{
	"id": "6aa6171b-94f7-450c-b2d1-8a0969970d01",
	"created_at": "2026-04-06T00:11:28.29645Z",
	"updated_at": "2026-04-10T03:21:49.645683Z",
	"deleted_at": null,
	"sha1_hash": "1707b6a2192e793817a38a903992f908c8a8bbaa",
	"title": "Ursnif Malware Banks on News Events for Phishing Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1890671,
	"plain_text": "Ursnif Malware Banks on News Events for Phishing Attacks\r\nBy Amit Gadhave\r\nPublished: 2022-05-09 · Archived: 2026-04-05 16:24:14 UTC\r\nUrsnif (aka Gozi, Dreambot, ISFB) is one of the most widespread banking trojans and has been observed evolving over the past few years. Ursnif has shown incredible theft capabilities. In 2020 Ursnif rose to prominence, becoming one of the top ten most prolific pieces of malware. Among its core functionalities are stealing credentials, downloading other malware, and working as a keylogger.\r\nUrsnif is mostly spread through spear phishing emails. Its attacks are often targeted at banking, financial services, and government agencies. In phishing emails, it tries to impersonate government authorities and leverage current events in the news to gain user trust, which leads to initial access to the victim’s system. Once the user opens the malicious attachment, the trojan uses User-Agent strings that imitate Zoom and Webex in a further effort to blend in and allow for exploitation. This behavior was observed during the peak of the pandemic.\r\nTechnical Analysis of Ursnif Malware\r\nInfection Chain\r\nIn our analysis, phishing emails with a macro-embedded XLS attachment or a zip attachment containing an HTA file initiated the infection chain, as pictured below.\r\nFig. 1 Infection chain\r\nInfection Scenario 1: XLS Document Analysis\r\nA malicious XLS document (fig. 2) pretends to be a document related to DHL, the shipping company. It contains VBA macro code to download a binary file from the URL embedded in the document. Once the user enables macro content, the macro is executed, which in turn downloads the executable binary.\r\nFig. 2 Malicious XLS document\r\nAfter downloading the binary file, the macro retrieves the handle of the explorer.exe process and calls UpdateProcThreadAttribute to perform parent PID spoofing (fig. 3).\r\nFig. 3 VBA macro code performing PPID spoofing\r\nThe parent process of the dropped executable (1440.exe) is spoofed to explorer.exe to evade detection (fig. 4).\r\nFig. 4 PPID spoofing\r\nInfection Scenario 2: HTA Document Analysis\r\nIn another infection scenario, we observed that the phishing email is sent with a zip attachment containing an HTA file. After de-obfuscating several layers, a PowerShell script downloads a DLL file from an embedded URL and executes it using rundll32.exe. The extension used for the remote DLL is .txt, a feasible way to evade the watchful eyes of most security products.\r\nBelow, figure 5 shows several obfuscation layers in the HTA sample:\r\nFig. 5 HTA document analysis\r\nTechnical Analysis of Ursnif Loader\r\nThe Ursnif loader contains several layers of in-memory unpacking routines, as observed in malware families like ZLoader, Emotet, and others. It rewrites the in-memory image with a new unpacked binary that uses the thread APC injection technique to execute malicious code in another thread of the current process. Once control is passed to the final loader, it decrypts the BSS section.\r\nThe BSS section contains important configuration details in encrypted form, such as library and API names, string formats for sending data to Command & Control (CnC), registry entries, bat command formats, PowerShell command formats, HTA application format, etc. These configuration details are required for performing further activities. Below, figures 7 and 8 reveal that the malware uses the campaign date as the key to decrypt the BSS section.\r\nFig. 6 BSS section decryption routine\r\nFig. 7 Decrypted BSS section content\r\nUrsnif parses the configuration details through the JJ structure present in the PE (Portable Executable) header (fig. 9). The JJ structure contains the config blob address, the config size, the CRC hash of the decoded config, and the XOR key used to decode the config blob.\r\nFig. 8 JJ header of loader\r\nBelow, figure 10 reveals the configuration details present in the blob.\r\nFig. 9 Configuration blob of loader\r\nThe malware process iterates through the CnC list and uses these configuration details to generate an HTTP GET request to the CnC, as shown in figure 10. It collects some information from the host machine, like computer name, username, uptime, and CRC.\r\nFig. 10 HTTP GET request\r\nBelow are the parameters which are encrypted in the GET request:\r\nsoft, version, user, server, id, crc, uptime, size, hash, dns, whoami\r\nParameters like soft and version are hardcoded in the binary. Here, the version might specify the malware binary version.\r\nThe user parameter is generated using the username, the computer name, and the result of the CPUID instruction. It may be used by the threat actor to uniquely refer to an execution instance.\r\nThe server and id values are taken from the extracted config.\r\nThe uptime parameter is the result of the QueryPerformanceCounter API.\r\nFurther, it encrypts the HTTP request (AES-CBC mode) using a 128-bit key present in the extracted config and performs BASE64 encoding. It then applies transformations such as replacing + and / with _2B and _2F respectively and inserting / at random locations.\r\nFigure 11 shows a typical encrypted HTTP GET request.