Ursnif
Associated Software Descriptions

| Name | Description |
|---|---|
| Gozi-ISFB | (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) |
| Dreambot | (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) |
| PE_URSNIF | (Citation: TrendMicro Ursnif Mar 2015) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Ursnif has used HTTPS for C2. (Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ursnif has used Registry Run keys to establish automatic execution at system startup. (Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Ursnif droppers have used VBA macros to download and execute the malware's full executable payload. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Ursnif has registered itself as a system service in the Registry for automatic execution at system startup. (Citation: TrendMicro PE_URSNIF.A2) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Ursnif has used tmp files to stage gathered information. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Ursnif has used a DGA to generate domain names for C2. (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Ursnif droppers have used COM properties to execute malware in hidden windows. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Ursnif has deleted data staged in tmp files after exfiltration. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Ursnif droppers have used COM objects to execute the malware's full executable payload. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Ursnif droppers execute base64-encoded PowerShell commands. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk. (Citation: ProofPoint Ursnif Aug 2016) Ursnif droppers have also been delivered as password-protected zip files that execute base64-encoded PowerShell commands. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1055.005 | Process Injection: Thread Local Storage | Ursnif has injected code into target processes via thread local storage callbacks. (Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro PE_URSNIF.A2)(Citation: FireEye Ursnif Nov 2017) |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Ursnif has used process hollowing to inject into child processes. (Citation: FireEye Ursnif Nov 2017) |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Ursnif has used Tor for C2. (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Ursnif has used a 30-minute delay after execution to evade sandbox monitoring tools. (Citation: TrendMicro Ursnif File Dec 2014) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0127 | TA551 | (Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN) |
References
- Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
- Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
- NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.
- Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
- Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
- Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
- Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
- Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
- Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.