Ursnif Malware

• Researchers Uncovered C2 Infrastructure Used by Malware Ursnif (Cyber Security)
• Google Ads Push ‘Virtualized’ Malware Made for Antivirus Evasion (BleepingComputer)
• Ursnif Malware Switches from Bank Account Theft to Initial Access (BleepingComputer)
• Top 11 Maware Strains of 2021 — And How to Stop Them (BlackBerry Blog)

Ursnif’s first-stage tactics to gain initial access are similar to those of other malware strains, including email attachments, malicious websites, and trojanized applications. A recent successful Ursnif campaign involved a particularly crafty and notable technique: using stolen email credentials to inject spear-phishing replies into ongoing conversations. These injected messages direct recipients to open a malicious attachment that executes Ursnif’s second-stage payload.

Ursnif’s initial access payloads usually require the target to enable Microsoft Office macros, which allows a pre-compiled executable to be fetched from an attacker-controlled server and executed on the target’s system. The second-stage process begins with Ursnif stealing any user credentials it can find, connecting to a command-and-control (C2) server, and downloading and installing additional second-stage modules.

Recent versions of Ursnif attempt to evade detection using a technique called LOLBins (short for Living Off the Land Binaries) that leverages native Windows software tools (e.g., powershell.exe, mshta.exe) to achieve its goals rather than importing tools. To increase stealth, newer versions of Ursnif link to Google Drive URLs to avoid using blocked domain names or IP addresses that security products would recognize. Ursnif also uses password-protected ZIP files, ensuring its payload is encrypted as it enters the network to evade less sophisticated security products.

• Information gathering and credential harvesting from popular email, browsers, and FTP clients
• Surveilling and stealing user keystrokes, screenshots, and clipboard data
• Intercepting and modifying browser traffic by inserting extra code (i.e., web injects) into popular banking and crypto exchange websites to harvest credentials, including multi-factor authentication (MFA) tokens and to hi-jack user accounts
• Uploading and downloading files to and from a compromised system
• Establishing VNC remote desktop access using a SOCKS-based connection for surveillance and remote access
• Domain generation algorithms (DGA) dynamically creating domain names and using them as C2 to avoid identification and blocking

The most effective tactics for preventing a Ursnif attack are similar to those for defending against other strains of malware that use common first-stage attack vectors, such as phishing with trojanized Microsoft Office documents and stolen credentials.

• Enforce multi-factor authentication for all critical services—especially online banking and cryptocurrency accounts
• Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
• Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
• Install and configure endpoint security products that will scan encrypted documents immediately after they are unencrypted
• Implement Zero Trust solutions wherever possible, giving priority to critical systems 
• Ensure Office applications are configured with Disable all macros without notification or Disable all except digitally signed macros settings