Threat Spotlight: URSNIF Infostealer Malware

Research by Yasmine Ison of the Cylance Threat Guidance Team

URSNIF (Gozi) is a multifaceted malware family with an emphasis on information stealing that has been leveraged to exfiltrate sensitive data from targets, and has been particularly pervasive throughout 2016 and 2017. Since 2007, variants of the malware have been detected in Europe, Japan, and Australia, with more recent outbreaks in the US and UK.

The malware is most often used to target banks, but has also been used to attack email, cloud, commercial, and cryptocurrency trading websites, and is typically propagated by way of phishing campaigns utilizing tainted email attachments. Based on memory analysis, the malware also appears to have the capability to spread to external USB devices and hard drives.

When a URSNIF infection succeeds, the malware fingerprints the system, monitors web browser traffic, and sends the collected data to its command and control (C&C) server. Based on that fingerprint, the server then drops second-stage malware tailored to the targeted system.

File Information

SHA256: 3E840F21F0EAE2F688BA9E8204AEC22985CC69757B928202A8ADEF0885404EA2
Type: Win32 EXE
Size: 233472 bytes
Timestamp: Tue Nov 28, 10:28:50 2017
ITW Names: avicbrkr.exe, adprtext.exe, catsobby.exe, cmdlnsta.exe

Technical Analysis

The payload is packed with a Delphi overlay, which makes it somewhat harder to disassemble and analyze at the binary level. For that reason, this analysis relies on memory analysis alongside some disassembly. The sample analyzed here requires Windows 7 32-bit or later, unlike previous versions of URSNIF that could run on systems as early as Windows XP.
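As an added example (not code from the original post or from Cylance), the script below does the first-pass triage an analyst would run against the File Information block above: it hashes a file against the published SHA256, decodes the COFF compile timestamp in the same format the post uses, and measures the overlay, the bytes appended after the last PE section, which is where the Delphi overlay packing described above lives. Because a live sample cannot be embedded here, the block constructs a tiny one-section PE32 image in memory as its input; that image, the `.text` section contents and the overlay string are all constructed placeholders.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicator taken from the File Information block above.
KNOWN_SHA256 = "3e840f21f0eae2f688ba9e8204aec22985cc69757b928202a8adef0885404ea2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_timestamp(ts: int) -> str:
    """Render a COFF TimeDateStamp (seconds since epoch, UTC) the way the post prints it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d, %H:%M:%S %Y")


def pe_layout(data: bytes) -> dict:
    """Parse just enough of a PE32 header to find where the last section's raw
    data ends. Bytes beyond that point are the overlay, which is where packers
    (such as the Delphi overlay discussed above) and appended payloads live."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    section_table = coff + 20 + opt_size
    end_of_sections = 0
    for i in range(nsections):
        hdr = section_table + i * 40
        # Section header offsets 16 and 20 hold SizeOfRawData and PointerToRawData.
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = max(0, len(data) - end_of_sections)
    return {
        "sections": nsections,
        "timestamp": decode_timestamp(timestamp),
        "end_of_sections": end_of_sections,
        "overlay_size": overlay,
    }


def triage(data: bytes) -> dict:
    """Combine the hash check with the layout parse: a match means this is the
    published sample; an unrelated file with a sizeable overlay still merits a look."""
    info = pe_layout(data)
    info["sha256"] = sha256_hex(data)
    info["matches_known_sample"] = info["sha256"] == KNOWN_SHA256
    info["has_overlay"] = info["overlay_size"] > 0
    return info


def build_sample_pe(section_data: bytes, overlay: bytes, timestamp: int) -> bytes:
    """Construct a tiny one-section PE32 image (not runnable, not real malware)
    so the example works offline. Layout follows the PE format: DOS header with
    e_lfanew, PE signature, 20-byte COFF header, 224-byte optional header, one
    40-byte section header, section data at file offset 0x200, then the overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    raw_ptr = 0x200
    section = (b".text\0\0\0" + struct.pack("<II", len(section_data), 0x1000)
               + struct.pack("<II", len(section_data), raw_ptr) + b"\0" * 16)
    header = dos + b"PE\0\0" + coff + opt + section
    assert len(header) <= raw_ptr
    return header + b"\0" * (raw_ptr - len(header)) + section_data + overlay


# Constructed timestamp equal to the one in the File Information block.
SAMPLE_TIMESTAMP = int(datetime(2017, 11, 28, 10, 28, 50, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    packed = build_sample_pe(b"\x90" * 512, b"DELPHI-OVERLAY-PLACEHOLDER", SAMPLE_TIMESTAMP)
    for key, value in triage(packed).items():
        print(f"{key}: {value}")
```

Run it against a real file by passing `open(path, "rb").read()` to `triage()`. A non-zero `overlay_size` on a Delphi or other packed binary is expected; the useful signal is the combination of a large overlay, a recent compile timestamp and a hash that is not yet on any blocklist, which is what separates a fresh repack from the known sample.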

Here, the malware authors employ a check in the binary for the file C:%filename%.txt: if it exists, the checks for a virtualized environment are skipped. When the file is executed in a Virtual Machine (VM), it (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog