{
	"id": "b939e669-015c-47bb-be91-c64737303541",
	"created_at": "2026-04-06T00:09:20.663393Z",
	"updated_at": "2026-04-10T03:20:35.109114Z",
	"deleted_at": null,
	"sha1_hash": "0bd4a9228cd337cb58009542579f59d96b046e81",
	"title": "Ursnif Variant Dreambot Adds Tor Functionality | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1013024,
	"plain_text": "Ursnif Variant Dreambot Adds Tor Functionality | Proofpoint US\r\nBy Proofpoint Staff, August 25, 2016\r\nPublished: 2016-08-29 · Archived: 2026-04-05 12:45:31 UTC\r\nIntroduction\r\nOne of the most active banking Trojans that we have observed recently in email and exploit kits is one often referred to as Ursnif or Gozi ISFB [5]. Thanks to Frank Ruiz from FoxIT InTELL, we know that the actor developing one of its variants since 2014 has named this variant Dreambot. The Dreambot malware is actively evolving, and recent samples in particular caught our attention for their addition of Tor communication capability, as well as peer-to-peer (P2P) functionality. Dreambot is currently spreading via numerous exploit kits as well as through email attachments and links.\r\nIt should be noted that while Dreambot is one of the most active and prevalent Ursnif variants, there are other active forks including “IAP”. The Gozi ISFB source has been leaked, making way for additional development efforts.\r\nAnalysis\r\nThe Dreambot malware is still in active development, and over the last few months we have seen multiple versions of it spreading in the wild. The Tor-enabled version of Dreambot has been active since at least July 2016, when we first observed the malware successfully download the Tor client and connect to the Tor network. Today, many Dreambot samples include this functionality, but few use it as their primary mode of communication with their command and control (C\u0026C) infrastructure. However, in the future this feature may be used much more frequently, creating additional problems for defenders.\r\nFor this analysis, we looked at version 2.14.845, which has a configuration that differs from the other Dreambot versions in that the domain generation algorithm (DGA) is not used; therefore, the DGA variables and parameters are missing. 
The following is an example of decrypted configuration data with sections of interest highlighted in red.\r\nFigure 1: Decrypted configuration data used by Dreambot\r\nThere are three types of URLs present in the decrypted configuration. The first type of URL listed in the configuration data is used for plain HTTP (that is, non-Tor) communication with C\u0026C servers. The bot reports to the C\u0026C server using the typical request pattern; for example, the initial check-in to the C\u0026C server is in the form: cfg_url + “/images/” + encoded_data + (.jpeg|.gif|.bmp).\r\nThe second type of URL that appears in the configuration data (highlighted in the red box in Fig. 1) consists of the .onion C\u0026C addresses. They are the default choice for the bot and work in the same way the plain HTTP C\u0026C servers do, except that all communication is encrypted and tunneled over Tor.\r\nThe third set of URLs is used to download the Tor client. We believe the client is decrypted using the configuration Serpent key [6]. When the Tor client is retrieved, the bot creates a registry key named “TorClient” in a registry subfolder to store its data. This subfolder is located in HKCU\\Software\\AppDataLow\\Software\\Microsoft\\{random guid}. This key contains the path to the client, which is dropped in the %TMP% folder with a filename matching the pattern [A-F0-9]{4}.bin.\r\nFigure 2: TorClient registry key\r\nhttps://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality\r\nPage 1 of 11\r\nThe registry key value is easy to decrypt, as the XOR-based algorithm [7] is reused in much of the code (e.g., for decryption of the strings in the .bss section). The 4-byte key is generated at runtime from the TOKEN_USER value XORed with 0xE8FA7DD7.\r\nFor the two types of HTTP POST requests (Tor and non-Tor), the code checks the Tor flag in the configuration (here at eax+10). 