\r\nFig. 11 Encrypted request\r\nIf the CnC is active, it responds with encrypted data in BASE64 encoded form. In recent versions (2.60.xxx), we observed that sometimes the data is not base64 encoded. Below, figure 12 shows a typical response from the server:\r\nFig. 12 Encrypted response\r\nUrsnif first decodes the base64 string and then decrypts the last 0x80 bytes using an RSA key embedded in the config. Below, figure 13 reveals the RSA key present in the config.\r\nFig. 13 RSA key present in the sample\r\nFig. 14 Implementation of the RSA decryption logic\r\nThe last 0x80 bytes hold the information required to decrypt the full response, such as an MD5 hash of the decrypted data, the key to decrypt the data, and the size of the data to decrypt (fig. 15).\r\nFig. 15 Last 0x80 bytes of response\r\nOnce the full response is decrypted (AES-CBC mode) using the key received, it validates the decrypted data by checking the MD5 hash. Ursnif can take different actions based on the response received. In our analysis, we observed that the decrypted data is the final payload of Ursnif.\r\nTechnical Analysis of Ursnif Payload\r\nIn our analysis, we saw that the final payload is a keylogger. Once control is transferred to the payload, it connects to the CnC address extracted from its config and downloads an RSA-encrypted browser account grabber module.\r\nAfter decryption, it collects sensitive information from the Chrome, Firefox, and Microsoft Edge browsers, like credentials, cookies, etc., via this grabber module, compresses it, and AES (Advanced Encryption Standard) encrypts it using the key from the config. It then sends this information to the attacker’s CnC via an HTTP POST request (figs. 16, 17). While sending information, it uses the following different values for the POST parameter type to differentiate the kind of information it is sending. Some values include:\r\nType=6 – System info\r\nType=15 – Key logged data, clipboard etc.\r\nType=20 – Saved browser credentials\r\nType=22 – Cookies\r\nFig. 16 Sending credentials\r\nFig. 17 Sending cookies\r\nUrsnif also collects and sends the following sensitive system information:\r\n1. Output of the systeminfo command\r\n2. List of processes – tasklist /svc\r\n3. List of installed drivers – driverquery\r\n4. Registry query information (details of installed applications) – reg query HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\n5. Output of net config workstation\r\nUrsnif then starts capturing keylogging and clipboard events on the system and sends them to the attacker’s CnC at regular intervals. All the data it sends is first compressed and then AES encrypted using the key present in the config.\r\nBased on Ursnif’s code, the malware also has the capability to download and execute binaries and to upload files and screenshots from the victim’s system.\r\nBased on our analysis, one thing is clear: Ursnif is bad news.\r\nIOCs:\r\nDomains: listed in the source article linked below.\r\nHashes (XLS document, HTA document, loader, payload, browser account grabber): listed in the source article linked below.\r\nUrsnif MITRE ATT&CK TTP Map:\r\nInitial Access: Phishing: Spearphishing Attachment (T1566.001)\r\nExecution: User Execution (T1204.002); Command and Scripting Interpreter: Visual Basic (T1059.005); Command and Scripting Interpreter: PowerShell (T1059.001); Windows Management Instrumentation (T1047)\r\nPersistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001); Create or Modify System Process: Windows Service (T1543.003)\r\nPrivilege Escalation: Process Injection: Asynchronous Procedure Call (T1055.004)\r\nDefense Evasion: Parent PID Spoofing (T1134.004); Obfuscated Files or Information (T1027); Process Injection: Asynchronous Procedure Call (T1055.004); System Binary Proxy Execution: Regsvr32 (T1218.010); System Binary Proxy Execution: Rundll32 (T1218.011)\r\nCredential Access: Credentials from Password Stores: Credentials from Web Browsers (T1555.003); Input Capture: Keylogging (T1056.001); Input Capture: GUI Input Capture (T1056.002); Steal Web Session Cookie (T1539)\r\nDiscovery: Application Window Discovery (T1010); Process Discovery (T1057); Query Registry (T1012); System Information Discovery (T1082); System Service Discovery (T1007)\r\nCollection: Clipboard Data (T1115); Input Capture: Keylogging (T1056.001); Input Capture: GUI Input Capture (T1056.002); Data from Configuration Repository: Network Device Configuration Dump (T1602.002)\r\nCommand and Control: Application Layer Protocol: Web Protocols (T107…); Ingress Tool Transfer (T110…)\r\nDetection, Mitigation or Additional Important Safety Measures\r\nBeware of emails\r\nDon’t open attachments and links from unsolicited emails. Delete suspicious-looking emails you receive from unknown sources, especially if they contain links or attachments. Cybercriminals use ‘social engineering’ techniques to lure users into opening attachments or clicking on links that lead to infected websites.\r\nDisable macros for Microsoft Office\r\nDon’t enable macros in document attachments received via email. A lot of malware infections rely on your action to turn ON macros.\r\nConsider installing Microsoft Office Viewers. These viewer applications let you see what documents look like without even opening them in Word or Excel. More importantly, the viewer software doesn’t support macros at all, so this reduces the risk of enabling macros unintentionally.\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks"
	],
	"report_names": [
		"ursnif-malware-banks-on-news-events-for-phishing-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1707b6a2192e793817a38a903992f908c8a8bbaa.pdf",
		"text": "https://archive.orkl.eu/1707b6a2192e793817a38a903992f908c8a8bbaa.txt",
		"img": "https://archive.orkl.eu/1707b6a2192e793817a38a903992f908c8a8bbaa.jpg"
	}
}