
Ursnif Trojan: A Classic Example of Malware Persistence and Adaptability


Research and Analysis May 15, 2023

Origin: 2007

Aliases: Ursnif, Gozi, Dreambot, ISFB, ISFB3, LDR4, Goziv3, Goziv2, Goziat

Targeted Sectors: Finance, Technology, Government

Targeted Regions: North America, Eastern Europe, Western Europe, Eastern Asia

Motivation: Stealing banking records, digital wallets, and cryptocurrency information

Common Infection Vectors: Spam email

Introduction

Ursnif (aka Gozi), a banking trojan that first appeared in 2007, is one of the oldest malware families still active today. It was ranked among the most active malware in 2020 and 2021. The malware was originally designed to collect system information and record keystrokes; over a period of 17 years, however, the trojan has evolved to include advanced capabilities such as anti-sandboxing and anti-VM mechanisms, Master Boot Record (MBR)-based persistence, and extraction of private keys from disk encryption software.

Some variants of Ursnif are equipped with enhanced information-stealing capabilities, allowing attackers to steal from cryptocurrency wallets and even to target disk encryption software in order to extract the encrypted data.

Multiple variants

The Ursnif trojan was primarily designed for data theft and has since split into multiple variant families. Each variant is equipped with different components, such as backdoors, spyware, and file injectors, that provide a wide variety of malicious functionality.

The malware has suffered multiple source code leaks, which subsequently led to a growing number of highly effective variants. For instance, a code leak in 2010 led to the emergence of two variants named Gozi Prinimalka and Gozi ISFB (also referred to as Gozi2 and Snifula). In 2015, the ISFB source code was leaked on GitHub, which enabled other cybercriminals to merge it with the Nymaim malware and develop a new hybrid strain called GozNym.

Over the years, several other variants of Ursnif have been detected in the wild, some of them based on the ISFB variant. These include Ursnif V3, RM3, LDR4, Dreambot, Goziv3 (RM3 loader), ISFB3, Gozi2RM3, and IAP 2.0, each with some variation in its C2 communication protocol, obfuscation methods, and control flow.

Tactics, Techniques, and Procedures (TTPs)

Ursnif is usually delivered via spam emails, infecting the system when the user unknowingly opens a malicious file attachment. Over the past decade, however, it has been observed testing a variety of other attack tactics as well.

  • In July 2010, attackers infiltrated online check archiving and verification services and scraped online job sites in order to send personalized messages carrying Ursnif to people looking for jobs.

  • In 2013, Gozi’s developers updated the malware with a Master Boot Record (MBR) rootkit feature, increasing its persistence.

  • In February 2016, a new Ursnif trojan build was observed using a code injection technique to inject malicious code inside Microsoft Edge.

  • In February 2017, Ursnif operators leveraged a spam botnet and a set of compromised web servers to infect users in Japan and Europe; the spam botnet was used to deliver the phishing emails.

  • In June 2018, attackers were observed delivering Ursnif via a post-tax scam campaign. The spam emails carried malicious URLs that ultimately installed a malware downloader written in VBScript.

  • In May 2019, attackers used a combination of phishing attacks, PowerShell scripts, and steganography to infect users in Japan with Ursnif.

  • In February 2020, a spam campaign was observed infecting Windows users in Italy with the Ursnif trojan. A malicious VBScript was used to execute the malware, which was later replaced with Dharma ransomware.

  • In April 2021, three banking trojans, Gozi ISFB, QBot, and BokBot, were observed being used in conjunction with a malicious document builder named EtterSilent to evade detection.

  • In November 2022, a cybercrime group named Disneyland Team was found leveraging Punycode attacks to mimic the domains of popular banks, which enabled the threat actors to infect victims with Gozi 2.0 malware.

  • In January 2023, a new variant of Ursnif, named LDR4, was discovered; it is believed to have been purpose-built for operations such as ransomware and data theft extortion.

  • In March 2023, a malware downloader called BATLOADER was seen abusing Google Ads to deliver the Vidar info stealer and the Ursnif trojan. The malicious ads spoofed genuine apps and services.

Attacks and Victimology

The Ursnif trojan has targeted several organizations in the Information Technology, Financial, and Government sectors. Its victims are spread across the world, including Western Europe, Eastern Europe, North America, and Eastern Asia. Moreover, the malware has been used to target several renowned organizations and to abuse their services, including the following:

  • Google Ads - Last month, BatLoader malware was observed delivering Vidar Stealer and Ursnif as secondary payloads while abusing Google Ads.

  • Ameriprise - In November 2022, the adversary group Disneyland Team was found using an Ursnif strain to steal credentials from the U.S. financial services firm Ameriprise.

  • Mozilla - In July 2020, Mozilla had to temporarily shut down its Firefox Send service, as it was being abused by unknown attackers to deliver an Ursnif malware variant.

  • DHL - In August 2019, attackers were observed using a sophisticated dropper malware disguised as DHL invoices to spread Ursnif to their victims.

  • GLS - In January, staff and customers of GLS were targeted via phishing emails that infected their systems with Ursnif malware.

Closing in on Malware Developers

In January 2013, three individuals, namely Mihai Ionut Paunescu, Deniss Calovskis, and Nikita Kuzmin, were charged with developing and distributing Gozi malware. In October, Deniss Calovskis was released from jail without any proper justification beyond the claim that the reason for his pre-extradition detention was no longer valid. In February 2015, Calovskis was extradited to the U.S. to stand trial, following which he pleaded guilty in September of the same year. In January 2016, a judge sentenced him to 21 months in prison. In July 2022, Mihai Ionut Paunescu (aka Virus) was extradited from Colombia for allegedly running a bulletproof hosting service that allowed attackers to spread the Gozi banking trojan.

Despite the successful detention of suspected developers, the trojan continues to spread in the wild, claiming victims across multiple sectors.

Mitigation

The trojan mainly spreads via spam emails, which highlights the importance of having robust email protection in place. Users need to be highly cautious when browsing the Internet and should cross-check the sender address before opening email attachments. Furthermore, security teams must automate and operationalize threat intelligence around the Ursnif trojan to proactively mitigate the threat before it strikes.

For this, a suitable Threat Intelligence Platform (TIP) is recommended. A TIP such as Cyware Threat Intel Exchange (CTIX) provides security teams with the ability to automate all phases of the threat intelligence lifecycle while enabling them to action threat intelligence with added context.

Conclusion

Despite being a decade-old threat, the Ursnif trojan proves that old does not mean outdated or ineffective. The malware has been actively updated and continues to carry out attacks even after its operators were apprehended. Security experts worldwide have been regularly sharing their analysis of the malware’s activity so that organizations can respond with the right countermeasures and protect their networks and systems.

Indicators of Compromise

January 2023

Malicious domains

www[.]teaimviewer[.]website

teaimviewer[.]website

www[.]lirbeoficce[.]shop

lirbeoficce[.]shop

www[.]tiaamviveir[.]online

tiaamviveir[.]online

www[.]teeamviveir[.]online

www[.]wwv9formslk[.]online

www[.]irs-w9[.]online

www[.]vww9formssk[.]online

www[.]formuisw9wirs[.]online

www[.]lirbeoficce[.]online

www[.]vvw9formsok[.]online

www[.]vvw9formsok[.]website

www[.]formuisw9wirs[.]site

www[.]libeofflce[.]shop

www[.]formswvw9[.]site

www[.]formswvw9[.]online

www[.]meformwv9w[.]online

www[.]teaamviveir[.]online

www[.]tteamviveir[.]online

www[.]vww9formssk[.]site

www[.]vww9formssk[.]website

www[.]wwv9formslk[.]space

www[.]vvw9formsok[.]site

www[.]meformwv9w[.]site

www[.]lidreoflce[.]shop

meformwv9w[.]online

vww9formssk[.]website

vvw9formsok[.]website

tteamviveir[.]online

formuisw9wirs[.]site

formswvw9[.]site

meformwv9w[.]site

libeofflce[.]shop

wwv9formslk[.]space

formuisw9wirs[.]online

vww9formssk[.]site

lidreoflce[.]shop

teeamviveir[.]online

wwv9formslk[.]online

vvw9formsok[.]site

teaamviveir[.]online

vww9formssk[.]online

teamvviveir[.]online

irs-w9[.]online

vvw9formsok[.]online

lirbeoficce[.]online

formswvw9[.]online

www[.]vww9formssk[.]space

vww9formssk[.]space

www[.]tteamviwerr[.]site

www[.]sllakieee[.]online

www[.]teammviwerr[.]site

www[.]teeamviwerr[.]site

www[.]slakkieee[.]online

www[.]teaamviwerr[.]site

www[.]lirbeoficce[.]store

www[.]slakiieee[.]online

www[.]sslakieee[.]online

www[.]annydeskc[.]online

www[.]slaakieee[.]online

www[.]ww9form[.]online

www[.]worw9form[.]online

ww9form[.]online

tteamviwerr[.]site

slakiieee[.]online

teeamviwerr[.]site

teammviwerr[.]site

worw9form[.]online

sllakieee[.]online

slaakieee[.]online

lirbeoficce[.]store

sslakieee[.]online

slakkieee[.]online

teaamviwerr[.]site

annydeskc[.]online

www[.]libbreoffice[.]online

www[.]llibreoffice[.]online

www[.]slack-app[.]website

www[.]librreoffice[.]online

www[.]aniydescka[.]website

www[.]aniydescka[.]tech

libbreoffice[.]online

slack-app[.]website

librreoffice[.]online

liibreoffice[.]online

llibreoffice[.]online

aniydescka[.]website

aniydescka[.]tech

lirbeofflce[.]shop

www[.]lirbeofflce[.]shop

www[.]formerow9[.]space

formerow9[.]space

sllack-tools[.]tech

www[.]sllack-tools[.]tech

www[.]teaamviwerr[.]online

teaamviwerr[.]online

www[.]anyddeskc[.]online

www[.]anydeeskc[.]online

www[.]aanydeskc[.]online

www[.]anyydeskc[.]online

aanydeskc[.]online

anydeeskc[.]online

anyydeskc[.]online

anyddeskc[.]online

www[.]timviwer[.]online

www[.]sslike[.]online

www[.]slakiie[.]online

www[.]timwiver[.]online

www[.]slakiie[.]site

www[.]timviver[.]online

www[.]timviiwer[.]online

www[.]slikie[.]site

www[.]slike[.]site

www[.]slakie[.]site

www[.]teamviver[.]online

www[.]amydiscke[.]site

www[.]rmsteams[.]space

www[.]slikapp[.]site

www[.]slakee[.]online

www[.]anyideck[.]site

www[.]anydak[.]site

www[.]slakiee[.]online

www[.]tiimviwer[.]online

www[.]annydesk[.]online

www[.]teamwiver[.]online

www[.]anydaske[.]site

timviver[.]online

timviwer[.]online

timviiwer[.]online

sslike[.]online

timwiver[.]online

slikie[.]site

slakie[.]site

slakiie[.]online

slike[.]site

teamviver[.]online

teamwiver[.]online

sllike[.]online

slikapp[.]site

tiimviwer[.]online

slakiee[.]online

slakiie[.]site

slakee[.]online

rmsteams[.]space

anydaske[.]site

anydak[.]site

anyideck[.]site

annydesk[.]online

amydiscke[.]site

www[.]teamwiver[.]site

teamwiver[.]site

www[.]slackapp[.]tech

slackapp[.]tech

www[.]slackapp[.]store

slackapp[.]store

www[.]tiimviwer[.]site

tiimviwer[.]site

www[.]timviwer[.]site

timviwer[.]site

www[.]lidreofflce[.]shop

lidreofflce[.]shop

www[.]slikapp[.]website

www[.]silakie[.]space

www[.]silakie[.]website

www[.]slikapp[.]tech

www[.]slakie[.]tech

www[.]libreoffjce[.]online

www[.]slacky-soft[.]tech

www[.]silakie[.]online

www[.]libreoffice[.]website

www[.]amydecke[.]tech

www[.]libreoffjce[.]website

www[.]slikapp[.]online

www[.]amydaske[.]online

www[.]slikie[.]space

www[.]slakie[.]website

www[.]slikie[.]online

www[.]libreoffice[.]space

www[.]slaikapp[.]tech

www[.]anydak[.]fun

www[.]anydaske[.]space

www[.]libreoffice[.]fun

www[.]libreoffice[.]site

www[.]anydak[.]space

www[.]amydecke[.]online

www[.]libreoffice[.]shop

www[.]amydaske[.]website

www[.]amydaske[.]tech

www[.]amydecke[.]website

silakie[.]space

silakie[.]website

slakie[.]website

silakie[.]online

slikapp[.]website

slikapp[.]online

libreoffjce[.]online

slikapp[.]tech

slakie[.]tech

slikie[.]online

slikie[.]space

libreoffice[.]fun

libreoffice[.]site

libreoffice[.]space

libreoffjce[.]website

libreoffice[.]website

libreoffice[.]shop

amydaske[.]website

amydaske[.]online

amydecke[.]tech

amydecke[.]website

slaikapp[.]tech

anydak[.]fun

amydaske[.]tech

amydecke[.]online

anydak[.]space

anydaske[.]space

slacky-soft[.]tech

www[.]anyddesk[.]online

www[.]anydeske[.]site

www[.]anydeesk[.]online

www[.]anyydesk[.]online

www[.]anydeskk[.]online

anydeskk[.]online

anyydesk[.]online

anyddesk[.]online

anydeesk[.]online

anydeske[.]site

www[.]lirbeoficce[.]website

lirbeoficce[.]website

www[.]slacky-soft[.]online

www[.]slaikapp[.]online

www[.]anyideck[.]website

www[.]anyideck[.]online

slacky-soft[.]online

slaikapp[.]online

anyideck[.]online

anyideck[.]website

www[.]anydeske[.]space

www[.]anydeske[.]fun

anydeske[.]fun

anydeske[.]space

www[.]teamssms[.]site

teamssms[.]site

www[.]anydaske[.]website

www[.]anydak[.]online

www[.]anydak[.]website

anydak[.]website

anydaske[.]website

anydak[.]online

www[.]slike[.]online

www[.]slikie[.]website

www[.]slakieonline[.]online

www[.]slike[.]website

www[.]slakie[.]online

www[.]anydeske[.]online

www[.]anydeske[.]website

www[.]libreofflce[.]shop

www[.]likhs299us[.]tech

slikie[.]website

slakieonline[.]online

slakie[.]online

slike[.]online

slike[.]website

likhs299us[.]tech

libreofflce[.]shop

anydeske[.]online

anydeske[.]website

www[.]slacksoft[.]tech

slacksoft[.]tech

www[.]sllack-soft[.]tech

www[.]anyidesck[.]online

www[.]anyidesck[.]tech

www[.]slack-soft[.]website

sllack-soft[.]tech

slack-soft[.]website

anyidesck[.]online

anyidesck[.]tech

www[.]msteamsqw[.]online

www[.]w9irsgob[.]online

www[.]micrmsteams[.]online

www[.]teamsmsa[.]online

www[.]tirsw9f[.]online

www[.]libraoffjlce[.]online

www[.]tirsogov[.]online

www[.]anyidesck[.]website

www[.]teamvviewier[.]tech

www[.]connecitferstcy[.]tech

tirsogov[.]online

tirsw9f[.]online

w9irsgob[.]online

teamvviewier[.]tech

teamsmsa[.]online

micrmsteams[.]online

libraoffjlce[.]online

msteamsqw[.]online

connecitferstcy[.]tech

anyidesck[.]website

www[.]liblreofice[.]website

www[.]liblreofice[.]online

www[.]liblreofice[.]store

www[.]liblreofice[.]tech

www[.]liblreofice[.]space

www[.]liwenbass33[.]shop

liblreofice[.]tech

liblreofice[.]online

liwenbass33[.]shop

liblreofice[.]website

liblreofice[.]store

liblreofice[.]space

www[.]abobe[.]tech

www[.]libeofice[.]website

www[.]abobe[.]shop

www[.]libeofice[.]store

www[.]adob[.]store

www[.]libeofice[.]tech

www[.]adob[.]tech

www[.]liblreoffice[.]tech

abobe[.]tech

libeofice[.]website

littare2e1[.]shop

liblreoffice[.]tech

libeofice[.]store

libeofice[.]tech

adob[.]store

abobe[.]shop

adob[.]tech

LDR4

Malware sample hashes

360417f75090c962adb8021dbb478f67 [VT]

3e0f28bcaf35af2802f45b58f49481be

590d96a7be55240ad868ebec78ce38f2

8c658b9b02814927124351484c42a272 [VT]

9f68d1a4b33e3ace6215040dc9fc73e8 [VT]

b4610d340a9bff58616543b10e961cd3

baa784967fd0558715f4011a72eb872e [VT]

bd4a92d4577ddedeb462a71cdf2fa934

bea60bab50d47f239132890a343ae84c [VT]

d38f6f01bb926df07d34de0649f608f6 [VT]

d6ef4778f7dc9c31a0a2a989ef42d2fd [VT]

d94657449f8d8c165ef88fd93e463134 [VT]

eee617806c18710e8635615de6297834 [VT]

f4b0a6ab164f7c58cccce651606caede [VT]

Malware sample hashes (unpacked)

00b981b4d3f47bcbd32dfa37f3b947e5 [VT]

09bc2a1aefbafd3e7577bc3c352c82ad [VT]

1b0ec09ca4cb7dcf5d59cea53e1b9c93

3c5f002b46ef11700caca540dcc7c519

498d5e8551802e02fe4fa6cd0425c608

58169007c2e7a0d022bc383f9b9476fe [VT]

7808d22a4343b2617ceef63fd0d43651

7eea48e592c4bccbfa3929b1b35a7c0b

89b4dd18bea842fddd021aa74d109ec3

a3539bc682f39406c050e5233058c930 [VT]

ac39f1a22538f0211204037cce30431d

c1989d25287cd9044b4d936e73962e35

c7facfffad15a9c84239b495770183bb

cde05576e7c48ca89d2f21c283a4a018 [VT]

Network indicators

Domains

astope[.]xyz

binchfog[.]xyz

damnater[.]com

daydayvin[.]xyz

dodsman[.]com

dodstep[.]cyou

fineg[.]xyz

fingerpin[.]cyou

fishenddog[.]xyz

giantos[.]xyz

gigeram[.]com

gigiman[.]xyz

gigimas[.]xyz

higmon[.]cyou

isteros[.]com

kidup[.]xyz

lionnik[.]xyz

logotep[.]xyz

mainwog[.]xyz

mamount[.]cyou

minotos[.]xyz

pinki[.]cyou

pipap[.]xyz

prises[.]cyou

reaso[.]xyz

rorfog[.]com

tornton[.]xyz

vavilgo[.]xyz

IP addresses

5[.]182.36.248 (CH) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

5[.]182.37.136 (RU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

5[.]182.38.43 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

5[.]182.38.68 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

5[.]252.23.238 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]8.147.179 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]8.147.215 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]67.34.75 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]67.34.172 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]67.34.245 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]67.229.39 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]89.54.122 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]89.54.152 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]95.11.62 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]140.146.241 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]142.212.87 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

45[.]150.67.4 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

77[.]75.230.62 (CZ) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

77[.]91.72.15 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

94[.]131.100.71 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

94[.]131.100.209 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

94[.]131.106.8 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

94[.]131.106.16 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

94[.]131.107.13 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

94[.]131.107.132 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

94[.]131.107.252 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

141[.]98.169.6 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

185[.]250.148.35 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

188[.]119.112.104 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

193[.]38.54.157 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

User-Agent strings

Mozilla/5.0 (Windows NT <os_version>; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36

Mozilla/5.0 (Windows NT <os_version>; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
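The domains in the January 2023 list are defanged with "[.]" and are near-miss spellings of remote-access and office-software brands (TeamViewer, AnyDesk, LibreOffice, Slack, Microsoft Teams, Adobe) and IRS W-9 form lures, and the User-Agent strings carry an <os_version> placeholder. The Python below is an added example, not code from this briefing or from any Cyware product: it refangs the indicators, scores each domain's registrable label against the brand it imitates (substring match or a small edit distance), and compiles the User-Agent templates into regexes so proxy log lines can be screened for a lookalike or listed destination combined with the listed User-Agent. The brand list, the allowlist of genuine brand sites and the log lines are constructed for the example; the sample indicators are copied from the lists above.

```python
"""Added example (not from the briefing or any Cyware product): defender-side
triage of the Ursnif indicators above. Refangs '[.]'-defanged IoCs, flags
typosquat domains by brand substring or small edit distance, and compiles
the templated User-Agent strings into regexes so proxy log lines can be
screened for a lookalike/listed destination plus a matching User-Agent."""
import re

# Brands the January 2023 list imitates (assumption, read off the list above).
BRANDS = ["teamviewer", "anydesk", "libreoffice", "slack", "teams",
          "adobe", "irs", "w9"]
# Genuine sites for those brands (constructed allowlist) so the real domain
# is never reported as a typosquat.
ALLOWLIST = {"teamviewer.com", "anydesk.com", "libreoffice.org",
             "slack.com", "microsoft.com", "adobe.com", "irs.gov"}
# Two C2 addresses from the IP list above, defanged as on the page.
KNOWN_IPS = {"5[.]182.36.248", "45[.]8.147.179"}
# User-Agent templates copied from the IoC section; <os_version> varies.
UA_TEMPLATES = [
    "Mozilla/5.0 (Windows NT <os_version>; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
    "Mozilla/5.0 (Windows NT <os_version>; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Restore a defanged indicator: 'Www[.]x[.]site' -> 'www.x.site'."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(label: str):
    """Return (brand, distance) when the label imitates a brand, else None.
    A brand as substring ('slackapp') always counts; edit-distance hits
    count only for brands of 5+ characters so 'w9' cannot match noise."""
    cleaned = re.sub(r"[^a-z0-9]", "", label)
    best = min(BRANDS, key=lambda b: levenshtein(cleaned, b))
    dist = levenshtein(cleaned, best)
    if any(b in cleaned for b in BRANDS) or (len(best) >= 5 and dist <= 2):
        return best, dist
    return None


def triage(ioc: str) -> dict:
    """Classify an indicator as 'ip', 'allowlisted', 'lookalike' or 'domain'."""
    value = refang(ioc)
    if IPV4.match(value):
        return {"ioc": value, "kind": "ip"}
    parts = value.split(".")
    # Assumes a single-label public suffix, true for every domain above
    # (.online, .site, .xyz, ...) but not for suffixes such as .co.uk.
    if ".".join(parts[-2:]) in ALLOWLIST:
        return {"ioc": value, "kind": "allowlisted"}
    hit = lookalike_brand(parts[-2] if len(parts) >= 2 else parts[0])
    if hit:
        return {"ioc": value, "kind": "lookalike", "brand": hit[0],
                "distance": hit[1]}
    return {"ioc": value, "kind": "domain"}


def ua_regexes():
    """Compile the templates; <os_version> becomes e.g. 6.1 or 10.0."""
    return [re.compile("^" + re.escape(t).replace(
                re.escape("<os_version>"), r"\d+(?:\.\d+)?") + "$")
            for t in UA_TEMPLATES]


def scan_proxy_log(lines):
    """Return destinations of 'dst<TAB>user-agent' lines that hit a listed
    C2 IP or a lookalike domain AND carry a templated User-Agent."""
    regexes, known = ua_regexes(), {refang(ip) for ip in KNOWN_IPS}
    hits = []
    for line in lines:
        dst, _, ua = line.partition("\t")
        v = triage(dst)
        listed = v["kind"] == "lookalike" or (v["kind"] == "ip" and v["ioc"] in known)
        if listed and any(r.match(ua) for r in regexes):
            hits.append(v["ioc"])
    return hits


# Constructed proxy log: lookalike + listed IP with the listed UA (two hits),
# the genuine TeamViewer site, and a lookalike reached by another browser.
UA_WIN64 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36")
SAMPLE_LOG = [
    "www.teaimviewer.website\t" + UA_WIN64,
    "45.8.147.179\t" + UA_WIN64.replace("NT 10.0; Win64; x64", "NT 6.1; WOW64"),
    "www.teamviewer.com\t" + UA_WIN64,
    "slack-app.website\t" + UA_WIN64.replace("87.0.4280.66", "112.0.0.0"),
]
```

Running `triage` over the list above reports, for instance, www[.]teaimviewer[.]website as a TeamViewer lookalike at distance 1 and www[.]libreoffice[.]website as a LibreOffice lookalike at distance 0 (the exact brand name on a wrong suffix), while astope[.]xyz from the network indicators is a plain domain with no brand resemblance. Note that the Chrome/87 User-Agent is also used by legitimate browsers of that version, which is why `scan_proxy_log` only reports it together with a listed or lookalike destination.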