If this flag is set, Dreambot sends both the C\u0026C check-ins and the data upload requests over Tor.\r\nFigure 3: Configuration flags for communicating via Tor\r\nIn addition to Dreambot with Tor functionality, we have observed P2P-enabled versions (e.g., version 2.15.798) that have been around considerably longer. Spread alongside the other variants, this version uses the usual DGA or hard-coded addresses as well as what appears to be a peer-to-peer protocol to communicate. This functionality needs an additional IP address in the configuration that delivers the node list. The protocol operates over TCP and UDP and uses a custom packet format. Due to the addition of this functionality, the client code surface is almost twice as large as that of the Tor version. We are still investigating the functionality and will not go into deeper detail at this time.\r\nExploit Kit Campaigns\r\nOne early interesting example of Dreambot delivery came from an instance of the Niteris exploit kit. Several months after that, we spotted the same redirection chain, but instead leading to an undocumented 2-step Flash Nuclear Pack. This particular Nuclear Pack behaved similarly to Spartan EK from the same coder, in which an initial Flash payload acted as a filter before sending the exploit and payload to end users. GooNky and AdGholas actors also commonly used Angler EK to deliver Dreambot while Angler was still highly active. 
Figures 4-7 show these infection chains.\r\nFigure 4: 09-11-2015 - Compromised AdAgency with high volume traffic chain to Niteris [4]\r\nFigure 5: 02-03-2016 - Same redirection chain but instead redirecting to an undocumented 2-step Flash Nuclear Pack [5]\r\nFigure 6: 04-11-2016 - Malvertising run by GooNky in Switzerland\r\nFigure 7: 05-10-2016 - Malvertising run by AdGholas in Switzerland\r\nFigure 8 shows Dreambot delivery in a Japan-focused malvertising campaign using Neutrino EK, while Figure 9 shows a recent sample of Dreambot as a secondary payload via the EITest chain and the Smokebot Trojan. In the latter example, we can see this instance of Dreambot is using Tor to connect to C\u0026C infrastructure.\r\nFigure 8: 07-09-2016 - Japan-focused malvertising based on the redirector’s domain\r\nFigure 9: 08-15-2016 - EITest infection chain into Smokebot loading an instance of Dreambot using Tor to connect to C\u0026C\r\nEmail Campaigns\r\nDreambot has been actively distributed via email in 2016. We have noted campaigns targeting various regions including Australia, Italy, Switzerland, the United Kingdom, the United States, Poland, and Canada. These campaigns have ranged from thousands to hundreds of thousands of malicious email messages. We show a few examples of these campaigns using links or document attachments leading to the installation of Dreambot.\r\nIn the first example, the actor used a lure claiming the recipient had been subpoenaed by the Federal Court of Australia. If the user were to follow the link, they would be greeted by a web page purporting to be the official court site. 
If the user then followed the instructions, they would be led to a download of a zipped JavaScript file that, when executed, led to a Dreambot download.\r\nFigure 10: 07-08-2016 - Message used to distribute Dreambot in Australia\r\nFigure 11: 07-08-2016 - Fake court website leading to the download of Dreambot\r\nIn the next example, users in Australia were targeted with an email pretending to be associated with Microsoft and Office 365. The link in the email led directly to a zipped JavaScript downloader hosted on Microsoft SharePoint; opening the file would install Dreambot. (Proofpoint researchers notified Microsoft about the hosted malware.)\r\nFigure 12: 08-11-2016 - Message used to distribute Dreambot in Australia via Microsoft SharePoint\r\nIn the following example, users in the United States received messages with attachments purporting to contain a record of a payment. The Microsoft Word document attachment contained malicious macros that, if enabled, downloaded Dreambot.\r\nFigure 13: 06-08-2016 - Message used to distribute Dreambot in the United States\r\nFigure 14: 07-08-2016 - Microsoft Word attachment with malicious macros used to deliver Dreambot in the United States\r\nIn the next campaign, users in Switzerland received personalized messages in German containing their name and company name, claiming to attach an invoice for an order. 
