{"id":2110,"date":"2024-09-25T11:35:49","date_gmt":"2024-09-25T11:35:49","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2110"},"modified":"2025-07-29T03:20:05","modified_gmt":"2025-07-29T03:20:05","slug":"analysis-of-isfb-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-isfb-campaign\/","title":{"rendered":"Analysis of ISFB Campaign"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Introduction<\/strong><\/h2>\n\n\n\n

ISFB (URSnif, also known as Gozi), is one of the most widely spread banking trojans \u2013 it is aimed to steal the banking credentials and commonly targeting the corporate users. The malware was among the Top 10 malicious strains to infect the healthcare industry. ISFB\/Ursnif has undergone several development iterations since its source code was leaked in 2015\/16.<\/p>\n\n\n\n

Other Names:<\/strong> RM3, Ursnif, Dreambot, CRM, and Snifula, Gozi can be considered as a group of malware families which are based on the same malicious codebase. Historically, it has been known as one of the most widely spread and longest-standing Banking Trojans with more than 14 years of malicious activity.<\/p>\n\n\n\n

Target:<\/strong> Financial Institutions, Stock Exchanges, and Healthcare Industry.<\/p>\n\n\n\n

Infection Chain:<\/strong><\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n

In our current example, ISFB threat actor attacks the victim machine by initial infection vector of spam campaign with attachment (EML). It contains a Microsoft Office document (MS Excel) document with VBA macro enabled content. The threat actor has tricks the user to enable the macros to perform their action. Once the user enables the content, the malware will connect with its C2 server to perform the defined actions for an objective.<\/p>\n\n\n\n

Sample Information<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Phishing Email Content<\/strong>s<\/p>\n\n\n\n

Sample 1: <\/strong>Campaign: ISFB or Gozi  | Category: Banking Trojan<\/p>\n\n\n\n

This time, the malware author sent many EML phishing content with same attachment file.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Sample 2:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Technical Analysis of XLSM attachment:
<\/strong>XLSM: b527de9bd7fb3abab3fc4b0cd95c46ebe2524b660cb6a970042272ae07a2689e<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

File Metadata \/ Properties:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Why are malware authors still using .XLSM infection?<\/strong><\/p>\n\n\n\n

XLSM files are spreadsheet files that support macros. A macro is a set of instructions that performs a record of steps repeatedly. XLSM files are based upon Open XLM formats that were introduced in Microsoft Office 2007. The malware authors are inserting the malicious VBA macros in the e-mail attachment files. Most of the time, macros will be in protected mode preventing regular users from viewing the code in clear text. In this sample as well, the VBA macro codes are protected mode with passcodes.<\/p>\n\n\n\n

Enable-Editing<\/strong>:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Enabled Content:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once executed, the following actions will be performed by Gozi \/ URSnif malware;<\/strong><\/p>\n\n\n\n

    \n
  • Once the user opens the attached document and enables a malicious macro which will trigger the download of a dynamic link library from a remote server.<\/li>\n\n\n\n
  • The downloaded .DLL file will be executed via RegSvr32.exe and unpack the core Gozi loader into memory, which is designed to manage all the interactions with the infected machine. (For Example: It checks the download\/launch additional modules, and system update configuration)<\/li>\n\n\n\n
  • Gozi uses Internet Explorer (IE) COM objects to communicate with its C&C server and it creates a running instance through the CoCreateInstance() API.<\/li>\n\n\n\n
  • Mainly it checks for the few conditions to satisfy:
    (a) The IP address must be located in Italy; and not be blacklisted (geofencing),
    (b) The DLL must not have already been downloaded to create new infection.<\/li>\n<\/ul>\n\n\n\n

    Based on the sample observed, we found the following API calls,<\/strong><\/p>\n\n\n\n

    Windows native API calls that give us an idea of the malware\u2019s capability, described in the attack sequence,<\/p>\n\n\n\n

    \u2022             EnableMouseInPointer<\/p>\n\n\n\n

    \u2022             TrackMouseEvent<\/p>\n\n\n\n

    \u2022             GetsystemWindowsDirectory<\/p>\n\n\n\n

    \u2022             GetSystemAsFileTime<\/p>\n\n\n\n

    \u2022             GetVersion<\/p>\n\n\n\n

    \u2022             GetUILanguageInfo<\/p>\n\n\n\n

    \u2022             GetProcAddress<\/p>\n\n\n\n

    \u2022             CreateRemoteThread<\/p>\n\n\n\n

    \u2022             NtUserRemoteConnect<\/p>\n\n\n\n

    ISFB Trojan Attack Sequence:<\/strong><\/h3>\n\n\n\n

    1. Arrives as an office document attachment
    2. User tricked into opening document and executed malicious macro
    3. Users download malicious DLL
    4. Malicious DLL is executed
    5. Malware steals user data and credentials from browser
    6. Victim\u2018s computer connects to the remote C2 server
    7. Remote C2 server is executing backdoor commands on the victim\u2019s computer<\/p>\n\n\n\n

