Skip to content

S0386 Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.23 Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.1

Item Value
ID S0386
Associated Names Gozi-ISFB, PE_URSNIF, Dreambot
Version 1.4
Created 04 June 2019
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Gozi-ISFB 43
Dreambot 23

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Ursnif has used HTTPS for C2.143
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Ursnif has used Registry Run keys to establish automatic execution at system startup.76
enterprise T1185 Browser Session Hijacking Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).6
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Ursnif droppers have used PowerShell in download cradles to download and execute the malware’s full executable payload.5
enterprise T1059.005 Visual Basic Ursnif droppers have used VBA macros to download and execute the malware’s full executable payload.5
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.7
enterprise T1132 Data Encoding Ursnif has used encoded data in HTTP URLs for C2.3
enterprise T1005 Data from Local System Ursnif has collected files from victim machines, including certificates and cookies.6
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Ursnif has used tmp files to stage gathered information.1
enterprise T1140 Deobfuscate/Decode Files or Information Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.3
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Ursnif has used a DGA to generate domain names for C2.3
enterprise T1041 Exfiltration Over C2 Channel Ursnif has used HTTP POSTs to exfil gathered information.143
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Ursnif droppers have used COM properties to execute malware in hidden windows.5
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Ursnif has deleted data staged in tmp files after exfiltration.1
enterprise T1105 Ingress Tool Transfer Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.76
enterprise T1056 Input Capture -
enterprise T1056.004 Credential API Hooking Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.1
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model Ursnif droppers have used COM objects to execute the malware’s full executable payload.5
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.1
enterprise T1112 Modify Registry Ursnif has used Registry modifications as part of its installation routine.63
enterprise T1106 Native API Ursnif has used CreateProcessW to create child processes.4
enterprise T1027 Obfuscated Files or Information Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.3 Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.5
enterprise T1027.010 Command Obfuscation Ursnif droppers execute base64 encoded PowerShell commands.5
enterprise T1057 Process Discovery Ursnif has gathered information about running processes.16
enterprise T1055 Process Injection -
enterprise T1055.005 Thread Local Storage Ursnif has injected code into target processes via thread local storage callbacks.174
enterprise T1055.012 Process Hollowing Ursnif has used process hollowing to inject into child processes.4
enterprise T1090 Proxy Ursnif has used a peer-to-peer (P2P) network for C2.23
enterprise T1090.003 Multi-hop Proxy Ursnif has used Tor for C2.23
enterprise T1012 Query Registry Ursnif has used Reg to query the Registry for installed programs.16
enterprise T1091 Replication Through Removable Media Ursnif has copied itself to and infected removable drives for propagation.18
enterprise T1113 Screen Capture Ursnif has used hooked APIs to take screenshots.16
enterprise T1082 System Information Discovery Ursnif has used Systeminfo to gather system information.1
enterprise T1007 System Service Discovery Ursnif has gathered information about running services.1
enterprise T1080 Taint Shared Content Ursnif has copied itself to and infected files in network drives for propagation.18
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.8
enterprise T1047 Windows Management Instrumentation Ursnif droppers have used WMI classes to execute PowerShell commands.5

Groups That Use This Software

ID Name References
G0127 TA551 9101112