Ursnif - Demystifying the capabilities and activities of this powerful trojan

• Ursnif is a banking trojan that was discovered in 2007.
• The malware was primarily designed to steal banking information from compromised Windows computers in English speaking countries.

Ursnif, also known as Dreambot or Gozi trojan, has upped its ante in the cyber threat landscape. The powerful trojan has been spotted in various attack campaigns. The malware authors are continuously working on enhancing the capabilities of the malware in order to make it work beyond just stealing victims’ banking credentials.

Discovery - Ursnif is a banking trojan that was discovered in 2007. The malware was primarily designed to steal banking information from compromised Windows computers in English speaking countries.

Propagation - The malware variant can spread to connected networks and removable drives by injecting code into one of the following processes such as chrome.exe, explorer.exe, firefox.exe, iexplorer.exe, opera.exe, safari.exe and services.exe.

Once the code is injected, it searches for specific file types - such as .exe, .pdf and .msi - to carry forward the infection process. The malware is can also copy itself on the removable drive with the file name temp.exe.

Lately, the malware authors are distributing the trojan via email. To make the emails appear legitimate, they use the sender and recipient addresses harvested from previously compromised Ursnif victims.

Capabilities - A successful attack by Ursnif trojan can enable attackers to gain complete remote access to the affected systems. The trojan is capable of conducting other nefarious activities such as capturing screenshots, stealing & clearing cookies, stealing certificates, rebooting machines, stealing a log file that contains user information, terminating process and downloading other malicious payloads.

Among its other capabilities, the trojan also collects the user’s PC information such as installed drivers, programs and a list running services. The trojan attempts to steal passwords and credentials that are stored using protected storage. It also attempts to collect credentials for cloud storage, webmail and cryptocurrency exchanges. To do this, it takes screenshots, logs keystrokes and exfiltrates certificates.

Variants - Several variants of Gozi trojan have been observed over the years.

• In 2016, researchers from Proofpoint observed a new version of Ursnif trojan was using servers hosted on the Tor anonymous network to hide its command and control infrastructure.
• In November, 2017, Ursnif v3 was found targeting Australian bank customers with redirection attacks. The version3 of the malware was initially spotted around August 2017.
• Another variant of Ursnif trojan was detected in November, 2017. The new Ursnif variant was found employing a malicious TLS callback technique to achieve process injection.
• In June, 2018, a new version of the infamous Ursnif trojan was detected infecting Italian companies via Necurs botnet.

In February 2019, a new wave of Ursnif attack was observed against Italian companies. For the attack, the cybercriminals used both steganography and AtomBombing tactics to distribute the malware.

Given the extensive capabilities of the Ursnif trojan, it is believed that attackers will continue to evolve the malware and use it for more sophisticated attacks.