Ursnif Malware Banks on News Events for Phishing Attacks

Amit Gadhave

Last updated on: December 22, 2022

Ursnif (aka Gozi, Dreambot, ISFB) is one of the most widespread banking trojans. It has been observed evolving over the past few years. Ursnif has shown incredible theft capabilities. In 2020 Ursnif rose to prominence becoming one of the top ten most prolific pieces of malware. Among its core functionalities are stealing credentials, downloading other malware, working as a keylogger, among others.

Ursnif is mostly spread through spear phishing emails. Its attacks are often targeted at banking, financial services, and government agencies. In phishing emails, it tries to impersonate government authorities and leverage current events in the news to gain user trust, which leads to initial access to the victim’s system. Once the user opens the malicious attachment, the trojan uses User Agents that imitated Zoom and Webex in a further effort to blend in and allow for exploitation. This behavior was observed during the peak of the pandemic.

Technical Analysis of Ursnif Malware

Infection Chain

In our analysis, phishing emails with a macro embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain, as pictured below.

Fig. 1 Infection chain

Infection Scenario 1: XLS Document Analysis

A malicious XLS document (fig. 2) pretends to be a document related to DHL, the shipping company. It contains VBA macro code to download a binary file from the URL embedded in the document. Once the User enables macro content, the macro gets executed which further downloads the executable binary.

Fig. 2 Malicious XLS document

After downloading the binary file, it retrieves the handle of explorer.exe process and calls UpdateProcThreadAttribute to perform parent PID spoofing (fig. 3).

Fig. 3 VBA macro code performing PPID spoofing

In the parent process of the dropped executable, (1440.exe) is spoofed to explorer.exe. to evade detection (fig. 4).

Fig. 4 PPID spoofing

Infection Scenario 2: HTA Document Analysis

In another infection scenario, we observed that the phishing email is sent with a zip attachment having an HTA file. After de-obfuscating several layers, PowerShell script downloads a DLL file from an embedded URL and executes it using rundll32.exe. The extension used for the remote DLL is .txt, a feasible way to evade the watchful eyes of most security products.

Below, figure 5 shows several obfuscation layers in the HTA sample:

Fig. 5 HTA document analysis

Technical Analysis of Ursnif Loader

Ursnif loader contains several layers of in-memory unpacking routines which are observed in malware families like zloader, emotet, and others. It rewrites an in-memory image with a new unpacked binary that uses the Thread APC injection technique to execute malicious code in another thread of a current process. Once the control is passed to the final loader, it decrypts the BSS section.

The BSS section contains important configuration details in encrypted form, such as libraries and API names, string formats for sending data to Command & Control (CnC), registry entries, bat commands format, PowerShell commands format, HTA application format, etc. These configuration details are required for performing further activities. Below, figures 7 and 8 reveal that the malware uses campaign date as a key to decrypt the BSS section.

Fig. 6 BSS section decryption routine
Fig. 7 Decrypted BSS section content

Ursnif parses the configuration details through the JJ structure present in the PE (Portable Executable) header (fig. 9). The JJ structure contains the config blob address, config size, CRC Hash of decoded config and XOR key used to decode the config blob.

Fig. 8 JJ header of loader

Below, figure 10 reveals the configuration details present in the blob.

Fig. 9 Configuration blob of loader

The malware process iterates through CnC and uses these configuration details to generate a http GET request to CnC as shown in figure 10. It collects some information from the host machine like computer name, username, uptime, and CRC.

Fig. 10 HTTP GET request

Below are parameters which are encrypted in the GET request:

soft, version, user, server, id, crc, uptime, size, hash, dns, whoami

Parameters like soft and version are hardcoded in the binary. Here, the version might specify the malware binary version.

The user parameter is generated using username, computer name, and the result of _CPUID instruction. It may be used by the threat actor to uniquely refer to execution instance.

The server and id values are taken from the extracted config.

The uptime parameter is a result of the QueryPerformanceCounter API.

Further, it encrypts a http request with (AES-CBC mode) using a 128-bit key present in the extracted config and performs BASE64 encoding. It performs transformations like replacing +, / with _2B, _2F respectively and inserts / at random locations.

Figure 11 shows a typical encrypted http GET request.

Fig. 11 Encrypted request

If CnC is active, it responds with encrypted data in BASE64 encoded form. In recent versions (2.60.xxx), we observed that sometimes data is not base64 encoded. Below, figure 12 shows a typical response from the server:

Fig. 12 Encrypted response

Ursnif malware first decodes the base64 string and then decrypts the last 0x80 bytes using an RSA key embedded in the config. Below, figure 13 reveals the RSA key present in the config.

