Ursnif (a.k.a. Gozi), a former banking trojan, has been repurposed as a generic backdoor. Threat actors could use the new variant to distribute ransomware. Ursnif (a.k.a. Gozi), a former banking trojan, has been repurposed as a generic backdoor. Threat actors could use the new variant to distribute ransomware.
The threat actors behind Ursnif make fake job proposals in emails to carry out the operations, which is their usual scheme. In a previous campaign, the gang impersonated Michael Page’s consultants. They offered executive positions to lure victims and deployed their infostealer malware.
Upon visiting the malicious site, users are requested to complete a Captcha quiz to download an Excel document. A macro code in the Excel document is used to retrieve the malware payload named loader[.]dll from a remote resource. The DLL is signed with legitimate certificates to prevent detection and is packed by portable executable crypters.
After execution, the new malware gathers system service information from the Windows registry and generates a user and a system ID.
An RSA key found in the configuration file is then used to establish a connection with the command and control (C2) server. After that, it tries to get a list of commands to run on the host.
The malware supports the following commands:
| Command ID | Command Name | Description |
| 0xf880e2be | LOAD_DLL | Load a DLL module into the current process |
| 0xfee861f1 | SHELL_STATE | Retrieve the state of the cmd[.]exe reverse shell |
| 0xc202e685 | SHELL_START | Start the cmd[.]exe reverse shell |
| 0xa5946e4a | SHELL_STOP | Stop the cmd[.]exe reverse shell |
| 0xa04d6355 | SHELL_RESTART | Restart the cmd[.]exe reverse shell |
| 0x5d2295b5 | RUN_COMMAND | Run an arbitrary command |
| 0x5d639645 | EXIT | Terminate |
Ursnif IoCs
Any updates to IoCs can be found on Mandiant’s blog.
Malware sample hashes:
- 360417f75090c962adb8021dbb478f67 [VT]
- 3e0f28bcaf35af2802f45b58f49481be
- 590d96a7be55240ad868ebec78ce38f2
- 8c658b9b02814927124351484c42a272 [VT]
- 9f68d1a4b33e3ace6215040dc9fc73e8 [VT]
- b4610d340a9bff58616543b10e961cd3
- baa784967fd0558715f4011a72eb872e [VT]
- bd4a92d4577ddedeb462a71cdf2fa934
- bea60bab50d47f239132890a343ae84c [VT]
- d38f6f01bb926df07d34de0649f608f6 [VT]
- d6ef4778f7dc9c31a0a2a989ef42d2fd [VT]
- d94657449f8d8c165ef88fd93e463134 [VT]
- eee617806c18710e8635615de6297834 [VT]
- f4b0a6ab164f7c58cccce651606caede [VT]
Malware sample hashes (unpacked):
- 00b981b4d3f47bcbd32dfa37f3b947e5 [VT]
- 09bc2a1aefbafd3e7577bc3c352c82ad [VT]
- 1b0ec09ca4cb7dcf5d59cea53e1b9c93
- 3c5f002b46ef11700caca540dcc7c519
- 498d5e8551802e02fe4fa6cd0425c608
- 58169007c2e7a0d022bc383f9b9476fe [VT]
- 7808d22a4343b2617ceef63fd0d43651
- 7eea48e592c4bccbfa3929b1b35a7c0b
- 89b4dd18bea842fddd021aa74d109ec3
- a3539bc682f39406c050e5233058c930 [VT]
- ac39f1a22538f0211204037cce30431d
- c1989d25287cd9044b4d936e73962e35
- c7facfffad15a9c84239b495770183bb
- cde05576e7c48ca89d2f21c283a4a018 [VT]
Domains:
- astope[.]xyz
- binchfog[.]xyz
- damnater[.]com
- daydayvin[.]xyz
- dodsman[.]com
- dodstep[.]cyou
- fineg[.]xyz
- fingerpin[.]cyou
- fishenddog[.]xyz
- giantos[.]xyz
- gigeram[.]com
- gigiman[.]xyz
- gigimas[.]xyz
- higmon[.]cyou
- isteros[.]com
- kidup[.]xyz
- lionnik[.]xyz
- logotep[.]xyz
- mainwog[.]xyz
- mamount[.]cyou
- minotos[.]xyz
- pinki[.]cyou
- pipap[.]xyz
- prises[.]cyou
- reaso[.]xyz
- rorfog[.]com
- tornton[.]xyz
- vavilgo[.]xyz
IP addresses:
- 5[.]182.36.248 (CH) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]182.37.136 (RU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]182.38.43 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]182.38.68 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]252.23.238 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]8.147.179 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]8.147.215 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.34.75 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.34.172 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.34.245 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.229.39 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]89.54.122 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]89.54.152 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]95.11.62 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]140.146.241 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]142.212.87 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]150.67.4 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 77[.]75.230.62 (CZ) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 77[.]91.72.15 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.100.71 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.100.209 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.106.8 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.106.16 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.107.13 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.107.132 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.107.252 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 141[.]98.169.6 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 185[.]250.148.35 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 188[.]119.112.104 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 193[.]38.54.157 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment