{"id":3024,"date":"2024-09-25T21:00:54","date_gmt":"2024-09-25T21:00:54","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=3024"},"modified":"2025-07-29T06:59:04","modified_gmt":"2025-07-29T06:59:04","slug":"ursnif-the-mr-worldwide-of-banking-trojans","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/ursnif-the-mr-worldwide-of-banking-trojans\/","title":{"rendered":"Ursnif \u2013 the \u2018Mr Worldwide\u2019 of banking trojans"},"content":{"rendered":"
\n
\"the<\/figure>\n<\/div>\n\n\n

Overview<\/strong>

Since its discovery in 2007, the Ursnif banking trojan has made a name for itself as one of the most widely used banking malware variants (second only to Zeus). It is known for stealing bank account details, credit card data, and, in recent years, various other login credentials. Ursnif, which is also known as \u2018Gozi\u2019, can spread via infected USB flash drives, though its most recent campaigns have relied on more traditional malspam techniques.\u00a0

In one such campaign, our researchers discovered Ursnif hidden in a malicious .zip file attachment. The phishing email\u2019s subject line was \u201cAA Insurance Invoice\u201d and the attachment was embedded with a .LNK file which acted as a downloader for actual malware. All these details are available in the IOC \u00a0section further below.\u00a0

Additionally, recent threat intelligence evidence suggests some Ursnif campaigns are employing FastFlux<\/a> techniques in order to evade detection. This technique involves using an ever-changing network of compromised machines to act as proxy servers. By rapidly swapping the CnC IP address, rules-based detection technologies may struggle to keep up with the update cycle. The below screenshot shows the multiple IP addresses believed to be associated with the Fast Flux technique:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1<\/em>

Ursnif is a global malware in the truest sense of the word. Recent campaigns have targeted Japanese<\/a> and Australian<\/a> users, though it has been used extensively in the past to target European and US victims. Its C&C servers are similarly widespread. Below, we see the location of its servers in the US, South America, Northern Africa, the Middle East and throughout Europe. It is also known to have servers in South East Asia.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2<\/em>

Static Analysis:<\/strong>

File type: PE (Exe file)

Hash (SHA-256): 3c7aa81d3bb71a7dce4cb2cad5c04e511a7210dcb435e03b118f6e7774822718

Size: 563712 bytes

File description: Vertex Cleaning Agency

AV detection:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3\u00a0Latest detection for this sample<\/em>

We first tested to see how successful AV vendors were in detecting this sample. While it was picked up by most vendors, it was not identified as Ursnif which would suggest the detections are based on heuristic signatures.<\/p>\n\n\n\n

File Properties and DLL dependencies:<\/strong>

The sample our researchers discovered is a 32 bit PE .exe file called \u201cvertex cleaning agency\u201d. After reviewing the import DLLs, we spotted features including anti-debug and blacklist APIs. The below snapshot gives more information on PE file type and import DLL details:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 4\u00a0File properties and dll dependencies<\/em>

The above snapshot shows that only two DLLs are found in the import table \u2013 Version.dll and Kernel32.dll. We\u2019ve extrapolated further functionality below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5\u00a0Blacklisted and Anti-debug API<\/em>

IsDebuggerPresent, and GetTickCount are obviously anti-debug APIs which are widely used to evade detection.<\/p>\n\n\n\n

Behavioural and code analysis:<\/strong>

Our researchers analysed this malware in a controlled environment to observe its behaviour. After execution, it contacts the following Italian URL:

hxxp:\/\/mondomusicatania(.)it<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 6\u00a0Details of the URL contacted<\/em>\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 7\u00a0AV detection for the contacted URL<\/em>

Multiple anti-malware solutions flagged this website.\u00a0

After executing the original file, it creates a duplicate file in a folder inside %appdata% as follows:<\/p>\n\n\n\n

%appdata%\\Microsoft\\Capemesh\\batmvmgr.exe<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The same file is then linked with the autostart registry entry in order to maintain persistence:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 8\u00a0Run entry created for maintaining persistence<\/em>

Ursnif then made entries related to address book and internet account managers, as follows:<\/p>\n\n\n\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager
HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts
HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts\\Active Directory GC
HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts\\Bigfoot
HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts\\VeriSign
HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts\\WhoWhere
HKEY_CURRENT_USER\\Software\\Microsoft\\WAB
HKEY_CURRENT_USER\\Software\\Microsoft\\WAB\\WAB4
HKEY_CURRENT_USER\\Software\\Microsoft\\WAB\\WAB4\\Wab File Name <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Finally, a WAB file is created in the location: Microsoft\\AddressBook\\(username).wab

IOC details:<\/strong>

Hash:<\/strong> 3c7aa81d3bb71a7dce4cb2cad5c04e511a7210dcb435e03b118f6e7774822718

Malicious URL contacted:<\/strong> hxxp:\/\/mondomusicatania(.)it

Malicious IP address<\/strong>: 62.149.142(.)52

Registry entry: <\/strong>

Key:<\/strong> \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u201d 

Value<\/strong>: “comssapi”

Data or Physical location:<\/strong> \u201c%Appdata%\\Microsoft\\Capemesh\\batmvmgr.exe

Infection URL:<\/strong>  hxxp:\/\/nth-gen.co.uk\/AA%20Insurance%20Invoice.zip

Infection URL Domain:<\/strong> nth-gen[.]co[.]uk

Infection URL IP:<\/strong> 46.249.205.43

IOC for Insurance Campaign Malicious File (mentioned in introduction):<\/strong>

File name:<\/strong> AA Insurance Invoice.zip

MD5:<\/strong> b85fddb1c4b9035138cd30d31c180faf

SHA256:<\/strong> ed4007797c15d89bca7fe4ad0411807fb1d075917f01f410f8a78648bf1a04f9

Conclusion<\/strong>

By using the above IOCs, in particularl blacklisting the malicious URL and IP addresses, organisations can limit their exposure to the latest Ursnif campaign. While we\u2019ve seen no evidence in this campaign of the use of infected USB devices, its authors have been known to use this tactic in the past. As such administrators need to a keep strict policy on the usage of unauthorised USB and storage devices inside the network (this should be a no-brainer, but it never hurts to double check). 

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Overview Since its discovery in 2007, the Ursnif banking trojan has made a name for itself as one of the most widely used banking malware variants (second only to Zeus). It is known for stealing bank account details, credit card data, and, in recent years, various other login credentials. Ursnif, which is also known as […]<\/p>\n","protected":false},"author":1,"featured_media":3041,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-3024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=3024"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3024\/revisions"}],"predecessor-version":[{"id":4354,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3024\/revisions\/4354"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/3041"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=3024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=3024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=3024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}