{
	"id": "9574ac33-0699-4f45-8b0e-7e0350795458",
	"created_at": "2026-04-06T00:15:57.325545Z",
	"updated_at": "2026-04-10T03:22:03.71056Z",
	"deleted_at": null,
	"sha1_hash": "ca9c17a99b2744457059bd9d5569445fbc91f36a",
	"title": "New Variant of Ursnif Continuously Targeting Italy | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2697997,
	"plain_text": "New Variant of Ursnif Continuously Targeting Italy | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2021-01-12 · Archived: 2026-04-05 18:34:41 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users in Italy\r\nImpact: Collects Victims’ Information\r\nSeverity level: Critical\r\nUrsnif (also known as Gozi) is identified as a banking Trojan, but its variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.\r\nThe Ursnif Trojan has been observed targeting Italy over the past year. A few days ago, FortiGuard Labs detected a phishing campaign in the wild that spreads a fresh variant of the Ursnif Trojan via an attached MS Word document and is continuously targeting Italy.\r\nAlthough Ursnif is identified as a banking Trojan, its C2 server has been shut down, so this latest variant has been unable to download the malicious banking module it needs to steal banking information from the victim, and it therefore fails to start the second stage of its attack. As a result, in this post I will share my findings around the first stage of this campaign. You will learn what the phishing email looks like, how the MS Word document attached to the email works to download Ursnif, as well as what this variant does on a victim’s device.\r\nUrsnif Phishing Email\r\nFigure 1.1 is a screenshot of the Ursnif phishing email. As you can see, it was written in Italian and masquerades as a payment reminder.\r\nFigure 1.1. Phishing Email and attached MS Word document\r\nI used Google Translate to translate the email content into English:\r\nDear customer,\r\nhttps://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy\r\nPage 1 of 10\n\nA recent accounting audit shows that your invoice number 294316 of 12/10/2020 expired on 12/11/2020. 
As of today, it has not yet been paid by you.\r\nTherefore, please normalize your accounting position as soon as possible. We are also reminding you that this payment can be made by bank transfer using the IBAN indicated in the invoice or by bank check or bank draft.\r\nYou can consult the invoice and the details for the payment through the attached archive.\r\nWe thank you for your attention and we send you kind regards.\r\nAttached to the email is an MS Word document named “residuo_8205843.doc”. The text lures the victim into opening the document to get more details of the invoice.\r\nWord Document Analysis\r\nAs you may have guessed, the Word document contains malicious Macros. Once the victim opens the document in MS Word, it pops up a yellow warning bar to alert the user that the file contains Macros, as shown in Figure 2.1.\r\nFigure 2.1. Opening the attached document in MS Word\r\nOnce the victim clicks the button to enable the Macros, the malicious Macro code is executed in the background. The built-in function “Document_Open()” is automatically called first when the document is opened, as shown in Figure 2.2.\r\nFigure 2.2. Built-in function Document_Open()\r\nI noticed that the attacker creates a hidden UserForm (UserForm1) in the project, and a button’s click event function is invoked from the Document_Open() function.\r\nFigure 2.3. Hidden UserForm\r\nThe main work of the Macro is implemented using this form. In Figure 2.2, we can see that it calls “UserForm1.CommandButton2_Click”, which is the click event handler of the “Process” button shown in Figure 2.3. Calling it from code has the same effect as the victim clicking the “Process” button. 
The other buttons’ click handlers are likewise called directly from code.\r\nThe Macro then downloads a DLL file from the hardcoded URL “longline[.]cyou/p1cture3[.]jpg” (refer to Figure 2.4) and saves it as the file \"C:\\users\\public\\px.dat\". The final step the Macro performs is to run the downloaded DLL using the Windows program “RegSvr32.exe”. Figure 2.4 is a screenshot of the Macro running this DLL.\r\nFigure 2.4. Downloading and running a DLL file from the hardcoded URL\r\nAnalyzing the Downloaded DLL File\r\nLike most other malware, the downloaded DLL file (C:\\users\\public\\px.dat) is protected by a packer. It is started by RegSvr32.exe, and the unpacking code runs first to extract Ursnif into memory. Once that is done, the unpacking code calls Ursnif’s DllEntryPoint() function. Figure 3.1 is a screenshot of the unpacked DllEntryPoint() function.\r\nFigure 3.1. Unpacked DllEntryPoint() function\r\nAccording to my analysis, this function’s main task is to decompress another PE file that is hidden in the “.reloc” section. Next, it loads this PE file into a file mapping by calling the APIs CreateFileMappingW() and MapViewOfFile(), and executes the code in it. This decompressed PE file is the core module of this variant of Ursnif.\r\nFigure 3.2. Call core module’s entry function\r\nIn Figure 3.2, we can see that the malware is about to call the entry function of the core module, which has been loaded at the base address 0x330000.\r\nDecrypting the Configuration Block in the Core Module\r\nUrsnif keeps an encrypted configuration block inside the PE’s “.bss” section to protect its data from easy analysis. So, decrypting the configuration block is the first thing that it needs to do. 
The code snippet responsible for decrypting the configuration block is shown in Figure 4.1, below.\r\nFigure 4.1. Code snippet for decrypting the configuration block\r\nGoing through the decrypted configuration block, we can see that it contains a number of ASCII and Unicode strings, as well as binary data. The values from the configuration block are accessed throughout the core module. Let’s see what it can get from the decrypted configuration block. Following is a partial list of its strings.\r\n\"invalidcert\"\r\n\"overridelink\"\r\n\"%08X-%04X-%04X-%04X-%08X%04X\"\r\n\"StdRegProv\"\r\n\"/images/\"\r\n\"version=%u\u0026soft=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026type=%u\u0026\"\r\n\"name=%s\"\r\n\"Content-Disposition: form-data; name=\"upload_file\"; filename=\"%s\"\"\r\n\"DeleteKey\"\r\n\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)\"\r\n\"soft=%u\u0026version=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026crc=%x\"\r\n\"\u0026uptime=%u\"\r\n\"CreateProcessA\"\r\n\".avi\"\r\n\"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\n\"rundll32 \"%s\",%S\"\r\n\"\u0026ip=%s\"\r\n\"\u0026os=%s\"\r\n\"\u0026tor=1\"\r\n\"\u0026dns=%s\"\r\n\"\u0026whoami=%s\"\r\n\"/C \"copy \"%s\" \"%s\" /y \u0026\u0026 rundll32 \"%s\",%S\"\"\r\n\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\"\r\n\"WScript.Shell\"\r\n\");%S.Run(\"\r\n\"powershell iex ([System.Text.Encoding]::ASCII.GetString((\"\r\n\"IE8RunOnceLastShown_TIMESTAMP\"\r\n\"SOFTWARE\\Microsoft\\Internet Explorer\\\"\r\n…\r\nCollecting Sensitive Information and Sending It to the C2 Server\r\nIn the core module, Ursnif collects sensitive information from the victim’s device, such as the current login Username, Computer Name, System Uptime, 
and so on. These are formatted into the first packet sent to the C2 server. Figure 5.1 shows the ASM code snippet used to obtain the Username and Computer Name.\r\nFigure 5.1. Calling APIs to obtain Username and Computer Name\r\nIt formats all of the collected data into key=value pairs, like the string shown in the memory section of Figure 5.2.\r\nFigure 5.2. Collected data in a formatted string\r\nAmong the key-value pairs, the values of “soft”, “version”, and “crc” are hardcoded. The values of “user”, “server”, and “id” are hash values. “uptime” is how long the device has been running. “dns” is the computer name, and “whoami” is the full user name.\r\nNext, Ursnif encrypts the string and encodes the cipher text with base64. Finally, it transforms the base64 string by replacing specified bytes and randomly inserting “/”. An example looks like this:\r\nkGmre5fgzV/jtkp5rBSbtChvz3cy/avjHTlxQBzmZ/DH4YpgdvFWT/3ZOkljxvOGl5sK/DKS8qy7zKWSwKdmWKVkNW/3iLRdsyjEatQ2kbQ/97eIek93TCOCQKSzO32C/EUgtTKuNa/PDAfPobZLDuYwMNjMJqk/BCloHCcWrST2Oq7lSc7/bX0t3dF5oQwhDoo8O83JoQ/KNQw3uRXGoOK3/bvb2q8PoIH_2/F\r\nIt then adds a prefix string (the domain of the C2 server and “/images/”) and a suffix string (“.avi”) before sending the information to the server.\r\nUrsnif does not send the data directly from its own process. Instead, it uses a COM component, the “IE ActiveX Interface” implemented in the module “IEProxy.dll”, and indirectly calls APIs from this module to communicate with the C2 server. This means the collected data is sent by a newly created “iexplorer.exe” process that is started by the COM component. 
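The beacon construction and URL obfuscation layer described above (key=value string, base64, byte substitution, random “/” insertion, “/images/” prefix and “.avi” suffix), as an added Python example that is not part of the original post. The cipher applied before base64 is not described on the page, so the payload is handled as opaque bytes. The substitution table ('+' to '_2B', '/' to '_2F', '=' to '_2E') is an assumption taken from the wider Gozi/ISFB family; only the '/' to '_2F' case is visible in the page’s own sample (“_2/F”). The beacon field values and the proxy log lines are constructed.

```python
import base64
import random

# Framing of the beacon path as observed on the page: '/images/' + blob + '.avi'.
PATH_PREFIX = '/images/'
PATH_SUFFIX = '.avi'

# ASSUMPTION (Gozi/ISFB family convention, not stated on the page): the 'specified
# bytes' replaced after base64 are the non-URL-safe characters, rewritten as '_2B',
# '_2F' and '_2E'. Only '/' -> '_2F' is visible in the page's sample ('..._2/F').
SUBST = {'+': '_2B', '/': '_2F', '=': '_2E'}


def build_beacon(soft, version, user_words, server, bot_id, crc, uptime, dns, whoami):
    # Key=value string built from the format strings in the decrypted config block:
    # soft/version/crc are hardcoded, user/server/id are hashes, user prints as 4 x %08x.
    user = ''.join('%08x' % w for w in user_words)
    s = 'soft=%u&version=%u&user=%s&server=%u&id=%u&crc=%x' % (
        soft, version, user, server, bot_id, crc)
    s += '&uptime=%u' % uptime
    s += '&dns=%s' % dns
    s += '&whoami=%s' % whoami
    return s


def encode_path(payload, rng=random):
    # The cipher applied before base64 is not described on the page, so `payload`
    # is treated as opaque bytes (the ciphertext, or plaintext for this demo).
    b64 = base64.b64encode(payload).decode('ascii')
    for ch, token in SUBST.items():
        b64 = b64.replace(ch, token)
    out = []
    for i, ch in enumerate(b64):
        out.append(ch)
        # random '/' insertion between characters; it may split a token ('_2/F')
        if i < len(b64) - 1 and rng.random() < 0.15:
            out.append('/')
    return PATH_PREFIX + ''.join(out) + PATH_SUFFIX


def decode_path(path):
    # Reverse of encode_path: check framing, drop every '/', undo the substitution,
    # then strict base64-decode. '_' never occurs in base64, so tokens are unambiguous.
    if not (path.startswith(PATH_PREFIX) and path.endswith(PATH_SUFFIX)):
        raise ValueError('path is not framed as an Ursnif beacon')
    blob = path[len(PATH_PREFIX):-len(PATH_SUFFIX)].replace('/', '')
    for ch, token in SUBST.items():
        blob = blob.replace(token, ch)
    return base64.b64decode(blob, validate=True)  # raises ValueError on bad input


def is_beacon_path(path, min_blob_len=48):
    # Proxy-log heuristic: beacon framing, a blob far longer than a real file name,
    # and clean decoding once the inserted slashes are removed.
    if not (path.startswith(PATH_PREFIX) and path.endswith(PATH_SUFFIX)):
        return False
    blob = path[len(PATH_PREFIX):-len(PATH_SUFFIX)].replace('/', '')
    if len(blob) < min_blob_len:
        return False
    try:
        decode_path(path)
    except ValueError:
        return False
    return True


def scan_proxy_log(lines):
    # Constructed log format for this example: '<client> <method> <host> <path>'.
    hits = []
    for line in lines:
        client, method, host, path = line.split()
        if is_beacon_path(path):
            hits.append((client, host, path))
    return hits


# Constructed sample data (not real telemetry); all values are arbitrary.
DEMO_BEACON = build_beacon(3, 250183, [0x01234567, 0x89abcdef, 0x11223344, 0x55667788],
                           12, 4242, 0x4f2d, 93021, 'WIN10-LAB', 'analyst')
DEMO_PATH = encode_path(DEMO_BEACON.encode('ascii'), random.Random(2021))
SAMPLE_PROXY_LOG = [
    '10.0.0.5 GET cdn.example.test /images/logo.png',
    '10.0.0.5 GET cdn.example.test /images/intro.avi',
    '10.0.0.5 GET gstatistics.co ' + DEMO_PATH,
]

if __name__ == '__main__':
    for client, host, path in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, host, decode_path(path).decode('ascii'))
```

The decoder strips the slashes before undoing the substitution, because an inserted slash can land inside a token, as in the page’s sample ending in “_2/F”. Without the key for the cipher layer the decoder only recovers ciphertext from a real beacon; the value of the heuristic is that a legitimate “/images/…avi” request never survives the slash-stripping and strict base64 check with a blob this long.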
Figure 5.3 provides a detailed overview of the process tree, from which you can observe not only the process “iexplorer.exe”, but also the relationship between the processes mentioned in this blog, such as “WinWord.exe” and “RegSvr32.exe”.\r\nFigure 5.3. Process Tree of calling a COM component\r\nFigure 5.4. Decrypted C2 server domain string\r\nThe domain string of the C2 server comes from a secret data structure that is decrypted from a data block within the “.reloc” section.\r\nIn Figure 5.4, at the bottom of the memory segment, we can see the decrypted secret data structure. The strings starting at offset 0xB0 are the domains “web[.]vortex[.]data[.]Microsoft[.]com”, “ocsp[.]sca1b[.]amazontrust[.]com”, and “gstatistics[.]co”. According to my analysis, only the last one is the real C2 server domain.\r\nFigure 5.5 shows what the final packet sent to the C2 server looks like.\r\nFigure 5.5. Packet sent to the C2 server\r\nIn the next stage, the C2 server would respond to this packet with a module (DLL, EXE, etc.) that Ursnif would execute to perform further malicious actions on the victim’s device. Unfortunately, we did not receive any response because the C2 server had been shut down. I will continue to try to contact the C2 server. If I am finally able to obtain the module file, I will post my analysis of it as well.\r\nFortinet Solution Coverage:\r\nThe Word document attached to the phishing email is detected as “VBA/Ursinf.3412!tr” and the downloaded file is detected as “W32/Ursinf.KB!tr” by the FortiGuard AntiVirus service. 
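Independently of any vendor signature, the delivery chain on the page (WinWord spawning RegSvr32.exe to load a file without a DLL extension from C:\\users\\public, and the downloaded DLL’s SHA256 from the IoC list) can be picked out of process-creation and image-load telemetry. Added Python example, not from the original post or from Fortinet: the event records are constructed using Sysmon field names (EventID 1 ProcessCreate, EventID 7 ImageLoad), and the command-line tokenizer assumes no spaces inside quoted regsvr32 arguments.

```python
BS = chr(92)     # a single backslash, built with chr() so no escape sequences appear below
QUOTE = chr(34)  # a double quote, for the same reason

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
MODULE_EXTS = ('.dll', '.ocx', '.ax')
# SHA256 of the downloaded DLL (px.dat / p1cture3.jpg) from the page's IoC list.
URSNIF_DLL_SHA256 = '90d8648b2aac0c837286a4c042f02064cfbb12f45b3dc6b00b2beccc7fc35422'


def winpath(*parts):
    return BS.join(parts)


PUBLIC_DIR = winpath('c:', 'users', 'public') + BS


def basename(path):
    return path.rsplit(BS, 1)[-1].lower()


def sha256_from_hashes(field):
    # Sysmon 'Hashes' field: 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...' (any subset).
    for part in field.split(','):
        key, _, value = part.partition('=')
        if key.strip().upper() == 'SHA256':
            return value.strip().lower()
    return None


def regsvr32_modules(cmdline):
    # Positional arguments of a regsvr32 command line (switches such as /s /u /n /i:x
    # dropped, surrounding quotes stripped). Assumes no spaces inside quoted paths.
    tokens = [t.strip(QUOTE) for t in cmdline.split() if not t.startswith('/')]
    return tokens[1:]  # tokens[0] is the regsvr32 image itself


def analyse_event(ev):
    # Returns the list of findings for one event; empty list means nothing suspicious.
    findings = []
    image = basename(ev['Image'])
    if ev['EventID'] == 1 and image == 'regsvr32.exe':       # ProcessCreate
        if basename(ev['ParentImage']) in OFFICE_APPS:
            findings.append('office-spawned-regsvr32')
        for mod in regsvr32_modules(ev['CommandLine']):
            low = mod.lower()
            if not low.endswith(MODULE_EXTS):
                findings.append('regsvr32-module-without-dll-extension')
            if low.startswith(PUBLIC_DIR):
                findings.append('regsvr32-module-in-users-public')
    elif ev['EventID'] == 7 and image == 'regsvr32.exe':     # ImageLoad
        if ev['ImageLoaded'].lower().startswith(PUBLIC_DIR):
            findings.append('regsvr32-loaded-module-from-users-public')
        if sha256_from_hashes(ev.get('Hashes', '')) == URSNIF_DLL_SHA256:
            findings.append('known-ursnif-dll-hash')
    return findings


def scan_events(events):
    return {i: analyse_event(ev) for i, ev in enumerate(events)}


# Constructed events in Sysmon field names (not real telemetry).
WINWORD = winpath('C:', 'Program Files', 'Microsoft Office', 'root', 'Office16', 'WINWORD.EXE')
REGSVR32 = winpath('C:', 'Windows', 'System32', 'regsvr32.exe')
PX_DAT = winpath('C:', 'users', 'public', 'px.dat')
SAMPLE_EVENTS = [
    {'EventID': 1, 'ParentImage': WINWORD, 'Image': REGSVR32,
     'CommandLine': 'regsvr32.exe ' + QUOTE + PX_DAT + QUOTE},
    {'EventID': 7, 'Image': REGSVR32, 'ImageLoaded': PX_DAT,
     'Hashes': 'SHA256=' + URSNIF_DLL_SHA256.upper()},
    {'EventID': 1, 'ParentImage': winpath('C:', 'Windows', 'explorer.exe'), 'Image': REGSVR32,
     'CommandLine': 'regsvr32.exe /s ' + winpath('C:', 'Windows', 'System32', 'msxml3.dll')},
    {'EventID': 1, 'ParentImage': WINWORD, 'Image': winpath('C:', 'Windows', 'splwow64.exe'),
     'CommandLine': 'splwow64.exe 12288'},
]

if __name__ == '__main__':
    for idx, findings in scan_events(SAMPLE_EVENTS).items():
        if findings:
            print(idx, ', '.join(findings))
```

The behavioural findings (Office parent, non-DLL module, C:\\users\\public path) survive a change of file hash or URL, whereas the hash match only catches this exact sample; in practice the first three are what to alert on, with the hash as corroboration.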
\r\nThe URL used to download Ursnif (the DLL file) is rated as “Malicious Websites” by the FortiGuard WebFilter service.\r\nThe CDR (Content Disarm \u0026 Reconstruction) feature can also neutralize this threat by removing all malicious Macro code.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient and FortiEDR. The CDR feature is supported by FortiGate and FortiMail.\r\nWe also suggest that our readers go through the free NSE training, NSE 1 – Information Security Awareness, which has a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIoCs:\r\nURLs:\r\nhxxp://longline[.]cyou/p1cture3[.]jpg\r\nhxxps://gstatistics[.]co/\r\nSample SHA256:\r\nresiduo_8205843.doc:\r\nE9732CDCA1B2503E02E8FEA9A4C68EDA940E10890E1C5ABE2CEB2290FE39C3DB\r\nDownloaded DLL file (px.dat or p1cture3.jpg):\r\n90D8648B2AAC0C837286A4C042F02064CFBB12F45B3DC6B00B2BECCC7FC35422\r\nLearn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training program, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy"
	],
	"report_names": [
		"new-variant-of-ursnif-continuously-targeting-italy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca9c17a99b2744457059bd9d5569445fbc91f36a.pdf",
		"text": "https://archive.orkl.eu/ca9c17a99b2744457059bd9d5569445fbc91f36a.txt",
		"img": "https://archive.orkl.eu/ca9c17a99b2744457059bd9d5569445fbc91f36a.jpg"
	}
}