the malware infects the system.
Behaviour
- Steals computer data, computer name, system locale, operating system (OS) version and running processes
- Steals user credentials, financial and banking information
- Able to communicate with C&C server to download additional malware components
- Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information
Capabilities
Impact
- Financial Loss - steals banking, digital wallets and cryptocurrency information
- Violation of user privacy - gathers user credentials on various applications, logs keystrokes and steals user information
- Regional Impact (October 2020)
| REGION | EUROPE | JAPAN | AMERICAS | APAC | N-ASIA | AMEA |
|---|---|---|---|---|---|---|
| CUSTOMER CASE COUNT | 154 | 2 | 1 | 36 | - | - |

| REGION | EMEA | JAPAN | NABU | LAR | APAC |
|---|---|---|---|---|---|
| SPN VSAPI FEEDBACK | 1,240 | 5,416 | 514 | 42 | 2,940 |
Additional Threat Reference Information
Sample Spam

Sample Attachment


Infection Chain

MITRE ATT&CK Matrix
| BEHAVIOR | TACTIC | TECHNIQUE |
|---|---|---|
| Malware arrives as a weaponized Office document | Initial Access | T1566.001 Phishing: Spearphishing Attachment |
| Victim is lured into opening the attachment and enabling the malicious macro | Execution | T1204 User Execution |
| Downloaded document has obfuscated macros to hide the URLs hosting the malware | Defense Evasion | T1027 Obfuscated Files or Information |
| Macro-enabled document downloads and executes the malicious DLL file using rundll32.exe | Execution; Persistence | T1059.005 Command and Scripting Interpreter: Visual Basic; T1543.003 Create or Modify System Process: Windows Service |
| Connects to C&C server; requests a remote executable file from MS Office | Command and Control | T1071.001 Application Layer Protocol: Web Protocols |
| Steals user information and credentials | Discovery; Collection | T1007 System Service Discovery; T1057 Process Discovery; T1082 System Information Discovery; T1056.004 Input Capture: Credential API Hooking; T1005 Data from Local System; T1113 Screen Capture; T1185 Man in the Browser |
| Sends stolen information to C&C server | Exfiltration | T1041 Exfiltration Over C2 Channel |
| Able to transfer or download additional components from C&C | Command and Control | T1105 Ingress Tool Transfer |
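A defender-side check for the macro-to-rundll32.exe step in the infection chain above, as an added example that is not from the original report: it scans constructed Sysmon-style process-creation records and flags rundll32.exe spawned by an Office application, raising the severity when the DLL sits in a user-writable directory. The field names, the sample paths and the DllRegisterServer export are assumptions made for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed process-creation records in a simplified Sysmon-style shape.
# Sample data made up for this example; not telemetry from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\inps.dll,DllRegisterServer"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\setup.dll,Install"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Directories a macro can write to without elevation; a DLL loaded from one of
# these is the strong signal for the "download DLL, run via rundll32.exe" step.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public|programdata)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """'medium': an Office app spawned rundll32.exe at all.
    'high':   ...and rundll32 is pointed at a DLL in a user-writable path.
    None:     nothing matching this page's infection chain."""
    if basename(event["ParentImage"]) not in OFFICE_APPS:
        return None
    if basename(event["Image"]) != "rundll32.exe":
        return None
    if USER_WRITABLE.search(event["CommandLine"]):
        return "high"
    return "medium"


def detect(events: List[dict]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (severity, command line) hits."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["CommandLine"]))
    return hits
```

Ordinary Office-to-rundll32 launches still surface as medium hits, so tune the parent list and path pattern against a baseline of your own endpoints before alerting on them.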