Cylance vs. URSNIF Infostealer Malware

Background

URSNIF is an information stealing malware with a wide range of malicious abilities. The threat first attracted notice in 2007 while delivering the Gozi trojan via infected PDF email attachments. URSNIF made a resurgence in 2016 and 2017, becoming the most active malware to hit the financial sector. Initially aimed at financial institutions in English-speaking nations, URSNIF spread to Japan and Eastern Europe after its code was leaked in 2010.

URSNIF primarily targets banks but has been used to steal user credentials for email, private cloud access, e-commerce sites, and cryptocurrency trading. The malware still relies on phishing emails with infected attachments to deliver its payload. Memory analysis suggests URSNIF can infect USB storage devices.

URSNIF Analyzed

Cylance Threat Research recently analyzed URSNIF to identify changes in the newest variant. One early discovery was an update to the OS requirement: classic URSNIF could execute on Windows XP, while our sample requires Windows 7 (32-bit) or newer. Another difference is that URSNIF checks for C:%filename%.txt; if that file is found, the malware skips its remaining checks for a virtual environment.

To achieve persistence on a system, the malware creates two registry keys. It employs API hooks which allow it to collect email credentials, webcam footage, image files, audio files, and screen captures. Our test version of the malware also monitored browsers by hooking the following files:

BROWSER                      HOOKED FILES
Google Chrome                WS2_32.DLL, KERNEL32.DLL and CHROME.DLL
Mozilla Firefox              NSS3.DLL and NSPR4.DLL
Microsoft Internet Explorer  (Read more...)
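The browser hooking described above is what a memory-forensics hook check looks for: an exported function in WS2_32.DLL or NSPR4.DLL whose first instruction jumps to memory that no loaded module backs. The following Python is an added illustration, not Cylance's code or analysis output; the module bases, export addresses and the unbacked region at 0x02C00000 are constructed sample data for a 32-bit browser process.

```python
import struct
from dataclasses import dataclass

@dataclass
class Module:
    """A loaded module in the examined process (constructed sample values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def jump_target(prologue: bytes, func_addr: int):
    """If the function starts with an x86 JMP rel32 (opcode E9), return the
    absolute target; otherwise None. Inline hooks typically start this way."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    return None

def find_hooks(modules, exports):
    """exports: (module, function, address, first bytes). Flag every export
    whose first instruction jumps to memory no loaded module backs, which is
    how an injected hook trampoline differs from a legitimate intra-module jump."""
    hooked = []
    for mod_name, func, addr, prologue in exports:
        target = jump_target(prologue, addr)
        if target is not None and not any(m.contains(target) for m in modules):
            hooked.append((mod_name, func, hex(target)))
    return hooked

def rel32_jmp(src: int, dst: int) -> bytes:
    """Encode JMP rel32 from src to dst (used only to build the sample data)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))

# Constructed 32-bit sample: a browser process with two of the DLLs the table
# names loaded, plus an unbacked region at 0x02C00000 holding hook code.
MODULES = [
    Module("WS2_32.DLL", 0x74E40000, 0x00040000),
    Module("NSS3.DLL", 0x61000000, 0x00200000),
    Module("NSPR4.DLL", 0x61400000, 0x00040000),
]
EXPORTS = [
    ("WS2_32.DLL", "send", 0x74E45120, rel32_jmp(0x74E45120, 0x02C01000)),     # hooked
    ("WS2_32.DLL", "recv", 0x74E45260, b"\x8b\xff\x55\x8b\xec"),              # clean prologue
    ("NSPR4.DLL", "PR_Write", 0x61405000, rel32_jmp(0x61405000, 0x61406000)),  # intra-module jump
    ("NSPR4.DLL", "PR_Read", 0x61405300, rel32_jmp(0x61405300, 0x02C01200)),   # hooked
]

if __name__ == "__main__":
    for mod, func, target in find_hooks(MODULES, EXPORTS):
        print(f"{mod}!{func}: first instruction jumps to unbacked {target}")
```

On a live system the same comparison is done against a process's real module list and the first bytes of each export read from its memory; the heuristic only catches jump-style inline hooks, not IAT patching.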

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog