{"id":3010,"date":"2021-08-02T16:20:16","date_gmt":"2021-08-02T16:20:16","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3010"},"modified":"2026-06-08T23:10:58","modified_gmt":"2026-06-08T23:10:58","slug":"ursnif-campaign-august-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ursnif-campaign-august-2021\/","title":{"rendered":"Ursnif \u2014 2 August 2021 campaign"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent days, a new malspam campaign containing the Ursnif malware has been detected targeting Italy.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/pbs.twimg.com\/media\/E7SjppbWQAQopsy?format=png&amp;name=900x900\" alt=\"Image\" \/><figcaption>Source: <a href=\"https:\/\/twitter.com\/jh__1995\/status\/1419940991725936640\/photo\/1\" class=\"ek-link\">JAMESWT on Twitter: &#8220;@jh__1995 @malwrhunterteam Mentioned<\/a><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The Zip file contains a JS file that acts as a Dropper and connects to the following addresses:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&amp;docExtn=zip<\/li><li>http:\/\/josymixmyhome[.]com.br\/site\/direct.php<\/li><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&amp;docExtn=png<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The dropper uses these addresses to download a new Ursnif sample. 
This sample is then extracted and saved as <strong>direction.dll<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/image-4.png\" alt=\"\" class=\"wp-image-3029\" loading=\"lazy\" \/><figcaption>Command to download the Ursnif sample<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">From the analysis performed on <strong>direction.dll<\/strong>, the sample employs a Defense Evasion mechanism. Specifically, it performs environment-type checks to detect execution within a sandbox and modifies its behavior accordingly, thereby complicating analysis. Additionally, the malware accepts input parameters, so its behavior varies based on arguments passed through the sample execution command.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>ATT&amp;CK Tactic<\/strong><\/td><td><strong>ATT&amp;CK Technique<\/strong><\/td><\/tr><tr><td>DEFENSE EVASION<\/td><td>Virtualization\/Sandbox Evasion::System Checks T1497.001<\/td><\/tr><tr><td>EXECUTION<\/td><td>Command and Scripting Interpreter::T1059<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">During execution, the sample contacts Command and Control servers at the following domains:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>alliances[.]bar<\/li><li>allianceline[.]bar<\/li><li>alliancer[.]bar<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/image-3.png\" alt=\"\" class=\"wp-image-3013\" loading=\"lazy\" \/><figcaption>Connections to C2 servers during execution<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Static Analysis<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">JS File<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\"><mark><span style=\"color:#ffffff\" 
class=\"tadv-color\"><span style=\"background-color:#e91e63\" class=\"tadv-background-color\">Dropper<\/span><\/span><\/mark><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Details<\/h5>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>md5<\/strong><\/td><td>A8E17B6252ED7E3C9BDA4F55B2E3CAC9<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>E70B1DC096FDCE51C240D02BE32DEA3C6D3CE2E6<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>C36C266157D4E7B7B2DBC36D96BDE0086E31647B541B14DB70D9FE1E36BAE779<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>53 939 (bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>4.434<\/td><\/tr><tr><td><strong>Virustotal<\/strong><\/td><td>score: 26\/64<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">direction.dll<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\"><mark><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#e91e63\" class=\"tadv-background-color\">Ursnif<\/span><\/span><\/mark><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Details<\/h5>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>md5<\/strong><\/td><td>499200F6A8E223C057C6E16701740721<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>EF46F9C62B94715B750173074C51100285FF6FE9<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>D7E64F8E65CE586CE2F0A857810B2A23F85140BF5E52E5A824F09787FB2BF45E<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>258 504 (bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>6.406<\/td><\/tr><tr><td><strong>imphash<\/strong><\/td><td>D34313CE3555DEC95480BCAE2D5DEA6B<\/td><\/tr><tr><td><strong>cpu<\/strong><\/td><td>32-bit<\/td><\/tr><tr><td><strong>Virustotal<\/strong><\/td><td>score: 46\/64<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">IOC<\/h2>\n\n\n\n<ul 
class=\"wp-block-list\"><li><strong>Dropper<\/strong><ul><li><strong>MD5<\/strong>: A8E17B6252ED7E3C9BDA4F55B2E3CAC9<\/li><li><strong>SHA1<\/strong>: E70B1DC096FDCE51C240D02BE32DEA3C6D3CE2E6<\/li><li><strong>SHA256<\/strong>: C36C266157D4E7B7B2DBC36D96BDE0086E31647B541B14DB70D9FE1E36BAE779<\/li><\/ul><\/li><li><strong>Ursnif<\/strong><ul><li><strong>MD5<\/strong>: 499200F6A8E223C057C6E16701740721<\/li><li><strong>SHA1<\/strong>: EF46F9C62B94715B750173074C51100285FF6FE9<\/li><li><strong>SHA256<\/strong>: D7E64F8E65CE586CE2F0A857810B2A23F85140BF5E52E5A824F09787FB2BF45E<\/li><\/ul><\/li><li>Domains for Ursnif sample download:<ul><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674nid9fbf67b530c494389056fbaf4129f4b&amp;docExtn=zip<\/li><li>http:\/\/josymixmyhome[.]com.br\/site\/direct.php<\/li><li>https:\/\/docs.zohopublic[.]eu\/downloaddocument.do?docId=674ni1c6312a91d7149af89b6475ece38b9b3&amp;docExtn=png<\/li><\/ul><\/li><li>C2 server domains:<ul><li>alliances[.]bar<\/li><li>allianceline[.]bar<\/li><li>alliancer[.]bar<\/li><\/ul><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The observed malspam campaign demonstrates the continued reliance on multi-stage delivery chains combining T1566.001 (Phishing: Spearphishing Attachment) with T1059 (Command and Scripting Interpreter) and T1497.001 (Virtualization\/Sandbox Evasion: System Checks). The adoption of parameterized execution and environment detection reflects operator sophistication in evading <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> collection and automated analysis platforms. 
Organizations should maintain vigilance against malspam vectors and implement behavioral detection mechanisms to identify sandbox-evasion patterns during execution.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ursnif campaign of 2 August 2021: Italian-language phishing waves, payload delivery patterns and host indicators across the latest infection set.<\/p>\n","protected":false},"author":1,"featured_media":3031,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3310,3151,3309,368],"class_list":["post-3010","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-august-2021","tag-banking-trojan","tag-italian-campaign","tag-ursnif"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3010"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3010\/revisions"}],"predecessor-version":[{"id":9910,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3010\/revisions\/9910"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}