    Initial – Indicator of Compromise [IOC]:<\/strong><\/h3>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    Virus Total Results:<\/strong><\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Functionalities of ISFB:<\/strong><\/h3>\n\n\n\n
      \n
    • In general, it will be acting as info-stealer by collecting system activities and data (including network and browser data).<\/li>\n\n\n\n
    • Recording keystrokes (keylogging).<\/li>\n\n\n\n
    • Recording the videos or else making screenshots.<\/li>\n\n\n\n
    • Performing Man-in-the-browser [MiTB] attacks on the targeted websites. Usually, it’s used to intercept and\/or modify data as it is being sent between a browser and a web server. (e.g., Form-grabbing, Web-injects).<\/li>\n\n\n\n
    • Redirect browser navigation to malicious websites.<\/li>\n\n\n\n
    • Enabling hVNC (hidden-VNC) and SOCKS proxy.<\/li>\n<\/ul>\n\n\n\n

      IOC – Indicators of Compromise for detecting ISFB \/ GOZI \/ URSNIF<\/strong><\/strong><\/h3>\n\n\n\n

      Hashes<\/strong><\/p>\n\n\n\n

      1056EA3DAD265DD554362BC0BD67F08FA2B9F3E5839E6E4FB197831A15C8ACEF<\/p>\n\n\n\n

      C0E28D4E88C59688657C839C344E6C1289002EF0BA461EBBF3CD4B75949312E9<\/p>\n\n\n\n

      5A8F5497F864BEAC188B72F77B22E1CBC1ECBB476E53C14403BD5A69515A2670<\/p>\n\n\n\n

      EB0A49F46CB50FED3FF0C1EA5062F94E6BAAF367775500AF122CD48AA7B4C1EA<\/p>\n\n\n\n

      06463378AE58AC721A6129CA3E85E743CD65ADB9E636ED95FB2C3215C2C9C754<\/p>\n\n\n\n

      3087A86F6A90A4F8F485023CB848815BA473E607CCB96B180839CDDE847566D8<\/p>\n\n\n\n

      ED0C5F836B3B54EEFAFCB1CC05571C27D294C50FBA036E50E030A5189735F6DD<\/p>\n\n\n\n

      9F3AFEF4B3A589C4685F39D887725A664EC0FE78091069550402365E589F9D22<\/p>\n\n\n\n

      E61BEE46B1B943412D7C2342EA1FA52635606105A8EC4F2341AE66ACC2121671<\/p>\n\n\n\n

      74F057A1B3EBD62B8A352F709716C4EAC4DF8503A3D7AACE8F46EA6AA998B02B<\/p>\n\n\n\n

      2231EA447F6F794FAE6A54479627112EBBA77DD276402F628FBE8B2BA4EC372F<\/p>\n\n\n\n

      53619FE192047617262D8BFD02DF432156AD01896129785240E20339A0FBCD7A<\/p>\n\n\n\n

      EEC4B7ACBF2659D738179784ABEE9009268AB135B90A19EC326CA3D4359DD014<\/p>\n\n\n\n

      E673EED04BF609E9FE34D7129DB5F8DF5FAF941CC741C9FBCDA12DF828DCAEB0<\/p>\n\n\n\n

      BD9EB71BAA0D28BFF80CBFA742346AA8F6D08AC463CE85BD97B9842AA6A2BBCB<\/p>\n\n\n\n

      A650279899A57CBF1E21D1E481BB02E10715DF746F987999A67253AE8390C4D5<\/p>\n\n\n\n

      B1DFE684B1F75E3B5AE544C82BAA9183A1F7E886CF68FF16D21FD030482AF1A2<\/p>\n\n\n\n

      DE51BAE08FD7318C988EF54511B5C08D8C3D9BBB2FC03D76D97116A79AFB9E81<\/p>\n\n\n\n

      104E6094EF239AAE7E4317433E868B67108B8157627DC222F996CB087795334F<\/p>\n\n\n\n

      IP Address<\/strong><\/p>\n\n\n\n

      172(.)67(.)149(.)13<\/p>\n\n\n\n

      93(.)94(.)199(.)139<\/p>\n\n\n\n

      62(.)173(.)154(.)224<\/p>\n\n\n\n

      190(.)147(.)189(.)122<\/p>\n\n\n\n

      141(.)8(.)193(.)236<\/p>\n\n\n\n

      5(.)62(.)38(.)208<\/p>\n\n\n\n

      54(.)177(.)212(.)176<\/p>\n\n\n\n

      54(.)38(.)220(.)85<\/p>\n\n\n\n

      64(.)70(.)19(.)203<\/p>\n\n\n\n

      5(.)79(.)79(.)212<\/p>\n\n\n\n

      84(.)200(.)110(.)123<\/p>\n\n\n\n

      141(.)94(.)176(.)124<\/p>\n\n\n\n

      51(.)89(.)115(.)213<\/p>\n\n\n\n

      185(.)53(.)178(.)7<\/p>\n\n\n\n

      185(.)240(.)103(.)83<\/p>\n\n\n\n

      217(.)12(.)199(.)168<\/p>\n\n\n\n

      31(.)41(.)44(.)27<\/p>\n\n\n\n

      162(.)255(.)119(.)93<\/p>\n\n\n\n

      192(.)64(.)119(.)244<\/p>\n\n\n\n

      178(.)210(.)89(.)119<\/p>\n\n\n\n

      Domains<\/strong><\/p>\n\n\n\n

      avkit(.)org<\/p>\n\n\n\n

