
Emerging Threats

Ursnif — 2 August 2021 campaign

· frtg · 3 min read

In recent days, a new malspam campaign containing the Ursnif malware has been detected targeting Italy.

[Image] Source: JAMESWT on Twitter: “@jh__1995 @malwrhunterteam Mentioned

The Zip file attached to the malspam contains a JS file that acts as a dropper and connects to the following addresses to download a new Ursnif sample:

  • https://docs.zohopublic[.]eu/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&docExtn=zip
  • http://josymixmyhome[.]com.br/site/direct.php
  • https://docs.zohopublic[.]eu/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&docExtn=png

The downloaded sample is then extracted and saved as direction.dll.

[Image: Command to download the Ursnif sample]

From the analysis performed on direction.dll, the sample employs a Defense Evasion mechanism. Specifically, it performs environment-type checks to detect execution within a sandbox and modifies its behavior accordingly, thereby complicating analysis. Additionally, the malware accepts input parameters, so its behavior varies based on arguments passed through the sample execution command.

ATT&CK Tactic      ATT&CK Technique
DEFENSE EVASION    Virtualization/Sandbox Evasion: System Checks (T1497.001)
EXECUTION          Command and Scripting Interpreter (T1059)

During execution, the sample contacts Command and Control servers at the following domains:

  • alliances[.]bar
  • allianceline[.]bar
  • alliancer[.]bar

[Image: Connections to C2 servers during execution]

Static Analysis

JS File

Tag: Dropper

Details
  md5: A8E17B6252ED7E3C9BDA4F55B2E3CAC9
  sha1: E70B1DC096FDCE51C240D02BE32DEA3C6D3CE2E6
  sha256: C36C266157D4E7B7B2DBC36D96BDE0086E31647B541B14DB70D9FE1E36BAE779
  file size: 53 939 bytes
  entropy: 4.434
  VirusTotal score: 26/64

direction.dll

Tag: Ursnif

Details
  md5: 499200F6A8E223C057C6E16701740721
  sha1: EF46F9C62B94715B750173074C51100285FF6FE9
  sha256: D7E64F8E65CE586CE2F0A857810B2A23F85140BF5E52E5A824F09787FB2BF45E
  file size: 258 504 bytes
  entropy: 6.406
  imphash: D34313CE3555DEC95480BCAE2D5DEA6B
  cpu: 32-bit
  VirusTotal score: 46/64

The observed malspam campaign demonstrates the continued reliance on multi-stage delivery chains combining T1566.001 (Phishing: Spearphishing Attachment) with T1059 (Command and Scripting Interpreter) and T1497.001 (Virtualization/Sandbox Evasion: System Checks). The adoption of parameterized execution and environment detection reflects operator sophistication in evading Cyber Threat Intelligence collection and automated analysis platforms. Organizations should maintain vigilance against malspam vectors and implement behavioral detection mechanisms to identify sandbox-evasion patterns during execution.
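As an added example that is not part of the original post, the Python below refangs the indicators published above and checks constructed proxy-log lines against them. The download stages are matched on the full URL rather than the host, because docs.zohopublic.eu is a shared document-hosting service that also carries legitimate traffic; the C2 domains are matched on the host alone. The log format and the log lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators exactly as published in the post above (defanged form).
DROPPER_URLS = [
    "https://docs.zohopublic[.]eu/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&docExtn=zip",
    "http://josymixmyhome[.]com.br/site/direct.php",
    "https://docs.zohopublic[.]eu/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&docExtn=png",
]
C2_DOMAINS = ["alliances[.]bar", "allianceline[.]bar", "alliancer[.]bar"]

def refang(ioc: str) -> str:
    """Undo the '[.]' / 'hxxp' defanging so an indicator can be compared with live telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

# docs.zohopublic.eu is a shared hosting service, so the download stages are matched on the
# full URL (host + path + query); the C2 domains are matched on the host alone.
DROPPER_URL_SET = {refang(u).lower() for u in DROPPER_URLS}
C2_HOST_SET = {refang(d).lower() for d in C2_DOMAINS}

def classify_url(url: str) -> Optional[str]:
    """Return 'payload-download', 'c2', or None for a URL seen in proxy or DNS telemetry."""
    url = url.strip().lower()
    if url in DROPPER_URL_SET:
        return "payload-download"
    if (urlparse(url).hostname or "") in C2_HOST_SET:
        return "c2"
    return None

# Constructed proxy-log lines ("<timestamp> <client-ip> <method> <url> <status>");
# the second line is benign traffic to the same hosting service and must not be flagged.
SAMPLE_PROXY_LOG = """\
2021-08-02T10:14:03Z 10.0.0.21 GET https://docs.zohopublic.eu/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&docExtn=zip 200
2021-08-02T10:14:05Z 10.0.0.21 GET https://docs.zohopublic.eu/somebody/quarterly-report.pdf 200
2021-08-02T10:14:09Z 10.0.0.21 POST http://alliances.bar/images/x.gif 200
"""
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, verdict) for every line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, client, _method, url, _status = m.groups()
            verdict = classify_url(url)
            if verdict:
                hits.append((ts, client, verdict))
    return hits
```

Running scan_proxy_log(SAMPLE_PROXY_LOG) flags the first line as a payload download and the third as C2 traffic while leaving the benign Zoho request alone.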
