URSNIF
Ursnif is a banking trojan and backdoor malware family also referred to in the provided content as Dreambot, Gozi, and Gozi-ISFB/ISFB. The content describes it as one of the most common commodity banking trojans worldwide and as part of the broader ISFB ecosystem that evolved from leaked Gozi source code into multiple branches, including Dreambot. Its capabilities include theft of stored data and banking credentials, web injections, form grabbing, keylogging, browser-focused credential theft, VNC and SOCKS proxy functionality, screen recording, email and file theft, victim fingerprinting, and the ability to update itself remotely or install additional modules. Multiple sources in the content also note its use as a loader or access-enablement platform for second-stage payloads, including ransomware-related follow-on activity.
The content links Ursnif to numerous delivery and distribution mechanisms. It has been delivered through phishing and malspam campaigns using malicious Office documents with macros, password-protected ZIP attachments, compressed scripts, hidden HTA/VBScript/JavaScript stages, and exploit-kit or malvertising chains. Specific examples in the content include TA544 campaigns in Japan and Italy, TA551 malspam activity, TA577 phishing campaigns, URLZone infections that subsequently download Ursnif, BrushaLoader delivery in Italy, DanaBot-distributed payloads, and Angler/Bedep malvertising activity. The content also notes that Ursnif droppers have used COM properties to execute malware in hidden windows, that Ursnif has registered itself as a Windows service in the Registry for persistence at startup, and that variants have used TLS callback manipulation during child-process injection.
Associated threat activity in the content includes TA544, TA551, and TA577, as well as broader criminal ecosystems using ISFB/Dreambot branches. Targeting described in the content includes banking customers and organizations in Japan and Italy in particular, with additional campaigns affecting Germany, Poland, Canada, the United States, and other regions depending on the actor or branch. Industries explicitly mentioned in TA544 campaigns include IT, technology, marketing, and manufacturing. Infrastructure-related reporting in the content ties Ursnif campaigns to tier-1 command-and-control infrastructure and to BraZZZerS fast-flux/proxy protection used by several ISFB branches, especially Dreambot.
High-confidence indicators and examples directly mentioned in the content include the static IAP2-associated encryption key "10291029JSJUYNHG"; old Android-malware-related C2 infrastructure used with Dreambot operations including facebouk[.]net, web5401[.]com, 178.79.145[.]141, and webnat[.]host; an example VNC/SOCKS management server 185.212.149.162; and campaign/infrastructure references such as a June 2023 Ursnif campaign targeting Italy and an Ursnif C2 server browneyandrebun[.]net at 107.170.83.113 observed in a fileless Angler/Bedep campaign. The content also references Ursnif variants and affiliate identifiers including Ursnif 1000 and Italian 4XXX derivatives such as 4777, 4778, 4779, and 4780.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories.
Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine.
The landing page loads a Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash found on the victim's system.
Groups observed using it
10 distinct threat actors attributed by public researchers.
TA551, also known as Shathak or Gold Cabin, is an attacker group that is responsible for spreading a wide variety of malware families including IcedID, Valak, Ursnif and, more recently, BazarLoader.
TA577 is a Russia-based threat group that has been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.
Ursnif is a common banking Trojan that can: steal stored data, including passwords from banking websites, via web injections, proxies and VNC connections; and update itself or install modules remotely.
Since the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.
The threat cluster relies heavily on Remote Monitoring and Management (RMM) tools, unlike UNC2686 which deployed BAZARLOADER variants as well as TRICKBOT, URSNIF, and SILENTNIGHT.
Techniques & procedures
36 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
4 techniques
TA577 is a Russia-based threat group that has been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020. More recently, they have delivered Pikabot and DarkGate malware.
Execution
5 techniques
It may be delivered via password-protected Zip files; Microsoft Office document attachments with malicious macros; or compressed JScript, JavaScript, or Visual Basic scripts.
Ursnif 4779 is deployed via one of two primary methods: (1) Microsoft Excel attachments with malicious macros... or (2) steganographic images that conceal malicious PowerShell commands which install Ursnif.
There is no indication of TA544 abandoning their primary payload delivery mechanism (malicious Microsoft Office VBA macros), although we have seen an increase in the use of steganographic images.
Social engineering is an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action. By relying on basic social engineering, suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious ends.
Persistence
1 technique
Privilege Escalation
2 techniques
Stealth
7 techniques
When the user enables the document macro, the obfuscated code downloads and installs malware, usually URLZone and/or Ursnif as noted above.
One notable characteristic of TA544 is their use of steganography, which is the process of concealing code within images.
Thread Local Storage (TLS) callback injection is a technique that entails manipulating pointers within a portable executable (PE) to redirect a process to malicious code before it reaches the code’s legitimate entry point.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
It filters out security researchers and sandboxes using checks including Maxmind, task counts, task names, and recent file counts.
Credential Access
3 techniques
Discovery
3 techniques
Victim fingerprinting: the malware can collect local information about the victim computer (OS type, IP address, computer name, list of antivirus applications) and check whether the computer is attached to a Domain Controller, etc.
Collection
5 techniques
The malware injects itself into the web browser and captures every HTTP POST request, which makes stealing credentials and credit card data easy.
After the infection, a webinject is deployed by Dreambot in the victim's browser, and when the victim logs into the online banking service, credentials are intercepted to be reused later by the carder.
The main feature of the module is injecting code into the web browser that will monitor which websites the victims are visiting. If a banking website is identified, ISFB injects a small snippet of JavaScript into the online banking website to steal the login credentials.
Command and Control
10 techniques
Indicators shared by the NetmanageIT Threat Intelligence team about a June 2023 Ursnif campaign targeting Italy report many remote destinations hosting Ursnif tier-1 command-and-control servers that share the same hostname.
In the log we can see that a client 96.57.xx.xxx sent a web request "GET tuneappservice.org/l3k42hj56h634gkj2lk14356jk4gh23k5jl6h4/gate.php?ped=RTY3M0E4NjhDQ0I5JE1DLTEwNw". What looks like a malware callback is in fact Riltok.
That’s why carders use a VNC connection to the victim's computer or a SOCKS proxy to tunnel their connection. Dreambot offers both of those techniques by design.
The service is described as fast flux, but in reality it is more of a simple proxy system. BraZZZers rents a pool of VPSs all around the internet and uses them as proxy IPs in order to hide the real IP of a server.
with the first integration of Tor onion as available C2.
One of the very important features of Dreambot is the capability to drop a 2nd stage implant to any infected bot.
When a victim is infected by Dreambot, a VNC connection and/or a SOCKS proxy is set up on the victim computer... he will connect directly to the victim's computer by using that VNC server, and just like that he would be on the same computer at the same time as the victim, operating over a hidden desktop.
The domains involved resolve to a list of IPs (we observed from 1 to more than 20 IPs per domain) that simply redirect the traffic to the real server.
Exfiltration
1 technique
IOCs tracked for this family
49 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
157 sources tracked across advisories, community write-ups, and news.
Mentioned as one of the heavyweight commodity malware families from the earlier malware-analysis era.
Named malware family referenced in an associated analytic story.
Gozi is referenced as a named malware family in the associated analytic stories, but the content does not provide behavioral detail beyond the name.
Gozi is referenced as a named malware family in the associated analytic stories, but the content does not provide behavioral details beyond its mention.