Fig. 13 RSA key present in the sample
Fig. 14 Implementation for RSA decryption logic

The last 0x80 bytes holds required information to decrypt the full response like a MD5 hash of the decrypted data, the key to decrypt data, and the size of the data to decrypt (fig. 15).

Fig. 15 Last 0x80 bytes of response

Once the full response is decrypted (AES-CBC mode) using the key received, it will validate the decrypted data by checking the MD5 hash. Ursnif can take a different action based on the response received. In our analysis, we observed that the decrypted data is the final payload of Ursnif.

Technical Analysis of Ursnif Payload

In our analysis, we saw that the final payload is a keylogger. Once control is transferred to the payload, it will connect to the CnC address extracted from its config and download an RSA encrypted browser account grabber module.

After decryption, it collects Chrome, Firefox, and Microsoft Edge browsers’ sensitive info like credentials, cookies, etc. via this grabber module, compresses it, and AES (Advanced Encryption Standard) encrypts it using the key from config. Further, it sends this information to the attacker’s CnC via http post request (figs. 16, 17). While sending information, it uses the following different values for the post parameter type to differentiate the kind of information it is sending. Some values include:

Type=6 – System info
Type=15 – Key logged data, clipboard etc.
Type=20 – Saved browser credentials
Type=22 – Cookies

Fig. 16 Sending credentials
Fig. 17 Sending cookies

Ursnif malware also collects and sends the following sensitive system information:

  1. Output of System Info command
  2. List of processes – task list /svc
  3. List of installed drivers – driver query
  4. Registry query information (details of installed applications) –
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  5. Output of Net config workstation

Ursnif then starts capturing keylogging and clipboard events in the system and sends it to the attacker’s CnC at regular intervals. All the data it sends is first compressed and then AES encrypted using the key present in the config.

Based on Ursnif’s code, the malware also has the capability to download and execute binary and upload files and screenshots from the victim’s system.

Based on our analysis, one thing is clear: Ursnif is bad news.




XLS document:
Hta document: DC21DB5D469BD554E41C8AEA35324E875475418AE23EB2378265636F0F781F85
Browser account grabber

Ursnif Mitre Att&ck TTP Map:

Initial AccessExecutionPersistenceprivilege EscalationDefense EvasionCredential AccessDiscoveryCollectionCommand and ControlExfiltration
Phishing: Spear phishing Attachment (T1566.001)User Execution (T1204 .002)Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Process Injection: Asynchronous Procedure Call (T1055.004)Parent PID Spoofing (T1134.004)Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Application Window Discovery (T1010)Clipboard Data (T1115)Application Layer Protocol: Web Protocols (T1071.001)Exfiltration Over C2 Channel (T1041)
Command and Scripting Interpreter: Visual Basic (T1059.005)Create or Modify System Process: Windows Service (T1543.003)Obfuscated Files or Information (T1027)Input Capture: Keylogging (T1056.001)Process Discovery (T1057)Input Capture: Keylogging (T1056.001)Ingress Tool Transfer (T1105)
Command and Scripting Interpreter: PowerShell (T1059.001)Process Injection: Asynchronous Procedure Call (T1055.004)Input Capture: GUI (Graphical User Interface) Input Capture (T1056.002)Query Registry (T1012)Input Capture: GUI Input Capture (T1056.002)
Windows Management Instrumentation (T1047)System Binary Proxy Execution – Regsvr32 (T1218.010)Steal Web Session Cookie (T1539)System Information Discovery (T1082)Data from Configuration Repository: Network Device Configuration Dump (T1602.002)
System Binary Proxy Execution – Rundll32 (T1218.011)System Service Discovery (T1007)

Detection, Mitigation or Additional Important Safety Measures

Beware of emails

  • Don’t open attachments and links from unsolicited emails. Delete suspicious looking emails you receive from unknown sources, especially if they contain links or attachments. Cybercriminals use ‘social engineering’ techniques to lure users into opening attachments or clicking on links that lead to infected websites.

Disable macros for Microsoft Office

  • Don’t enable macros in document attachments received via email. A lot of malware infections rely on your action to turn ON macros.
  • Consider installing Microsoft Office Viewers. These viewer applications let you see what documents look like without even opening them in Word or Excel. More importantly, the viewer software doesn’t support macros at all, so this reduces the risk of enabling macros unintentionally.

Show Comments (4)


Your email address will not be published. Required fields are marked *

    1. Hi @benjamin,

      Ursnif malware injects the code in explorer.exe. Further malicious explorer.exe process downloads browser account grabber module and execute it in memory. This is well known technique abused by ursnif malware.