
Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)
ID: S0386
Associated Software: Gozi-ISFB, Dreambot, PE_URSNIF
Type: MALWARE
Platforms: Windows
Version: 1.5
Created: 04 Jun 2019
Last Modified: 12 Sep 2024

Associated Software Descriptions

Name Description
Gozi-ISFB (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)
Dreambot (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)
PE_URSNIF (Citation: TrendMicro Ursnif Mar 2015)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Ursnif has used HTTPS for C2.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Ursnif has used Registry Run keys to establish automatic execution at system startup.(Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.(Citation: TrendMicro PE_URSNIF.A2)

Enterprise T1074 .001 Data Staged: Local Data Staging

Ursnif has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Ursnif has used a DGA to generate domain names for C2.(Citation: ProofPoint Ursnif Aug 2016)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Ursnif droppers have used COM properties to execute malware in hidden windows.(Citation: Bromium Ursnif Mar 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

Ursnif has deleted data staged in tmp files after exfiltration.(Citation: TrendMicro Ursnif Mar 2015)

Enterprise T1056 .004 Input Capture: Credential API Hooking

Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.(Citation: TrendMicro Ursnif Mar 2015)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Ursnif droppers have used COM objects to execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.(Citation: TrendMicro Ursnif Mar 2015)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Ursnif droppers execute base64 encoded PowerShell commands.(Citation: Bromium Ursnif Mar 2017)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif Aug 2016) Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.(Citation: Bromium Ursnif Mar 2017)

Enterprise T1055 .005 Process Injection: Thread Local Storage

Ursnif has injected code into target processes via thread local storage callbacks.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro PE_URSNIF.A2)(Citation: FireEye Ursnif Nov 2017)

Enterprise T1055 .012 Process Injection: Process Hollowing

Ursnif has used process hollowing to inject into child processes.(Citation: FireEye Ursnif Nov 2017)

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Ursnif has used Tor for C2.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Ursnif has used a 30-minute delay after execution to evade sandbox monitoring tools.(Citation: TrendMicro Ursnif File Dec 2014)

Groups That Use This Software

ID Name References
G0127 TA551 (Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)
