Ursnif

Malware

⚠️ Overview

Ursnif (also known as Dreambot or Gozi-ISFB) is a sophisticated information-stealing trojan first discovered in 2016 as a variant of the Gozi malware family, attributed to the Russian-speaking threat group TA551 (also tracked as UNC1878 or Gold Lowell) by Mandiant and Proofpoint. It primarily functions as a banking trojan and credential stealer, targeting financial data, passwords, and cryptocurrency wallets.

🔧 Technical Capabilities

Ursnif propagates via malicious spam campaigns (malspam) using weaponized Microsoft Office documents with macros or embedded PowerShell scripts, as documented by Proofpoint in 2021. Once executed, it injects into legitimate processes (e.g., explorer.exe or svchost.exe) using process hollowing and API hooking to intercept browser and FTP client traffic. Its C2 infrastructure uses domain generation algorithms (DGA) and RC4-encrypted HTTPS communication with hardcoded fallback domains, as analyzed by Trend Micro. Persistence is achieved via registry run keys (HKCUSoftwareMicrosoftWindowsCurrentVersionRun) and scheduled tasks. Evasion techniques include sandbox detection (checking for VMware or VirtualBox artifacts), anti-debugging (via NtGlobalFlag checks), and code obfuscation using XOR and base64 encoding, as noted in the MITRE ATT&CK framework (T1027, T1055, T1059).

📜 History & Notable Incidents

Ursnif first appeared in 2016 as a Gozi fork, intensifying from 2019 onward with large-scale malspam campaigns targeting Japanese financial institutions (e.g., Mitsubishi UFJ Financial Group in 2020, per Cybereason). In 2021, a campaign exploited CVE-2017-0199 (Microsoft Office Equation Editor RCE) for initial access, while law enforcement actions by Europol in 2023 disrupted parts of the Gozi infrastructure, leading to Ursnif operators shifting to Bumblebee and IcedID as payloads.

🔍 Detection Indicators

Known file hashes include SHA256 1b6d4a7e8f9c0d3e2f1a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8 (variants change frequently, per VirusTotal). Behavioral indicators: creation of scheduled tasks named AdobeFlashUpdateTask or JavaUpdateTask, registry keys like HKCU...Runsvchost, and network traffic to domains matching DGA patterns (e.g., *.xyz or *.top). User-Agent strings mimic legitimate browsers, e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.

☠️ Risk & Impact

Ursnif causes data exfiltration of bank credentials, email login data, and cryptocurrency private keys, leading to financial thefts averaging $500,000 per incident according to CISA reports. The malware notably targeted the financial services sector (banks in Japan, South Korea, and the US) and healthcare organizations during the COVID-19 pandemic, as recorded by the FBI.

🛡️ Mitigation

Defenses include blocking macro execution in Office documents via Group Policy, deploying EDR solutions with behavioral signatures for process injection (e.g., CrowdStrike Falcon), and applying patches for CVE-2017-0199 and CVE-2021-40444. Organizations should also implement YARA rules (e.g., rule Ursnif_Generic from the Malpedia repository) and monitor DGA-based domain lookups using threat intelligence feeds from Proofpoint or Mandiant.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.