Ursnif

Ursnif (also known as Gozi or Dreambot) is a banking trojan and spyware family. It steals financial data and user credentials, primarily banking information. Originating in the 2000s, Ursnif has become one of the most persistent and adaptable malware families since its source code was made public, which has allowed attackers to fork it and add new features.

Key Insights

Ursnif is a highly modular malware family that can be adapted to different attack scenarios. Originally a banking trojan, it has since gained information-stealing, remote-access, and data-exfiltration capabilities. Its sophisticated delivery and persistence mechanisms make it one of the top threats in the cybercriminal ecosystem.

Evolution Through Source Code Disclosures

Ursnif’s modularity is one of its hallmarks, made possible by the public availability of its source code. Threat actors have created multiple variants for different campaigns. This has broadened its reach, allowing it to be deployed across various attack vectors, including phishing and exploit kits.

Tactics and Techniques

Ursnif employs advanced techniques to evade security defenses. It is typically delivered through phishing emails, either via macros in Microsoft Office documents or via malicious links. Once executed, it establishes persistence through registry modifications and process injection, maintaining continuous access to the infected system.

Known Variants

Gozi, Dreambot, and Papras are among the known variants of Ursnif. Each variant is modified for different attack scenarios, such as targeting specific banks or employing additional evasion techniques. These variants have prolonged the family’s lifespan and effectiveness.

Mitigation Strategies

  • Install anti-malware and keep software up-to-date.

  • Enable multi-factor authentication.

  • Monitor for suspicious traffic.

  • Educate users to spot phishing emails.

Targeted Industries or Sectors

Ursnif targets the financial sector: banks, payment systems, and their customers. The retail and healthcare industries have also been hit, particularly where they handle financial transactions.

Associated Threat Actors

Ursnif has been linked to Eastern European cybercriminal groups that specialize in financial fraud. No specific group names have been attributed, but it is used by organized crime networks that target high-value financial targets.
