{
	"id": "df19ebcf-e80b-45a8-986b-0aa8bc46ba66",
	"created_at": "2026-04-06T00:06:18.772921Z",
	"updated_at": "2026-04-10T03:21:59.777044Z",
	"deleted_at": null,
	"sha1_hash": "10fdf5c8686b1fbc15374b61fe32052c5d131ed1",
	"title": "URSNIF: The Multifaceted Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66093,
	"plain_text": "URSNIF: The Multifaceted Malware\r\nBy: Trend Micro March 27, 2015 Read time: 2 min (621 words)\r\nPublished: 2015-03-27 · Archived: 2026-04-05 17:11:48 UTC\r\n\r\nThe URSNIF malware family is primarily known for being a data-stealing malware, but it is also known for acquiring a wide variety of behavior. Known URSNIF variants include backdoors (BKDR_URSNIF.SM), spyware (TSPY_URSNIF.YNJ), and file infectors (PE_URSNIF.A-O).\r\n\r\nDecember 2014: Rise in URSNIF infections brought about by file infection routines\r\nIn December 2014 we discussed a rise in URSNIF infections, primarily in North America, which were due to the addition of file infection to URSNIF's routines. The virus inserts the host file into its resource section, instead of carrying out typical file infection routines like patching host files (via inserting malicious code). These variants targeted the following files:\r\n*.PDF (detected as PE_URSNIF.A-O)\r\n*.MSI (detected as PE_URSNIF.A1)\r\n*setup*.exe (detected as PE_URSNIF.A2)\r\n\r\nFebruary 2015: Another URSNIF outbreak seen\r\nThe February outbreak showed that the malware widened its scope and improved its stealth mechanism. These URSNIF variants are detected as PE_URSNIF.B-O and PE_URSNIF.B. The malware uses strings already found in legitimate system files for its properties, such as its file name, folder name, and registry entries. This is done to hide itself alongside other legitimate system files. The file names it uses are a combination of legitimate system file names; for example, the malware will name itself cmdlnsta.exe, a combination of the legitimate file names cmdl32.exe and rwinsta.exe. URSNIF was known to exhibit this behavior before it became a file infector. It also injects its code separately into each target process, perhaps to avoid memory scanners. We also noted that the hardcoded strings in this URSNIF wave are the same ones found in the December variants.\r\n\r\nMarch 2015: URSNIF variants seen infecting more file types\r\nURSNIF variants seen this month (PE_URSNIF.E-O and PE_URSNIF.E) have further widened their scope. This new wave now infects more file types, including Microsoft Office documents, spreadsheets, and presentation files. It uses strings from system files (as the earlier variants did), and uses existing folder names to name the dropped files in order to fool users into running them. This technique was not particularly effective, as it did not hide the original folder. The table below compares the recent URSNIF variants:\r\n\r\n| Characteristic | Pre-file infector | December 2014 | February 2015 | March 2015 |\r\n| Infected files | None | *.PDF, *.MSI, *SETUP*.EXE | *.PDF, *.MSI, *.EXE | *.PDF, *.MSI, *.EXE, *.PPT, *.PPTX, *.DOC, *.DOCX, *.XLS, *.XLSX |\r\n| Name used in removable drive propagation | None | Temp.exe | Temp.exe | {Folder Name}.exe |\r\n| Use random strings for file names? | Yes | No | Yes | Yes |\r\n| Inject routines separately? | No | No | Yes | No |\r\n| Polymorphic? | No | Yes | Yes | Yes |\r\n\r\nURSNIF's known hooking functions\r\nURSNIF is traditionally also known for hooking various executable files in order to monitor browsers. It hooks WS2_32.DLL and KERNEL32.DLL or CHROME.DLL to monitor Google Chrome, NSS3.DLL and NSPR4.DLL to monitor Mozilla Firefox, and WININET.DLL to monitor Internet Explorer. It also monitors other browsers like Opera and Safari. Recent URSNIF variants have significantly modified the exact system APIs that it has been hooking for years. Hooking these APIs allows the malware to perform a wide variety of information theft, such as taking screenshots, by intercepting the data contained in various normal commands. Together with the hooked APIs, this allows for powerful information theft capabilities. The list of hooked APIs, by period, is below.\r\n\r\n2012-2013: InternetReadFile, InternetReadFileExA, InternetReadFileExW, HttpSendRequestA, HttpSendRequestW, HttpOpenRequestA, HttpOpenRequestW, InternetConnectA, InternetConnectW, InternetQueryDataAvailable\r\n\r\n2013-2014: InternetReadFile, InternetReadFileExA, InternetReadFileExW, HttpSendRequestA, HttpSendRequestW, HttpQueryInfoA, HttpQueryInfoW, HttpAddRequestHeadersA, HttpAddRequestHeadersW, InternetConnectA, InternetConnectW, InternetQueryDataAvailable, PR_Read, PR_Write, PR_Close, WSARecv, WSASend, closesocket, LoadLibraryExW\r\n\r\n2014-2015: HttpOpenRequestA, HttpOpenRequestW, HttpSendRequestA, HttpSendRequestW, HttpQueryInfoA, HttpQueryInfoW, InternetReadFile, InternetReadFileExA, InternetReadFileExW, InternetQueryDataAvailable, PR_Read, PR_Write, PR_Close, PR_Poll, PR_Available, LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW, ssl_write, ssl_read, ssl_close\r\n\r\nURSNIF has been constantly evolving in recent months, showing multiple faces of itself and displaying a wide variety of behavior. It shows no clear signs of dying down, which means that the malware will continue to pose risks to users across various segments.\r\n\r\nSource: https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992"
	],
	"report_names": [
		"ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992"
	],
	"threat_actors": [],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10fdf5c8686b1fbc15374b61fe32052c5d131ed1.pdf",
		"text": "https://archive.orkl.eu/10fdf5c8686b1fbc15374b61fe32052c5d131ed1.txt",
		"img": "https://archive.orkl.eu/10fdf5c8686b1fbc15374b61fe32052c5d131ed1.jpg"
	}
}