The Microsoft Word attachment contained macros that, if enabled, would download Dreambot.\r\nFigure 15: 08-10-2016 - Message distributing Dreambot in Switzerland\r\nFigure 16: 08-10-2016 - Microsoft Word attachment used to deliver Dreambot in Switzerland\r\nIn another example, users in Poland were sent a personalized message using their name with a fake invoice document attachment for one of their purchases. The Microsoft Word attachments contained macros that, if enabled, would download Dreambot.\r\nFigure 17: 06-22-2016 - Message used to distribute Dreambot in Poland\r\nFigure 18: 06-22-2016 - Microsoft Word attachment used to distribute Dreambot in Poland\r\nConclusion\r\nDreambot is one of the most active banking Trojans we have seen recently, with distribution vectors across a variety of exploit kits and both malicious document attachment and URL-based email campaigns. Often referred to as Ursnif and Gozi ISFB, Dreambot is being distributed in countries around the world and is under active development. In particular, we have observed samples with C\u0026C communications enabled over both Tor and P2P. For Tor-enabled versions in particular, Dreambot activity on infected machines can be especially hard to detect at the network level, creating new challenges for defenders and IT organizations alike.\r\nWe will continue to monitor Dreambot and its growing list of capabilities as the banking Trojan landscape evolves.\r\nReferences\r\n1. https://fidelissecurity.com/threatgeek/archive/new-ursnif-variant-targeting-italy-and-us/\r\n2. 
https://www.govcert.admin.ch/blog/13/swiss-advertising-network-compromised-and-distributing-a-trojan\r\n3. https://securityblog.switch.ch/2016/02/10/attack-of-the-killer-ads/\r\n4. http://malware.dontneedcoffee.com/2014/06/cottoncastle.html\r\n5. https://securityintelligence.com/gozi-goes-to-bulgaria-is-cybercrime-heading-to-less-chartered-territory/#.VdQEtfnddi8\r\n6. https://en.wikipedia.org/wiki/Serpent_(cipher)\r\n7. https://en.wikipedia.org/wiki/XOR_cipher\r\nIndicators of Compromise (IOCs)\r\nPayloads delivered by Exploit Kits:\r\nHash | Date | Description | Vector\r\na14d9ad2b03dd5f6360139f2772a303066ed292c51b0777cbece7b92d4a9e62c | 2015-09-11 | Dreambot | Chain of Compromise to Niteris\r\n1448a395e741a419e5e7abb3f3bc2e6c46588823f093c93c695fffe0a69c17ee | 2016-04-11 | Dreambot | GooNky Malvert into Angler\r\ne06b753aa98e1b8fdc7c8ee1cbd07f5d46b2bbf88ebc8d450c8f24c6e79520a4 | 2016-05-10 | Dreambot | AdGholas Malvertising into Angler\r\nbd3c470fc6999212373c2c31b08d9944d4bee3baf79bd75a233743ad64845481 | 2016-05-10 | Dreambot | EITest chain into Angler\r\n54405a8cfa557b33e5a1e0c5b69433fce900c96a34496949da501c844b0e7919 | 2016-06-03 | Dreambot (P2P) | \r\n1dca7b73070679b796a2318c6e11ed0bb65bf66e5cc782b475bb43d735915e6c | 2016-06-03 | Dreambot | EITest chain into Angler\r\n0d6014f1d2487230c3bb38f31d2742577f84fd2f2e0d97be5fb9cf28b7ab6de9 | 2016-07-09 | Dreambot | Malvertising to Neutrino\r\nf70a7b04a475c7140049ec586eb3f7c7a3480ddaac53c15db4905915e9dea52b | 2016-07-20 | Dreambot | EITest chain into Neutrino\r\n8664c68d5c1ef72f32485c61704ce4fb350c95952a17908908a420443b411414 | 2016-07-20 | Dreambot | Undocumented actor into Neutrino\r\nc25b56c5ea2d0af3cf6057f974f1c3a06845ab41f61c8895aaaad55aafaeed7e | 2016-08-12 | Dreambot | Undocumented actor into RIG\r\n
