URSNIF malware still making new waves

Product / Version includes:

OfficeScan XG , Apex One 2019 , Deep Discovery Inspector All , Worry-Free Business Security Standard 10.0 , ScanMail for Exchange 14.0 , Deep Security 12.0 , Deep Discovery Email Inspector All

Last updated: 2025/05/08

Solution ID: KA-0011290

Category: Remove a Malware / Virus

Summary

Ursnif malware, also known as Gozi, is one of the most widely spread banking Trojan. The malware's source code was leaked in 2015 and made publicly available in Github which enabled other malware authors to add new features and make further development of the code by different threat actors. Ursnif can collect system activity of the victims, record keystrokes, and keep track of network/ browser activity. It archives the collected data before sending it to the C&C server.

Ursnif malware is effectively delivered through malicious spam campaigns. This spam attachment is a Microsoft office document that instructs the user to enable macro. One of the new campaigns of Ursnif is taking advantage of INPS (Instituto Nazionale Previdenza Sociale), an entity of the Italian public retirement system. An email circulated with the manager’s signature and encouraging the recipient to open the attached excel file. Once opened it requests password (indicated on the email content) and contacts the URL contained within. From that URL, a DLL is downloaded to the victim’s machine, which at that point the malware spreads to infect the system.

Behaviour

Steals computer data, computer name, system local, operating system (OS) version and running processes  
Steals user credentials, financial and banking information
Able to communicate with C&C server to download additional malware components
Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information

Capabilities

Information Theft

Impact

Financial Loss - steals banking, digital wallets and cryptocurrency information
Violation of user privacy - gathers user credentials on various applications, logs keystroke and steals user information
Regional Impact (October 2020)

REGION EUROPE JAPAN AMERICAS APAC N-ASIA AMEA
CUSTOMER CASE COUNT 154 2 1 36 - -
REGION EMEA JAPAN NABU LAR APAC
SPN VSAPI FEEDBACK 1,240 5,416 514 42 2,940

REGION	EUROPE	JAPAN	AMERICAS	APAC	N-ASIA	AMEA
CUSTOMER CASE COUNT	154	2	1	36	-	-
REGION	EMEA	JAPAN	NABU	LAR	APAC
SPN VSAPI FEEDBACK	1,240	5,416	514	42	2,940

Additional Threat Reference Information

Sample Spam

Sample Attachment

cid:image002.png@01D6B2C3.AC998F40
cid:image003.png@01D6B2C3.AC998F40

Infection Chain

cid:image004.png@01D6B2BF.434596A0

MITRE ATT&CK Matrix

BEHAVIOR	TACTIC	TECHNIQUE
Malware arrives as a weaponized Office document	Initial Access	T1566.001 Phishing: Spearphishing Attachment
Victim is lured into opening the attachment and enabling malicious macro	Execution	T1204 User Execution
Downloaded document has obfuscated macros to hide URLs hosting the malware	Defense Evasion	T1027 Obfuscated Files or Information
Macro-enabled document will download and execute the malicious DLL file using rundll32.exe	Execution Persistence	T1059.005 Command and Scripting Interpreter: Visual Basic T1543.003 Create or Modify System Process: Windows Service
Connects to C&C server; Requests a remote executable file from MS Office	Command And Control	T1071.001 Application Layer Protocol: Web Protocols
Steals user information and credentials	Discovery Collection	T1007 System Service Discovery T1057 Process Discovery T1082 System Information Discovery T1056.004 Input Capture: Credential API Hooking T1005 Data from Local System T1113 Screen Capture T1185 Man in the Browser
Send stolen information to C&C server	Exfiltration	T1041 Exfiltration Over C2 Channel
Able to transfer or download additional components from C&C	Command And Control	T1105 Ingress Tool Transfer

Available Solutions

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
Email Protection	Yes	AS Pattern 5762	November 1, 2020	-
URL Protection	Yes	In the Cloud	-	-
Advanced Threat Scan Engine (ATSE)	Yes	16.327.00	November 2, 2020	-
Predictive Learning (TrendX)	Yes	In the Cloud	-	Troj.Win32.TRX.XXPE50FFF037
File detection (VSAPI)	Yes	ENT OPR 16.327.00	November 2, 2020	Trojan.W97M.URSNIF.BF Trojan.X97M.URSNIF.AYST Trojan.XF.URSNIF.FAIL Trojan.XF.URSNIF.FAIM TrojanSpy.Win32.URSNIF.TIABOEFW
Network Pattern	Yes	-	-	DDI RULE 1822 DDI RULE 2007 DDI RULE 2185 DDI RULE 2761

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

URSNIF malware still making new waves

URSNIF malware still making new waves

Product / Version includes:

Summary