Ursnif

Malware updated a month ago (2024-10-17T12:05:09.564Z)
Ursnif, also known as Gozi or ISFB, is a malware family that has been distributed by the threat actor group TA551. It typically reaches systems through malicious downloads, emails, or websites, and once installed it can steal personal information, disrupt operations, or hold data for ransom. Ursnif was notably documented in an infection on December 19, 2019, during which Valak was identified as follow-up malware. The malware is often delivered through Word documents with macros and has been linked to other prevalent malware families such as Dridex and Emotet. TA551, active since at least November 2017, has historically pushed different families of information-stealing malware, including Ursnif and Valak, and exfiltrates data stolen from victim networks using post-exploitation tools such as Cobalt Strike alongside other malware. In one campaign, the landing pages used resembled those discovered by Google Cloud's security team in an earlier effort to spread a new variant of the Ursnif malware. TA547, another financially motivated threat actor, has conducted multiple campaigns delivering various Android and Windows malware, including Ursnif. The delivery of Ursnif has evolved over time: in 2017, SVG files were used to distribute this malware, and by 2022 the same file type was being used to smuggle .zip archives containing QakBot malware. Italian firms were targeted by TA544 threat actors using the Ursnif banking trojan. A WikiLoader campaign tricked users into installing Ursnif using a fake parcel delivery PDF, part of a rise in PDF-based threats spreading malware such as WikiLoader, Ursnif, and DarkGate. Furthermore, three documents used to deliver Ursnif, all containing the same image, were found in a database search from May 2021.
Description last updated: 2024-10-17T11:48:03.563Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names / profiles that may also be relevant.
Alias / Description / Votes

Gozi (6 votes) - Gozi is a possible alias for Ursnif. Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c

Ta544 (5 votes) - Ta544 is a possible alias for Ursnif. TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als

Gozi Isfb (3 votes) - Gozi Isfb is a possible alias for Ursnif. Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.

Dreambot (2 votes) - Dreambot is a possible alias for Ursnif. Dreambot, also known as Ursnif and Gozi ISFB, is a malicious software (malware) designed to steal passwords and credentials, primarily targeting the banking and financial sectors. It has been described by threat researchers as "frighteningly lucrative," compared to the already profitable cybercrime
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Windows
Exploit
Proofpoint
Beacon
Analyst Notes & Discussion
Associated Malware
Alias / Description / Association Type / Votes

WikiLoader (Unspecified, 5 votes) - The Wikiloader Malware is associated with Ursnif. WikiLoader, also known as WailingCrab, is a downloader malware first discovered in 2022 by Proofpoint and made public in 2023. This sophisticated malicious software is typically sold in underground marketplaces by an initial access broker (IAB) and is often spread through traditional phishing techni

Batloader (Unspecified, 2 votes) - The Batloader Malware is associated with Ursnif. Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal

IcedID (Unspecified, 2 votes) - The IcedID Malware is associated with Ursnif. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d

QakBot (Unspecified, 2 votes) - The QakBot Malware is associated with Ursnif. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d

Zloader (Unspecified, 2 votes) - The Zloader Malware is associated with Ursnif. ZLoader is a form of malware, or malicious software, that is designed to exploit and damage computer systems. This harmful program can infiltrate a device through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal inform

Dridex (Unspecified, 2 votes) - The Dridex Malware is associated with Ursnif. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta

Emotet (Unspecified, 2 votes) - The Emotet Malware is associated with Ursnif. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,
Associated Threat Actors
Alias / Description / Association Type / Votes

TA551 (Unspecified, 2 votes) - The TA551 Threat Actor is associated with Ursnif. TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
Source Document References
Information about the Ursnif malware was read from the document corpus below. This display is limited to 20 results.

Source / Created At

Securityaffairs - 3 months ago
DARKReading - 5 months ago
Securityaffairs - 7 months ago
CERT-EU - 8 months ago
BankInfoSecurity - 8 months ago
CERT-EU - 9 months ago
InfoSecurity-magazine - 9 months ago
MITRE - a year ago
DARKReading - a year ago
CERT-EU - a year ago
DARKReading - a year ago
DARKReading - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago