The Ursnif Trojan (also known as Gozi ISFB or Dream bot) is one of the most prolific information-stealing Trojans in the cybercrime landscape. Since its reappearance in early 2013, it has been constantly evolving. In 2015, its source code was leaked and made publicly available on Github, which led to further development of the code by different threat actors who improved it and added new features.

The trojan is often spread by exploit kits, email attachments, and malicious links. Ursnif has continued to evolve over the last few months, adding Tor and peer-to-peer (P2P) capabilities in July 2016. Though the function exists, few of the Ursnif samples use the Tor network as their primary mode of communication with the C2 infrastructure. When the Angler exploit kit was widely used, it was used to deliver the Ursnif trojan.

In May, Ursnif was delivered in a malvertising campaign by the Neutrino exploit kit. In August, the trojan was delivered by the RIG exploit kit. Ursnif has been delivered by email throughout 2016 and targeted users in the United States, Australia, Canada, Italy, Poland, Switzerland, and the United Kingdom. The attackers used Microsoft Word attachments with malicious macros to distribute Ursnif to US victims

Over the past few years, Japan has been among the top countries targeted by Ursnif’s operators. In 2018, Cybereason, as well as other security companies, reported about attacks where Ursnif (mainly the Dreamboat variant) and Bebloh (also known as URLZone and Shiotob) were operating in conjunction. In these joint campaigns, Bebloh is used as a downloader that runs a series of tests to evaluate whether it is running in a hostile environment (for example, it checks to see if it is running on a research VM). Once the coast is clear, it downloads Ursnif, which carries out its core information-stealing functions.

The sample spread in February 2019 use two new features: the first one is a several obfuscated Powershell stage in order to evade AVs and reduce its detection, the second one is the use of steganography technique. The latter permit to hide code into a legit image manipulating specific bits. Next, another code performs decryption and execution of malicious code into the victim machine.

In March 2019 another weaponized variant of Ursnif has been detected: in this case, to spread the malicious software, a google drive document combined with an obfuscated VBA Script is used over steganography. The last sample shown in the previous table is similar to February’s sample but include another interesting feature: in this case, a first VBS stage is encrypted using the Vigenere cipher; this allows to hide its malicious code and evade many sandboxes environment.

For any Cyber Security information contact help@theweborion.com