URSNIF malware still making new waves

    • Updated:
    • 18 Dec 2020
    • Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector All
    • Deep Discovery Inspector All
    • Deep Security 12.0
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Standard 10.0
    • Platform:
Summary

Ursnif malware, also known as Gozi, is one of the most widely spread banking Trojans. Its source code was leaked in 2015 and made publicly available on GitHub, which let other threat actors add new features and develop the code further. Ursnif can collect the victim's system activity, record keystrokes, and track network and browser activity. It archives the collected data before sending it to the C&C server.

Ursnif is delivered mainly through malicious spam campaigns. The spam attachment is a Microsoft Office document that instructs the user to enable macros. One recent Ursnif campaign abuses the name of INPS (Istituto Nazionale Previdenza Sociale), the agency that runs the Italian public pension system. The email carries a manager's signature and encourages the recipient to open the attached Excel file. Once opened, the workbook asks for a password (given in the email body); because the file is encrypted, a mail gateway that does not know the password cannot inspect the macro inside it. After the password is entered, the macro contacts the URL embedded in the document, a DLL is downloaded from that URL to the victim's machine, and the malware then infects the system.

Behaviour

  • Steals computer data: computer name, system locale, operating system (OS) version and running processes
  • Steals user credentials, financial and banking information
  • Able to communicate with C&C server to download additional malware components
  • Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information

Capabilities

  • Information Theft

Impact

  • Financial Loss - steals banking, digital wallet and cryptocurrency information
  • Violation of user privacy - gathers user credentials for various applications, logs keystrokes and steals user information
  • Regional Impact (October 2020)
    Region: Europe / Japan / Americas / APAC / N-Asia / AMEA
    Customer case count: 1542136--
    Region: EMEA / Japan / NABU / LAR / APAC
    SPN VSAPI feedback: 1,2405,416514422,940

Additional Threat Reference Information

Sample Spam

Sample Attachment


Infection Chain


MITRE ATT&CK Matrix

BEHAVIOR | TACTIC | TECHNIQUE
Malware arrives as a weaponized Office document | Initial Access | T1566.001 Phishing: Spearphishing Attachment
Victim is lured into opening the attachment and enabling the malicious macro | Execution | T1204 User Execution
Attached document has obfuscated macros to hide the URLs hosting the malware | Defense Evasion | T1027 Obfuscated Files or Information
Macro-enabled document downloads and executes the malicious DLL file using rundll32.exe | Execution; Persistence | T1059.005 Command and Scripting Interpreter: Visual Basic; T1543.003 Create or Modify System Process: Windows Service
Connects to C&C server; requests a remote executable file from MS Office | Command And Control | T1071.001 Application Layer Protocol: Web Protocols
Steals user information and credentials | Discovery; Collection | T1007 System Service Discovery; T1057 Process Discovery; T1082 System Information Discovery; T1056.004 Input Capture: Credential API Hooking; T1005 Data from Local System; T1113 Screen Capture; T1185 Man in the Browser
Sends stolen information to C&C server | Exfiltration | T1041 Exfiltration Over C2 Channel
Able to transfer or download additional components from C&C | Command And Control | T1105 Ingress Tool Transfer
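The execution step in the table above (an Office macro fetching a DLL and launching it through rundll32.exe) is the point in the chain that is easiest to catch in endpoint telemetry, because rundll32.exe is almost never a legitimate child of Excel or Word. The following detector is an added example written for this article; it is not Trend Micro code and not a product rule. It assumes process-creation events in Sysmon Event ID 1 field naming (Image, ParentImage, CommandLine, ProcessId) flattened to dicts, and the sample events, file paths, user name and PIDs are constructed for illustration. It raises the alert one level when the DLL is loaded from a user-writable directory, which is where a macro without elevation has to drop it.

```python
"""Detect rundll32.exe spawned by an Office host loading a DLL (Ursnif delivery chain).

Added example for this article, not Trend Micro's code. Field names follow
Sysmon Event ID 1; the sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Office hosts in which a weaponized document would be opened.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Directories a macro can write to without elevation. A DLL dropped here and
# handed to rundll32 is far more suspicious than one under System32.
USER_WRITABLE = re.compile(
    r"(?i)^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\"
)

# First argument of rundll32, with or without surrounding quotes, up to the
# comma that separates the DLL path from the export name.
RUNDLL32_DLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.IGNORECASE)


@dataclass
class Alert:
    pid: int
    reason: str
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_from_office(event: Dict[str, object]) -> Optional[Alert]:
    """Return an Alert when rundll32.exe is a direct child of an Office host."""
    image = _basename(str(event.get("Image", "")))
    parent = _basename(str(event.get("ParentImage", "")))
    if image != "rundll32.exe" or parent not in OFFICE_HOSTS:
        return None
    cmd = str(event.get("CommandLine", ""))
    match = RUNDLL32_DLL_ARG.search(cmd)
    dll = match.group(1) if match else ""
    if USER_WRITABLE.match(dll):
        reason = f"rundll32 spawned by {parent} loading DLL from user-writable path"
    else:
        reason = f"rundll32 spawned by {parent}"
    return Alert(pid=int(str(event.get("ProcessId", 0))), reason=reason, cmdline=cmd)


def scan(events: Iterable[Dict[str, object]]) -> List[Alert]:
    """Run the detector over a stream of process-creation events."""
    return [a for a in (rundll32_from_office(e) for e in events) if a is not None]


# Constructed sample telemetry (hypothetical host, user and paths).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # macro-launched DLL from the user's temp directory: high-confidence hit
        "ProcessId": 4120,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'rundll32.exe "C:\Users\mrossi\AppData\Local\Temp\inps.dll",DllRegisterServer',
    },
    {   # benign: Explorer opening a Control Panel applet via rundll32
        "ProcessId": 5004,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    {   # Word spawning rundll32 with a system DLL: still unusual, lower confidence
        "ProcessId": 5320,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"rundll32.exe C:\Windows\System32\zipfldr.dll,RouteTheCall",
    },
    {   # Excel spawning cmd.exe: out of scope for this rule
        "ProcessId": 5500,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": "cmd.exe /c whoami",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"PID {alert.pid}: {alert.reason}\n    {alert.cmdline}")
```

The parent/child pairing is the signal; the path check only ranks the alert. Tuning will be needed on hosts where add-ins legitimately call rundll32, and the rule does not cover the case where the macro launches an intermediate process (cmd.exe, PowerShell) that in turn runs rundll32, so pair it with a parent-chain check in production.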
Details

Available Solutions

Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules
Email Protection | Yes | AS Pattern 5762 | November 1, 2020 | -
URL Protection | Yes | In the Cloud | - | -
Advanced Threat Scan Engine (ATSE) | Yes | 16.327.00 | November 2, 2020 | -
Predictive Learning (TrendX) | Yes | In the Cloud | - | Troj.Win32.TRX.XXPE50FFF037
File detection (VSAPI) | Yes | ENT OPR 16.327.00 | November 2, 2020 | Trojan.W97M.URSNIF.BF; Trojan.X97M.URSNIF.AYST; Trojan.XF.URSNIF.FAIL; Trojan.XF.URSNIF.FAIM; TrojanSpy.Win32.URSNIF.TIABOEFW
Network Pattern | Yes | - | - | DDI RULE 1822; DDI RULE 2007; DDI RULE 2185; DDI RULE 2761
Category: Remove a Malware / Virus
Solution Id: 000283513