Trojan:W32/Ursnif

Classification

Category :

Malware

Type :

Trojan

Aliases :

Ursnif, Trojan:W32/Ursnif, Trojan.Spy.Ursnif, Trojan.GenericKD.30550163, Gozi, ISFB

Summary

Ursnif steals system information and attempts to steal banking and online account credentials.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Behavior

Upon execution, Ursnif checks for the presence of any virtual or debugging environment; if one is found, it shows a fake alert message box with the text "Error Initializing Client App!". It also performs process hollowing on svchost.exe or explorer.exe and injects a DLL file (client.dll) chosen according to the system environment (32- or 64-bit).

Afterwards, it tries to steal multiple pieces of information from the system and store them in a file. It then connects to a malicious command and control (C&C) server.

Infection Vector

Ursnif is typically encountered when the user inadvertently opens a malicious file attachment that arrives via a spam email message.

Files Added

  • Creates a copy of itself at "%appdata%\[Random_Folder]\[Dropped_Filename].exe", where "Dropped_Filename" is a combination of strings taken from filenames in the %system32% directory.
  • Creates a batch file at "%temp%\[Random_Folder]\[Random_File].bat" to execute and delete itself.
  • Creates a storage file at %temp%\[Random_Hex].bin to store the stolen data. Stolen data is in cab file format, which is created by executing makecab.exe. The storage file contains the following information:
    • Installed Device Drivers - Collected by executing driverquery.exe
    • Installed Programs - Collected by executing reg.exe "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    • System Information - Collected by executing systeminfo.exe
    • Current running process - Collected by executing tasklist.exe /SVC

Registry Changes

Adds the following registry entries; the first runs the dropped copy at startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Dropped_Filename]: "%appdata%\[Random_Folder]\[Dropped_Filename].exe"
  • HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Vars
  • HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Files
  • HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Config

Network Activity

It connects to the following server:

  • bergesoma[.]com/images/[encrypted_data]/[.jpeg|.gif|.bmp]
  • polinodara[.]com/images/[encrypted_data]/[.jpeg|.gif|.bmp]

where encrypted_data contains the username, computer name, version of the injected process, system IP address and malware-specific configuration details.
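As an added detection example (not part of F-Secure's write-up), the following Python groups constructed Sysmon-style telemetry per host and flags the indicators listed under Files Added, Registry Changes and Network Activity: the chained recon commands that feed the %temp% .bin storage file, the AppDataLow\...\{GUID} keys, and the /images/...(.jpeg|.gif|.bmp) URL shape on the two listed domains. The event field names and the sample events are assumptions.

```python
import re
from collections import defaultdict

# Host-recon commands the write-up says Ursnif runs to fill its %temp%\[Random_Hex].bin cab file.
RECON = {
    "driverquery": re.compile(r"\bdriverquery(\.exe)?\b", re.I),
    "uninstall_query": re.compile(r"\breg(\.exe)?\b.*CurrentVersion\\Uninstall", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "tasklist_svc": re.compile(r"\btasklist(\.exe)?\b.*/svc", re.I),
    "makecab_bin": re.compile(r"\bmakecab(\.exe)?\b.*\\temp\\[0-9a-f]+\.bin", re.I),
}
# Per-user config keys (Vars/Files/Config under a GUID) and the C&C URL shape listed above.
APPDATALOW_KEY = re.compile(
    r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\\{[0-9A-F-]{36}\}\\(Vars|Files|Config)$", re.I)
C2_URL = re.compile(r"^https?://(bergesoma|polinodara)\.com/images/.+\.(jpeg|gif|bmp)$", re.I)

# Constructed sample telemetry (not real captures); "host"/"type"/"cmd"/"key"/"url" are assumed fields.
EVENTS = [
    {"host": "ws1", "type": "process", "cmd": "driverquery.exe"},
    {"host": "ws1", "type": "process", "cmd": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"'},
    {"host": "ws1", "type": "process", "cmd": "systeminfo.exe"},
    {"host": "ws1", "type": "process", "cmd": "tasklist.exe /SVC"},
    {"host": "ws1", "type": "process", "cmd": r"makecab.exe C:\Users\a\AppData\Local\Temp\3f9a.bin"},
    {"host": "ws1", "type": "registry",
     "key": r"HKCU\Software\AppDataLow\Software\Microsoft\{3C2E4A1B-7D5F-4E6A-9B8C-0D1E2F3A4B5C}\Config"},
    {"host": "ws1", "type": "network", "url": "http://bergesoma.com/images/Tm9aBc123/xq.gif"},
    {"host": "ws2", "type": "process", "cmd": "systeminfo.exe"},  # routine admin use, on its own
]


def assess(events):
    """Group events per host and return which Ursnif indicators each host shows."""
    seen = defaultdict(set)
    for ev in events:
        tags = seen[ev["host"]]
        if ev["type"] == "process":
            tags.update("recon:" + name for name, rx in RECON.items() if rx.search(ev["cmd"]))
        elif ev["type"] == "registry" and APPDATALOW_KEY.match(ev["key"]):
            tags.add("registry:appdatalow_config")
        elif ev["type"] == "network" and C2_URL.match(ev["url"]):
            tags.add("network:c2_url")
    findings = {}
    for host, tags in seen.items():
        recon = sum(t.startswith("recon:") for t in tags)
        # One discovery command is ordinary; the chained collection, or any
        # registry/network indicator, is what distinguishes this infection.
        findings[host] = {"tags": sorted(tags), "suspicious": recon >= 3 or recon < len(tags)}
    return findings
```

Call `assess(EVENTS)` to see that ws1 is flagged on all seven indicators while ws2, with a single systeminfo run, is not.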

Other Behavior

The malware also has the capability to:

  • Steal email data, collected by parsing different email file formats and applications (.wab, .pst)
  • Intercept the data and web forms of the following browsers: Chrome, Internet Explorer, Thunderbird, Firefox
  • Check for the presence of a virtual environment by comparing the Device Information string against "vbox", "qemu", "vmware", "virtual hd"
  • Detect Phishwall software

Analysis on file: b3764e1a3d0f7d164436d565226800f3c06a58ec