Ursnif: Long Live the Steganography

description: Another wave of Ursnif attacks hits Italy. Ursnif is one of the most active banking trojans. It is also known as GOZI; in fact, it is a fork of the original Gozi-ISFB banking Trojan, whose source code was leaked in 2014, and it has updated and evolved Gozi's features over the years. In this variant too, Ursnif uses a weaponized Office document with an embedded VBA macro that acts as a dropper, followed by multi-stage, highly obfuscated PowerShell scripts that hide the real payload. In addition, this Ursnif variant also uses steganography to hide the malicious code and evade AV detection.

IOC Table
total 44