Ursnif malware also known as Gozi ISFB, is a variant of the original Gozi banking Trojan, which leaked its source code online in 2014.
Intially usnif Malware distributed via Spam Email that contains a fake document, typically purchase order, invoice .
This malware campaign uses an already well-known payload delivery method which employs Microsoft Excel documents containing a malicious VBA macro.
Once the targeted victims will enable the Macro then it initially checks the victim country using the Application
Later some of the obfuscation function of the Macro code will execute the
several strings encoded shell that will be converted into new Powershell command.
According to yoroi research,” the malware tries to download an image from at least one of two embedded URLs:
The apparently legit image actually contains a new Powershell command. The weaponized image is crafted using the Invoke-PSImage script, which allows to embeds the bytes of a script into the pixels of a PNG file. “
download malicious binary which will be injected into
Finally it complete the decryption process and the stolen data will be stored in the register key that is set by the malware.
“So, using the Powershell script stored into regkey (shown above), Ursnif is able to allocate space enough for its malicious byte array, containing the final payload, and to start it as legit process’ thread through QueueUserAPCand SleepEx calls.”
When the DLL has check it in the virus total , there are no detection occurred and all the AV engine shows it as clean.
“New Ursnif sample uses the same APC injection technique to instill its final binary into
This blog post was authored by Antonio Farina, Davide Testa and Antonio Pirozzi of Cybaze-Yoroi Z-LAB