Ursnif, also known as Gozi, is a widely distributed information-stealing malware family that first emerged in 2012. Since then the malware has gone through several variations; the latest distribution uses Word document attachments containing malicious PowerShell commands. A new Ursnif campaign was recently observed targeting customers of various financial institutions in the US, Canada, and Italy.
This report describes known details of this campaign and the infrastructure it leveraged. Malware and infrastructure artifacts for the campaign also showed possible targeting of software and technology service companies, indicating an additional targeting requirement for the attackers.
In January 2019, researchers reported new Ursnif attacks that achieved file-less persistence using encoded PowerShell commands delivered through malicious Word documents. PowerShell has become increasingly popular with attackers because it can download second-stage payloads and execute them in memory, which reduces the footprint left on the infected system.
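The encoded-PowerShell delivery described above is visible to defenders in process-creation telemetry (for example Sysmon Event ID 1 or Windows Security Event 4688 command lines). The following is an added example, not code from the report or from the researchers cited; it shows how a detection script can recognise PowerShell launched with an `-EncodedCommand` style switch (PowerShell accepts any unambiguous prefix such as `-e`, `-ec` or `-enc`), decode the base64 UTF-16LE script so an analyst can read it, and note common companion switches such as a hidden window or `-NoProfile`. The command lines and the encoded script are constructed for the example; the keyword list is an assumed, minimal set of review hints rather than a complete rule.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell decodes -EncodedCommand as base64 over UTF-16LE text, so the
# encoder below reproduces that layout for the constructed sample.
def encode_powershell(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed, harmless script used to build the sample log line.
CONSTRUCTED_SCRIPT = "Write-Output 'constructed harmless sample'"

# Constructed process command lines, shaped like 4688 / Sysmon EID 1 records.
SAMPLE_COMMAND_LINES: List[str] = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Date',
    "powershell.exe -w hidden -nop -enc " + encode_powershell(CONSTRUCTED_SCRIPT),
    r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\invoice.docm"',
]

# Every unambiguous prefix of "encodedcommand" (-e, -ec, -en, -enc, ...).
ENCODED_PREFIXES = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}

# Assumed review hints: substrings in the decoded script worth an analyst's look.
DECODED_KEYWORDS = ["Invoke-Expression", "IEX", "DownloadString", "Net.WebClient", "FromBase64String"]

# Split a Windows command line on whitespace while keeping quoted paths whole.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def decode_encoded_command(blob: str) -> Optional[str]:
    """Return the UTF-16LE script behind an -EncodedCommand blob, or None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def analyze_command_line(cmd: str) -> Dict[str, object]:
    """Inspect one process command line for encoded-PowerShell execution."""
    result: Dict[str, object] = {"is_powershell": False, "encoded": False, "decoded": None, "indicators": []}
    tokens = TOKEN_RE.findall(cmd)
    if not tokens:
        return result
    exe = tokens[0].strip('"').lower()
    if not (exe.endswith("powershell.exe") or exe.endswith("pwsh.exe") or exe == "powershell"):
        return result
    result["is_powershell"] = True
    indicators: List[str] = result["indicators"]  # type: ignore[assignment]
    for i, tok in enumerate(tokens[1:], start=1):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if low.startswith("-") and low[1:] in ENCODED_PREFIXES and nxt:
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(tokens[i + 1])
        elif low in ("-w", "-win", "-windowstyle") and nxt == "hidden":
            indicators.append("hidden-window")
        elif low in ("-nop", "-noprofile"):
            indicators.append("no-profile")
        elif low in ("-noni", "-noninteractive"):
            indicators.append("non-interactive")
    decoded = result["decoded"]
    if isinstance(decoded, str):
        for kw in DECODED_KEYWORDS:
            if kw.lower() in decoded.lower():
                indicators.append("decoded:" + kw)
    return result


def is_suspicious(analysis: Dict[str, object]) -> bool:
    """Flag encoded execution outright, or two or more stealth switches together."""
    return bool(analysis["encoded"]) or len(analysis["indicators"]) >= 2  # type: ignore[arg-type]


def scan(lines: List[str]) -> List[int]:
    """Return indices of command lines that merit analyst review."""
    return [i for i, line in enumerate(lines) if is_suspicious(analyze_command_line(line))]


if __name__ == "__main__":
    for idx in scan(SAMPLE_COMMAND_LINES):
        a = analyze_command_line(SAMPLE_COMMAND_LINES[idx])
        print(f"[{idx}] indicators={a['indicators']} decoded={a['decoded']!r}")
```

Decoding the blob matters more than matching the switch: the decoded text is what tells the analyst whether the script stages a download, and it is what feeds follow-up indicators. Encoded execution by administrators does occur, so in production this logic would be paired with parent-process context (a PowerShell child of WINWORD.EXE being the pattern this campaign's document lure would produce) rather than used as a standalone alert.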
Download the full report: TIR-19-106-001.pdf