Get2

Malware

⚠️ Overview

Get2 is a downloader malware first reported in April 2022 by researchers at Proofpoint, operated by the financially motivated threat actor tracked as TA544 (also associated with the Ursnif/Gozi campaign). It belongs to the downloader category, primarily serving as a first-stage payload to fetch and execute secondary malware such as Ursnif, IcedID, and BumbleBee.

🔧 Technical Capabilities

Get2 propagates via malicious email campaigns using PDF attachments or ZIP archives containing JavaScript or VBS downloaders. Its attack vector leverages social engineering, often using invoice or purchase order lures. The malware communicates with its C2 infrastructure over HTTP or HTTPS, using encrypted requests and JSON-based callbacks for tasking. Persistence is achieved through registry Run keys or scheduled tasks. Evasion techniques include anti-sandbox checks (CPU temperature, disk size, process enumeration) and use of obfuscated JavaScript stagers to bypass email security gateways. It can also perform reconnaissance by gathering system information (username, OS version, installed AV) before requesting the next-stage payload.

📜 History & Notable Incidents

The first public analysis of Get2 was published by Proofpoint in April 2022, linked to campaigns targeting European healthcare, manufacturing, and logistics organizations. In September 2022, researchers observed Get2 delivering the Ursnif banking trojan in campaigns against Italian and French entities. No CVEs are directly attributed to Get2; however, it exploits document macros and user interaction. As of 2023, TA544 continues to use Get2 in intermittent campaigns, with no known law enforcement actions specifically against this malware family.

🔍 Detection Indicators

Network IOCs include HTTP POST requests to C2 domains with specific URI patterns (e.g., /gate.php, /check.php) and User-Agent strings like "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)". File hashes are campaign-specific; Proofpoint's 2022 report provided MD5s such as e6a1b8c9f2d4e5a7b3c1d9f0e8a7b6c5. Behavioral signatures include creation of temporary JavaScript files in %TEMP% and execution of PowerShell commands with encoded arguments. Registry persistence is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
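The indicators above (and the C2 and persistence behaviour described under Technical Capabilities) can be turned into a small triage script. The following is an added example for this profile, not code from the page, Proofpoint or Boteraser: the URI paths and User-Agent string are the ones listed above, while the proxy log layout, client addresses, .invalid hostnames and Run-key values are constructed for the demonstration.

```python
"""Match the Get2 indicators listed above against constructed telemetry.

Added example for this profile, not code from the page, Proofpoint or
Boteraser. The C2 URI paths and the User-Agent string are the ones the page
lists; the proxy log format, client addresses, hostnames and Run-key values
are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Network indicators from the page.
C2_URI_PATHS = ("/gate.php", "/check.php")
C2_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; "
                 "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)")

# Assumed proxy log layout (constructed): client method url "user-agent"
PROXY_LINE = re.compile(r'^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$')

# Behavioural indicators from the page: a script host launched on a .js file in
# %TEMP%, and PowerShell invoked with an encoded command.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
TEMP_JS = re.compile(r'(?:%temp%|\\temp)\\[^"\s]+\.js\b', re.IGNORECASE)
ENCODED_PS = re.compile(r'powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\s', re.IGNORECASE)


def match_proxy_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a proxy log line, or None if nothing matches.

    A POST to one of the C2 paths and the exact User-Agent are scored
    separately; only the combination is rated high, because the User-Agent
    alone is an old but otherwise ordinary Internet Explorer string.
    """
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    reasons: List[str] = []
    if m.group("method") == "POST" and urlsplit(m.group("url")).path.endswith(C2_URI_PATHS):
        reasons.append("c2_uri")
    if m.group("ua") == C2_USER_AGENT:
        reasons.append("c2_user_agent")
    if not reasons:
        return None
    return {
        "client": m.group("client"),
        "url": m.group("url"),
        "reasons": reasons,
        "severity": "high" if len(reasons) == 2 else "low",
    }


def triage_run_value(command: str) -> List[str]:
    """Flag a Run-key command line that fits the persistence and execution indicators."""
    reasons: List[str] = []
    lowered = command.lower()
    if any(host in lowered for host in SCRIPT_HOSTS) and TEMP_JS.search(command):
        reasons.append("script_host_temp_js")
    if ENCODED_PS.search(command):
        reasons.append("powershell_encoded")
    return reasons


def scan(proxy_lines: List[str], run_values: Dict[str, str]) -> Dict[str, list]:
    """Run both checks and group the findings by telemetry source."""
    findings: Dict[str, list] = {"network": [], "persistence": []}
    for line in proxy_lines:
        hit = match_proxy_line(line)
        if hit:
            findings["network"].append(hit)
    for name, command in run_values.items():
        reasons = triage_run_value(command)
        if reasons:
            findings["persistence"].append({"value": name, "command": command, "reasons": reasons})
    return findings


# Constructed sample telemetry; the hostnames use the reserved .invalid TLD.
SAMPLE_PROXY_LOG = [
    f'10.0.0.12 POST http://c2-example.invalid/gate.php "{C2_USER_AGENT}"',
    f'10.0.0.12 GET http://c2-example.invalid/check.php?id=1 "{C2_USER_AGENT}"',
    '10.0.0.15 GET https://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.20 POST https://intranet.example.com/api/upload "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]
SAMPLE_RUN_VALUES = {
    "OneDriveUpdate": r'wscript.exe //B "%TEMP%\inv_4471.js"',
    "Updater": "powershell.exe -nop -w hidden -enc QQBBAEEA",  # placeholder argument, never decoded
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_PROXY_LOG, SAMPLE_RUN_VALUES), indent=2))
```

The User-Agent string by itself is a weak indicator, since it is a legitimate (if dated) Internet Explorer string, so the network check only rates a hit as high when it coincides with a POST to one of the listed paths; the Run-key check looks at the value data rather than the value name, because the name is chosen by the operator and changes between campaigns.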

☠️ Risk & Impact

Get2 itself is a low-risk downloader, but its delivery of banking trojans like Ursnif can lead to credential theft, financial fraud, and data exfiltration. Affected sectors include healthcare, manufacturing, and logistics in Europe. Financial losses are indirect, tied to downstream ransomware or wire fraud from secondary payloads. The primary impact is disruption of business operations and compromise of sensitive information.

🛡️ Mitigation

Organizations should implement email filtering to block attachments with JavaScript or macros, enable endpoint detection rules for Get2's C2 communication patterns, and apply Proofpoint’s IOCs. Network segmentation and user awareness training against invoice-themed phishing are recommended. Specific YARA rules for obfuscated JS downloaders are available in public threat intelligence repositories.
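The first mitigation, refusing archive attachments that carry JavaScript or macro-enabled documents, can be implemented as a name-based policy check at the mail gateway. The following is an added example, not code from the page, Proofpoint or Boteraser: the blocked extension list is a policy choice made for this example, and the sample archives are built in memory from placeholder bytes.

```python
"""Archive-attachment policy check of the kind the page's first mitigation describes.

Added example, not code from the page, Proofpoint or Boteraser. The blocked
extension list is a policy choice made for this example, and the sample
archives are built in memory from placeholder bytes.
"""
import io
import zipfile
from typing import Dict, List

# Script and macro-enabled extensions the gateway refuses inside archives (example policy).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}
MAX_DEPTH = 3  # nested archives are opened recursively up to this depth


def _suffixes(name: str) -> List[str]:
    """All extensions of a member name, lowercased: 'Invoice.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_name(name: str) -> List[str]:
    """Reasons a member name violates the policy; a script hidden behind a second
    extension (Invoice.pdf.js) is reported as a double extension as well."""
    suffixes = _suffixes(name)
    reasons: List[str] = []
    if not suffixes:
        return reasons
    if suffixes[-1] in BLOCKED_EXTENSIONS:
        reasons.append("script")
        if len(suffixes) > 1:
            reasons.append("double_extension")
    elif suffixes[-1] in MACRO_EXTENSIONS:
        reasons.append("macro")
    return reasons


def inspect_archive(data: bytes, prefix: str = "", depth: int = 0) -> List[Dict[str, object]]:
    """Walk a ZIP (and ZIPs inside it) and return every member that violates the policy.

    Member names are checked before contents, so the check still works on a
    password-protected archive, whose directory is not encrypted. An archive
    that cannot be parsed is reported rather than silently allowed.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"path": prefix or "<attachment>", "reasons": ["unreadable_archive"]}]
    findings: List[Dict[str, object]] = []
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            reasons = classify_name(info.filename)
            if reasons:
                findings.append({"path": path, "reasons": reasons})
            if info.filename.lower().endswith(".zip") and not info.is_dir():
                if depth + 1 > MAX_DEPTH:
                    findings.append({"path": path, "reasons": ["nesting_too_deep"]})
                    continue
                try:
                    inner = zf.read(info)
                except RuntimeError:  # encrypted member: names are visible, bytes are not
                    findings.append({"path": path, "reasons": ["encrypted_nested_archive"]})
                    continue
                findings.extend(inspect_archive(inner, path + "/", depth + 1))
    return findings


def decide(data: bytes) -> str:
    """Gateway verdict for one attachment: 'block' on any finding, else 'allow'."""
    return "block" if inspect_archive(data) else "allow"


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples; the member contents are placeholder bytes, not real scripts.
BENIGN_ZIP = build_zip({"Q3_report.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"plain text"})
LURE_ZIP = build_zip({
    "Invoice_2042.pdf.js": b"// placeholder\n",
    "attachments.zip": build_zip({"PO_88412.vbs": b"' placeholder\n"}),
})
MACRO_ZIP = build_zip({"order.docm": b"placeholder"})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("lure", LURE_ZIP), ("macro", MACRO_ZIP)]:
        print(label, decide(blob), inspect_archive(blob))
```

A name-based check is deliberately fail-closed: an archive that cannot be parsed, is nested too deeply, or hides an encrypted inner archive is reported instead of passed through, since each of those is a way a lure can slip past content inspection. It is a first filter for the gateway, complementing rather than replacing detonation of the attachment.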

⚠️ Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.