      rgyui(.)top<\/p>\n\n\n\n

      missrevolt(.)top<\/p>\n\n\n\n

      dominikania(.)com<\/p>\n\n\n\n

      citisec-online(.)co<\/p>\n\n\n\n

      simple(.)oceanwp(.)org<\/p>\n\n\n\n

      apkfab(.)com<\/p>\n\n\n\n

      js(.)boardurl(.)de<\/p>\n\n\n\n

      s(.)0cf(.)io<\/p>\n\n\n\n

      mtmx(.)jp<\/p>\n\n\n\n

      lh3(.)androidcontents(.)com<\/p>\n\n\n\n

      americafirstcommittee(.)org<\/p>\n\n\n\n

      filecr(.)com<\/p>\n\n\n\n

      cdn-redirector(.)glopal(.)com<\/p>\n\n\n\n

      profeducations(.)com<\/p>\n\n\n\n

      html(.)design<\/p>\n\n\n\n

      www(.)ekko-wp(.)com<\/p>\n\n\n\n

      presets(.)kingcomposer(.)com<\/p>\n\n\n\n

      autroliner(.)com<\/p>\n\n\n\n

      track(.)gowithads(.)com<\/p>\n\n\n\n

      ws(.)fakemailgenerator(.)com<\/p>\n\n\n\n

       <\/p>\n\n\n\n

      MITRE ATT&CK Mapping to ISFB \/ URSNIF Threat<\/strong><\/h3>\n\n\n\n
      Domain<\/strong><\/td>ID<\/strong><\/td>Name<\/strong><\/td>Use<\/strong><\/td> <\/td><\/tr>
      Enterprise<\/td>T1071<\/td>0.001<\/td>Application Layer Protocol: Web Protocols<\/td>Ursnif has used HTTPS for C2.<\/td><\/tr>
      Enterprise<\/td>T1547<\/td>0.001<\/td>Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>Ursnif has used Registry Run keys to establish automatic execution at system startup.<\/td><\/tr>
      Enterprise<\/td>T1185<\/td> <\/td>Browser Session Hijacking<\/td>Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords). <\/td><\/tr>
      Enterprise<\/td>T1059<\/td>0.001<\/td>Command and Scripting Interpreter: PowerShell<\/td>Ursnif droppers have used PowerShell in download cradles to download and execute the malware’s full executable payload.<\/td><\/tr>
       <\/td> <\/td>0.005<\/td>Command and Scripting Interpreter: Visual Basic<\/td>Ursnif droppers have used VBA macros to download and execute the malware’s full executable payload.<\/td><\/tr>
      Enterprise<\/td>T1543<\/td>0.003<\/td>Create or Modify System Process: Windows Service<\/td>Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.<\/td><\/tr>
      Enterprise<\/td>T1132<\/td> <\/td>Data Encoding<\/td>Ursnif has used encoded data in HTTP URLs for C2. <\/td><\/tr>
      Enterprise<\/td>T1005<\/td> <\/td>Data from Local System<\/td>Ursnif has collected files from victim machines, including certificates and cookies. <\/td><\/tr>
      Enterprise<\/td>T1074<\/td>0.001<\/td>Data Staged: Local Data Staging<\/td>Ursnif has used tmp files to stage gathered information.<\/td><\/tr>
      Enterprise<\/td>T1140<\/td> <\/td>Deobfuscate\/Decode Files or Information<\/td>Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk. <\/td><\/tr>
      Enterprise<\/td>T1568<\/td>0.002<\/td>Dynamic Resolution: Domain Generation Algorithms<\/td>Ursnif has used a DGA to generate domain names for C2.<\/td><\/tr>
      Enterprise<\/td>T1041<\/td> <\/td>Exfiltration Over C2 Channel<\/td>Ursnif has used HTTP POSTs to exfil gathered information. <\/td><\/tr>
      Enterprise<\/td>T1564<\/td>0.003<\/td>Hide Artifacts: Hidden Window<\/td>Ursnif droppers have used COM properties to execute malware in hidden windows.<\/td><\/tr>
      Enterprise<\/td>T1070<\/td>0.004<\/td>Indicator Removal on Host: File Deletion<\/td>Ursnif has deleted data staged in tmp files after exfiltration.<\/td><\/tr>
      Enterprise<\/td>T1105<\/td> <\/td>Ingress Tool Transfer<\/td>Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads. <\/td><\/tr>
      Enterprise<\/td>T1056<\/td>0.004<\/td>Input Capture: Credential API Hooking<\/td>Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.<\/td><\/tr>
