Trojan:W32/Ursnif

GO TO: Summary | Removal | Technical Details

Classification

Category: Malware

Type: Trojan

Platform: W32

Aliases: Ursnif, Trojan:W32/Ursnif, Trojan.Spy.Ursnif, Trojan.GenericKD.30550163, Gozi, ISFB

Summary

Ursnif steals system information and attempts to steal banking and online account credentials.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Behavior

Upon execution, Ursnif checks for the presence of any virtual or debugging environments; if found, it will show a fake alert message box with the text, "Error Initializing Client App!". It also performs process hollowing on svchost.exe or explorer.exe and injects a dll file (client.dll) based on the system enviornment (whether it is 32- or 64-bit).

Afterwards, it tries to steal multiple pieces of information from the system and store them in a file. It then connects to a malicious command and control (C&C) server.

Infection Vector

Ursnif is typically encountered when the user inadvertently opens a malicious file attachment that arrives via a spam email message.

Files Added

Create a copy of itself at "%appdata%\[Random_Folder]\[Dropped_Filename].exe" where "Dropped_Filename" is a combination of strings taken from %system32% directory filenames.
Creates a batch file at "%temp%\[Random_Folder]\[Random_File].bat" to execute and delete itself.
Creates a storage file at %temp%\[Random_Hex].bin to store the stolen data. Stolen data is in cab file format, which is created by executing makecab.exe. The storage file contains the following information:
- Installed Device Drivers - Collected by executing driverquery.exe
- Installed Programs - Collected by executing reg.exe "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
- System Information - Collected by executing systeminfo.exe
- Current running process - Collected by executing tasklist.exe /SVC

Registry Changes

Adds the following registry key to run at startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Dropped_Filename]:
"%appdata%\[Random_Folder]\[Dropped_Filename].exe
HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Vars
HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Files
HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Config

Network Activity

It connects to the following server:

bergesoma[.]com/images/[encryted_data]/[.jpeg|.gif|.bmp]
polinodara[.]com/images/[encryted_data]/[.jpeg|.gif|.bmp]

Where encrypted_data contains the Username, Compute Name, Version of Injected process, System IP address and malware specific configuration details.

Other Behavior

The malware also has the capability to:

Steal email data, which is collected by parsing different email file formats and applications (.wab, .pst)
Intercept the data and web-forms of the following browsers: Chrome, Internet explorer, Thunderbird, Firefox
Check for the presence of a virtual environment by checking the Device Informaton string against "vbox", "qemu", "vmware", "virtual hd"
Detect Phishwall software

Analysis on file: b3764e1a3d0f7d164436d565226800f3c06a58ec

Analysis by: Neeraj Singh