Ursnif Trojan: A Classic Example of Malware Persistence and Adaptability

Introduction

Multiple variants

Tactics, Techniques, and Procedures (TTPs)

• In July 2010, attackers infiltrated online check archiving and verification services and scraped online job sites to send personalized messages to people looking for jobs using Ursnif malware.
• In 2013, Gozi’s developers update the malware with a Master Boot Record (MBR) rootkit feature, increasing its persistency.
• In February 2016, a new Ursnif trojan build was observed using a code injection technique to inject malicious code inside Microsoft Edge.
• In February 2017, the Ursnif leveraged a spam botnet and a set of compromised web servers to infect users in Japan and Europe. The spam botnet was used to deliver phishing emails. 
• In June 2018, the attackers were observed delivering the Ursnif via a post-tax scam campaign. The spam email carried malicious URLs that ultimately installed malware downloader written in VBScript.
• In May 2019, attackers used a combination of phishing attacks, PowerShell scripts, and steganography to infect users in Japan with Ursnif. 
• In February 2020, a spam campaign was observed infecting Windows users in Italy with Ursnif trojan. Malicious VB Script was used to execute the malware, which was later replaced with Dharma ransomware.
• In April 2021, three banking trojans Gozi ISFB, QBot, and BokBot were observed being used in conjunction with a malicious document builder named EtterSilent to evade detection. 
• In November 2022, a cybercrime group named Disneyland Team was found leveraging Punycode attacks to mimick the domains of popular banks. This enabled threat actors to infect victims with Gozi 2.0 malware.
• In January 2023, a new variant of the URSNIF was discovered. It was named 'LDR4,' and believed to be purposely built for enabling operations such as ransomware and data theft extortion.
• In March 2023, a malware downloader, called BATLOADER, was seen abusing Google Ads to deliver Vidar info stealer and Ursnif trojan. The malicious ads spoofed genuine apps and services.

Attacks and Victimology

• Google Ads - Last month, BatLoader malware was observed delivering Vidar Stealer and Ursnif as secondary payloads while abusing Google Ads.
• Ameriprise - In November 2022, the adversary group Disneyland Team was found using Ursnif strain to steal credentials from the U.S. financial services firm Ameriprise. 
• Mozilla - In July 2020, Mozilla had to temporarily shut down its Firefox Send service, as it was being abused by unknown attackers to deliver Ursnif malware variant.
• DHL - In August 2019, attackers were observed using a sophisticated dropper malware disguised as DHL invoices, spreading Ursnif malware to its victims.  
• GLS - In January, staff and customers of GLS were targeted via phishing emails, infecting their systems with Ursnif malware.

Closing in on Malware Developers

Mitigation

Conclusion

Indicators of Compromise