S0386 Ursnif

Ursnif is a banking trojan and a variant of the Gozi malware, observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[2][3] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[1]
| Item | Value |
|---|---|
| ID | S0386 |
| Associated Names | Gozi-ISFB, PE_URSNIF, Dreambot |
| Type | MALWARE |
| Version | 1.4 |
| Created | 04 June 2019 |
| Last Modified | 22 March 2023 |

Associated Software Descriptions

| Name | Description |
|---|---|
| Gozi-ISFB | [4][3] |
| PE_URSNIF | [1] |
| Dreambot | [2][3] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Ursnif has used HTTPS for C2.[1][4][3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ursnif has used Registry Run keys to establish automatic execution at system startup.[7][6] |
| enterprise | T1185 | Browser Session Hijacking | Ursnif has injected HTML code into banking sites to steal sensitive online banking information (e.g., usernames and passwords).[6] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[5] |
| enterprise | T1059.005 | Visual Basic | Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.[5] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.[7] |
| enterprise | T1132 | Data Encoding | Ursnif has used encoded data in HTTP URLs for C2.[3] |
| enterprise | T1005 | Data from Local System | Ursnif has collected files from victim machines, including certificates and cookies.[6] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Ursnif has used tmp files to stage gathered information.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[3] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Ursnif has used a DGA to generate domain names for C2.[3] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Ursnif has used HTTP POSTs to exfiltrate gathered information.[1][4][3] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Ursnif droppers have used COM properties to execute malware in hidden windows.[5] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Ursnif has deleted data staged in tmp files after exfiltration.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[7][6] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.004 | Credential API Hooking | Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.[1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | Ursnif droppers have used COM objects to execute the malware's full executable payload.[5] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[1] |
| enterprise | T1112 | Modify Registry | Ursnif has used Registry modifications as part of its installation routine.[6][3] |
| enterprise | T1106 | Native API | Ursnif has used CreateProcessW to create child processes.[4] |
| enterprise | T1027 | Obfuscated Files or Information | Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[3] Ursnif droppers have also been delivered as password-protected zip files that execute base64-encoded PowerShell commands.[5] |
| enterprise | T1027.010 | Command Obfuscation | Ursnif droppers execute base64-encoded PowerShell commands.[5] |
| enterprise | T1057 | Process Discovery | Ursnif has gathered information about running processes.[1][6] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.005 | Thread Local Storage | Ursnif has injected code into target processes via thread local storage callbacks.[1][7][4] |
| enterprise | T1055.012 | Process Hollowing | Ursnif has used process hollowing to inject into child processes.[4] |
| enterprise | T1090 | Proxy | Ursnif has used a peer-to-peer (P2P) network for C2.[2][3] |
| enterprise | T1090.003 | Multi-hop Proxy | Ursnif has used Tor for C2.[2][3] |
| enterprise | T1012 | Query Registry | Ursnif has used Reg to query the Registry for installed programs.[1][6] |
| enterprise | T1091 | Replication Through Removable Media | Ursnif has copied itself to and infected removable drives for propagation.[1][8] |
| enterprise | T1113 | Screen Capture | Ursnif has used hooked APIs to take screenshots.[1][6] |
| enterprise | T1082 | System Information Discovery | Ursnif has used Systeminfo to gather system information.[1] |
| enterprise | T1007 | System Service Discovery | Ursnif has gathered information about running services.[1] |
| enterprise | T1080 | Taint Shared Content | Ursnif has copied itself to and infected files in network drives for propagation.[1][8] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | Ursnif has used a 30-minute delay after execution to evade sandbox monitoring tools.[8] |
| enterprise | T1047 | Windows Management Instrumentation | Ursnif droppers have used WMI classes to execute PowerShell commands.[5] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0127 | TA551 | [9][10][11][12] |

References

1. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
2. NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.
3. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
4. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
5. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
6. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
7. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
8. Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.
9. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
10. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
11. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
12. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.