Ursnif
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| Gozi-ISFB | (Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) |
| PE_URSNIF | (Citation: TrendMicro Ursnif Mar 2015) |
| Dreambot | (Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Ursnif has used HTTPS for C2.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Ursnif has used Registry Run keys to establish automatic execution at system startup.(Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017) |
| .005 | Command and Scripting Interpreter: Visual Basic |
Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017) |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.(Citation: TrendMicro PE_URSNIF.A2) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Ursnif has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
Ursnif has used a DGA to generate domain names for C2.(Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Ursnif droppers have used COM properties to execute malware in hidden windows.(Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Ursnif has deleted data staged in tmp files after exfiltration.(Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1056 | .004 | Input Capture: Credential API Hooking |
Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.(Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1559 | .001 | Inter-Process Communication: Component Object Model |
Ursnif droppers have used COM objects to execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.(Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1055 | .005 | Process Injection: Thread Local Storage |
Ursnif has injected code into target processes via thread local storage callbacks.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro PE_URSNIF.A2)(Citation: FireEye Ursnif Nov 2017) |
| .012 | Process Injection: Process Hollowing |
Ursnif has used process hollowing to inject into child processes.(Citation: FireEye Ursnif Nov 2017) |
||
| Enterprise | T1090 | .003 | Proxy: Multi-hop Proxy |
Ursnif has used Tor for C2.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.(Citation: TrendMicro Ursnif File Dec 2014) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0127 | TA551 |
(Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN) |
References
- NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.
- Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
- Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
- Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
- Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
- Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
- Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
- Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
- Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.