Bridewell’s Cyber Threat Intelligence (CTI) team has discovered previously undetected Ursnif infrastructure used in 2023 campaigns, suggesting that the malware operators have not yet utilized this highly elusive infrastructure.
Ursnif, originally a banking trojan also known as Gozi, has evolved into a ransomware and data exfiltration facilitator, with its latest variant, LDR4, being identified by Mandiant in June 2022, joining the ranks of malware like:-
In January 2023, a DFIR report highlighted a campaign involving the Ursnif backdoor, followed by Cobalt Strike deployment and subsequent data exfiltration, with the added use of the legitimate RMM tools Atera and Splashtop by the threat actor.
In that campaign, the Ursnif backdoor was delivered by a phishing email carrying a malicious ISO file. In March 2023, eSentire documented a Google Ads campaign using BatLoader to drop various second-stage payloads such as Redline and Ursnif disguised as legitimate tools, followed by Cobalt Strike deployment for further intrusion activity in enterprise environments.
In the pursuit of new Ursnif IP addresses, researchers examined recently published ones. They discovered distinctive characteristics within the associated SSL certificates, leading to the identification of potential hunting opportunities for these addresses in the wild.
By leveraging identifiable features and additional criteria, experts successfully pinpointed 72 additional servers of interest that aligned with their newly developed Ursnif hunting rule, allowing them to determine the geographical hosting locations and hosting providers associated with these servers.
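The hunting approach described above, as an added example that is not Bridewell's code or rule: the page does not disclose which certificate characteristics were distinctive, so the three features below (a self-signed certificate, OpenSSL's default subject fields, and a roughly one-year validity period) are constructed placeholders chosen only to show the mechanics. The script parses the subject and issuer distinguished names from flattened scan records (also constructed), applies the rule, and pivots the matches onto hosting provider and country, which is the same kind of summary the researchers produced for their 72 servers.

```python
"""Certificate-feature hunting for candidate C2 servers (added example).

The features encoded in HUNT_RULE are hypothetical placeholders, not the
characteristics Bridewell used; swap them for the real indicators from your
own analysis. All sample records are constructed and use RFC 5737 test IPs.
"""
from collections import Counter
from datetime import datetime

# Constructed scan-data export: what a flattened internet-scan result might
# look like. Every value below is invented for illustration.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "provider": "ExampleHost A", "country": "NL",
     "subject": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "issuer": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "not_before": "2023-01-05", "not_after": "2024-01-05"},
    {"ip": "192.0.2.44", "provider": "ExampleHost A", "country": "NL",
     "subject": "CN=shop.example.net",
     "issuer": "CN=R3,O=Let's Encrypt,C=US",          # CA-issued: benign
     "not_before": "2023-04-01", "not_after": "2023-06-30"},
    {"ip": "198.51.100.7", "provider": "ExampleHost B", "country": "DE",
     "subject": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "issuer": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "not_before": "2023-03-10", "not_after": "2024-03-10"},
    {"ip": "198.51.100.90", "provider": "ExampleHost B", "country": "DE",
     "subject": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "issuer": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "not_before": "2023-02-01", "not_after": "2025-02-01"},  # two-year cert
    {"ip": "203.0.113.22", "provider": "ExampleHost A", "country": "US",
     "subject": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "issuer": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
     "not_before": "2023-06-15", "not_after": "2024-06-14"},
]

# Hypothetical rule: the values here are placeholders, not Ursnif indicators.
HUNT_RULE = {
    "subject_fields": {"O": "Internet Widgits Pty Ltd", "ST": "Some-State", "C": "AU"},
    "validity_days": (364, 366),   # "about one year", tolerant of leap days
}


def parse_dn(dn):
    """Split a flattened distinguished name ('CN=x,O=y') into a dict.

    Good enough for scan exports without escaped commas; a production tool
    should use a real X.509 parser such as the cryptography package.
    """
    fields = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def validity_days(record):
    """Lifetime of the certificate in whole days."""
    start = datetime.strptime(record["not_before"], "%Y-%m-%d")
    end = datetime.strptime(record["not_after"], "%Y-%m-%d")
    return (end - start).days


def matches_hunt_rule(record, rule=HUNT_RULE):
    """True when a record carries every feature in the hunting rule."""
    subject = parse_dn(record["subject"])
    issuer = parse_dn(record["issuer"])
    self_signed = subject == issuer
    default_subject = all(subject.get(k) == v for k, v in rule["subject_fields"].items())
    low, high = rule["validity_days"]
    one_year = low <= validity_days(record) <= high
    return self_signed and default_subject and one_year


def hunt(records, rule=HUNT_RULE):
    """Return the IPs of all records that satisfy the rule, in input order."""
    return [r["ip"] for r in records if matches_hunt_rule(r, rule)]


def summarize(records, rule=HUNT_RULE):
    """Pivot the matches onto hosting provider and country, as Counters."""
    hits = [r for r in records if matches_hunt_rule(r, rule)]
    return Counter(r["provider"] for r in hits), Counter(r["country"] for r in hits)


if __name__ == "__main__":
    print("candidate servers:", hunt(SCAN_RECORDS))
    providers, countries = summarize(SCAN_RECORDS)
    print("by provider:", dict(providers))
    print("by country:", dict(countries))
```

Two of the five constructed records are rejected on purpose: one is CA-issued, the other self-signed but with a two-year lifetime, which is the kind of near-miss a loosely written rule would sweep in. Keep the feature list as tight as the real indicators allow, and treat every hit as a lead to corroborate (for instance against sandbox or VirusTotal relations, as the researchers did) rather than as a confirmed C2.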
All the hosting providers are shown in the image below:-
Although the researchers' analysis confirmed their existence, security vendors have yet to report or detect six of the 23 Ursnif C2 servers seen communicating with Ursnif files.
Here below, we have mentioned those six C2 servers:-
After analysis, it was found that approximately 30% of the infrastructure showed communication with files detected as Ursnif, with an average detection rate of only 4.78 on VirusTotal among the identified Ursnif C2s; moreover, around 71.3% of the IP addresses showed no communication with any files.
Ursnif, a backdoor employed by threat actors, poses a significant risk to organizations as it is a gateway to ransomware and data exfiltration.
It is typically distributed through malicious documents, such as macro-enabled Office files, or through malicious installers promoted via Google Ads campaigns.
Ursnif has evolved from a banking trojan to aiding ransomware attacks and can be tracked by CTI teams through its C2 infrastructure, enabling defenders to respond quickly and prevent ransomware intrusions.
Here below, we have mentioned all the mitigations recommended by the cybersecurity researchers:-