04ea4e0417f1f49bc349efe7ee07c0bdf145a98dd7358610f598395246b4c433 | 2016-08-15 | Dreambot | Undocumented actor into RIG\r\n54405a8cfa557b33e5a1e0c5b69433fce900c96a34496949da501c844b0e7919 | 2016-08-15 | Dreambot | EITest chain into RIG\r\n8aa2442fb7a489d0c7f50a2220e0fd4ead270ff812edc3721a49eec5784a1ad6 | 2016-08-15 | Dreambot (Tor) | EITest chain into RIG into Smokebot\r\n446a639371b060de0b4edaa8789f101eaeae9388b6389b4c852cd8323ec6757c | 2016-08-15 | Smokebot | EITest chain into RIG\r\n396bd75514ab92e007917c1d136f1993466c0913a532af58386ccb99d5f60ef3 | 2016-08-24 | IAP | Malvertising into RIG\r\nPayloads delivered by Email:\r\nHash/Link\r\n0edde27c90bbb55d80b89a2ce0baa21feb69a1420dbb1a15059b6bdfde994fde\r\n[hxxp://easypagemachine[.]com/kshf[.]jpg]\r\n2720d7cc899337adf5f021eeddb313f4317fc46f9c6e83bde9f47458b2d955e7\r\n6e0da9199f10ff5bd6d2f4e5309cde2332d534cbb3364e15cb0f7873455e0eb5\r\n[hxxp://safiidesign[.]com/winword[.]bin]\r\n7e0bf604d3ab673a519feb5d5375f0f88cf46e7cd1d3aa301b1b9fb722e9cef7\r\n[hxxp://pechat-suveniri[.]com/mam5pcan8wynct/hwd7popy[.]php]\r\n0195bf393584b203334c4ca3934e72e388e8e579cde35fa8db892d2ee306dc16\r\n[hxxp://ue-craft[.]ru/1ryvq8owo/rukdl1[.]exe]\r\n
84bc2608707859a0643be642128b351757dc1f43f5b0a88b5448764dfc23487d\r\nb6d6fc672f8b45eed0e88601dea2390e7d0dc01e63840ab840613dd3d6939ad7\r\n[hxxp://one99two[.]com/cgi/office16[.]bin]\r\n85f68545c6d98dd6a6a00859ec136d8a8fd06c20ce189e39ce78f6685da40d4e\r\n[hxxps://searchfinancial-my[.]sharepoint[.]com/personal/tariq_searchfinancial_com_au/_layouts/15/guestaccess[.]aspx?guestaccesstoken=4GPoi4OBx0cZ%2bhMi6vHvpfR1vqc9vmqwU6WuwK6%2b7U8%3d\u0026docid=0ec6abef70a134e70978ed191c8364229\u0026rev=1]\r\n414b3cbc230768d9930e069cb0b73173fe9951e82486f0d6524addf49052d5ad\r\n[hxxp://www[.]wizardwebhosting[.]com/css/header[.]css]\r\n3cde892a8faddd4aaf90e8455698719516ab96ea6d116af21353c08375d457b9\r\nSelect ET Signatures that would fire on such traffic:\r\n2021813 || ET TROJAN Ursnif Variant CnC Beacon\r\n2021829 || ET TROJAN Ursnif Variant CnC Beacon 4\r\n2022970 || ET TROJAN Ursnif Variant CnC Beacon 6\r\n2018789 || ET POLICY TLS possible TOR SSL traffic\r\nMultiple || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group **\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
	],
	"report_names": [
		"ursnif-variant-dreambot-adds-tor-functionality"
	],
	"threat_actors": [],
	"ts_created_at": 1775434160,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0bd4a9228cd337cb58009542579f59d96b046e81.pdf",
		"text": "https://archive.orkl.eu/0bd4a9228cd337cb58009542579f59d96b046e81.txt",
		"img": "https://archive.orkl.eu/0bd4a9228cd337cb58009542579f59d96b046e81.jpg"
	}
}