      Enterprise<\/td>T1559<\/td>0.001<\/td>Inter-Process Communication: Component Object Model<\/td>Ursnif droppers have used COM objects to execute the malware’s full executable payload.<\/td><\/tr>
      Enterprise<\/td>T1036<\/td>0.005<\/td>Masquerading: Match Legitimate Name or Location<\/td>Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.<\/td><\/tr>
      Enterprise<\/td>T1112<\/td> <\/td>Modify Registry<\/td>Ursnif has used Registry modifications as part of its installation routine. <\/td><\/tr>
      Enterprise<\/td>T1106<\/td> <\/td>Native API<\/td>Ursnif has used CreateProcessW to create child processes. <\/td><\/tr>
      Enterprise<\/td>T1027<\/td> <\/td>Obfuscated Files (OR) Information<\/td>Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[2] Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands. <\/td><\/tr>
      Enterprise<\/td>T1057<\/td> <\/td>Process Discovery<\/td>Ursnif has gathered information about running processes. <\/td><\/tr>
      Enterprise<\/td>T1055<\/td>0.005<\/td>Process Injection: Thread Local Storage<\/td>Ursnif has injected code into target processes via thread local storage callbacks.<\/td><\/tr>
       <\/td> <\/td>0.012<\/td>Process Injection: Process Hollowing<\/td>Ursnif has used process hollowing to inject into child processes.<\/td><\/tr>
      Enterprise<\/td>T1090<\/td> <\/td>Proxy<\/td>Ursnif has used a peer-to-peer (P2P) network for C2. <\/td><\/tr>
       <\/td> <\/td>0.003<\/td>Multi-hop Proxy<\/td>Ursnif has used Tor for C2.<\/td><\/tr>
      Enterprise<\/td>T1012<\/td> <\/td>Query Registry<\/td>Ursnif has used Reg to query the Registry for installed programs. <\/td><\/tr>
      Enterprise<\/td>T1091<\/td> <\/td>Replication Through Removable Media<\/td>Ursnif has copied itself to and infected removable drives for propagation. <\/td><\/tr>
      Enterprise<\/td>T1113<\/td> <\/td>Screen Capture<\/td>Ursnif has used hooked APIs to take screenshots. <\/td><\/tr>
      Enterprise<\/td>T1082<\/td> <\/td>System Information Discovery<\/td>Ursnif has used Systeminfo to gather system information. <\/td><\/tr>
      Enterprise<\/td>T1007<\/td> <\/td>System Service Discovery<\/td>Ursnif has gathered information about running services. <\/td><\/tr>
      Enterprise<\/td>T1080<\/td> <\/td>Taint Shared Content<\/td>Ursnif has copied itself to and infected files in network drives for propagation. <\/td><\/tr>
      Enterprise<\/td>T1497<\/td>0.003<\/td>Virtualization\/Sandbox Evasion: Time Based Evasion<\/td>Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.<\/td><\/tr>
      Enterprise<\/td>T1047<\/td> <\/td>Windows Management Instrumentation<\/td>Ursnif droppers have used WMI classes to execute PowerShell commands. <\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

      Introduction ISFB (URSnif, also known as Gozi), is one of the most widely spread banking trojans – it is aimed to steal the banking credentials and commonly targeting the corporate users. The malware was among the Top 10 malicious strains to infect the healthcare industry. ISFB\/Ursnif has undergone several development iterations since its source code […]<\/p>\n","protected":false},"author":1,"featured_media":2111,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2110","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2110"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2110\/revisions"}],"predecessor-version":[{"id":4205,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2110\/revisions\/4205"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2111"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}