URSNIF is an information stealing malware with a wide range of malicious abilities. The threat first attracted notice in 2007 while delivering the Gozi trojan via infected PDF email attachments. URSNIF made a resurgence in 2016 and 2017, becoming the most active malware to hit the financial sector. Initially aimed at financial institutions in English-speaking nations, URSNIF spread to Japan and Eastern Europe after its code was leaked in 2010.
URSNIF primarily targets banks but has been used to steal user credentials for email, private cloud access, e-commerce sites, and cryptocurrency trading. The malware still relies on phishing emails with infected attachments to deliver its payload. Memory analysis suggests URSNIF can infect USB storage devices.
Cylance Threat Research recently analyzed URSNIF to identify changes in the newest variant. One early discovery was an update to the OS requirement. Classic URSNIF could execute on Windows XP. Our sample requires Windows 7 (32-bit) or newer. Another difference involves URSNIF checking for C:\%filename%.txt. If found, further checks for a virtual environment are ignored.
To achieve persistence on a system, the malware creates two registry keys. It employs API hooks which allow it to collect email credentials, webcam footage, image files, audio files, and screen captures. Our test version of the malware also monitored browsers by hooking the following files:
BROWSER HOOKED FILES
Google Chrome WS2_32.DLL, KERNEL32.DLL and CHROME.DLL
Mozilla Firefox NSS3.DLL and NSPR4.DLL
Microsoft Internet Explorer WININET.DLL
(Code references also indicate that URSNIF can hook into Opera.exe)
URSNIF checks for an Internet connection using nslookup. It also spawns a sub-process which creates a batch file capable of checking for secondary malware. If the system is connected to the Internet, the malware injects code into explorer.exe which contacts the C2 server. The injected file can use a domain name generator algorithm (DGA) to create a list of malicious domains. While the malware contains code to use the open-top-domains algorithm our sample relied on using hardcoded network indicators.
URSNIF attempts to download additional stages of the malware and store them in the %temp% directory. If successful, the batch file created at the beginning of the infection process will delete the original malware file. If not successful, the temp file(s) are deleted.
Further details on how URSNIF operates and Indicators of Compromise (IOCs) can be found in our Threat Spotlight report.
As previously noted, URSNIF can collect email credentials, webcam footage, image files, audio files, and screen captures. It is the most active malware in the financial sector for two years running. The malware can steal user credentials, bank account information, and credit card numbers. With industry estimates putting the cost-per-stolen-record at $141USD, URSNIF poses a threat no company can afford to ignore.
Customers of CylancePROTECT® are protected from URSNIF, both new and old. While the malware has deployed new methods over the past decade, it has not learned to evade the artificial intelligence-driven prevention of CylancePROTECT.