Researchers Uncovered C2 Infrastructure Used by Baking Malware Ursnif

Bridewell’s Cyber Threat Intelligence (CTI) team has discovered previously undetected Ursnif infrastructure used in 2023 campaigns, suggesting that the malware operators have not yet utilized this highly elusive infrastructure.

Ursnif Banking Malware

Ursnif, originally a banking trojan also known as Gozi, has evolved into a ransomware and data exfiltration facilitator, with its latest variant, LDR4, being identified by Mandiant in June 2022, joining the ranks of malware like:-

• Emotet
• Trickbot

In January 2023, a DFIR report highlighted a campaign involving the Urnsnif backdoor, followed by Cobalt Strike deployment and subsequent data exfiltration, with the added use of legitimate RMM tools Atera and Splashtop by the threat actor.

A phishing email was delivered to the Ursnif backdoor via a malicious ISO file. In March 2023, eSentire documented a Google Ads campaign using BatLoader to drop various second-stage payloads like Redline and Ursnif disguised as legitimate tools, followed by Cobalt Strike deployment for further intrusion activity in enterprise environments.

Ursnif Infrastructure Uncovered

In the pursuit of new Ursnif IP addresses, researchers examined recently published ones. They discovered distinctive characteristics within the associated SSL certificates, leading to the identification of potential hunting opportunities for these addresses in the wild.

By leveraging identifiable features and additional criteria, experts successfully pinpointed 72 additional servers of interest that aligned with their newly developed Ursnif hunting rule, allowing them to determine the geographical hosting locations and hosting providers associated with these servers.

Here in the below image, all the Hosting Providers are mentioned:-

Security vendors have yet to report or detect six of the 23 Ursnif C2 servers communicating with Ursnif files, despite researchers’ analysis identifying their existence.

Here below, we have mentioned those 6 detected C2 servers:-

• 95[.]46[.]8[.]157
• 193[.]164[.]149[.]143
• 79[.]133[.]124[.]62
• 45[.]11[.]181[.]117
• 92[.]38[.]169[.]142
• 31[.]214[.]157[.]31

After analysis, it was found that approximately 30% of the infrastructure revealed communication with files detected as Ursnif, with an average detection rate of only 4.78 in Virus Total among the identified Ursnif C2s; moreover, around 71.3% of the IP addresses showed no communication with any files.

Ursnif, a backdoor employed by threat actors, poses a significant risk to organizations as it is a gateway to ransomware and data exfiltration.

At the same time, it is typically distributed through malicious documents like macro-enabled office files or malicious installers obtained through Google Ad campaigns.

Ursnif has evolved from a banking trojan to aiding ransomware attacks and can be tracked by CTI teams through its C2 infrastructure, enabling defenders to respond quickly and prevent ransomware intrusions.

Mitigations

Here below, we have mentioned all the mitigations recommended by the cybersecurity researchers:-

• Ensure that your employees know the risks of opening attachments sent from unknown or suspicious sources.
• Limit unauthorized applications from untrusted sources with an application control policy.
• To detect and prevent Ursnif infections, ensure your organization uses the latest version of antivirus software and firewalls.
• Implement reference sets for detecting IoCs listed in the appendix.
• To ensure your organization is secure, it’s essential to implement a Managed Detection and Response (MDR) service that proactively monitors, detects, and responds to threats that target it.
• Assess and remediate vulnerabilities within your organization’s network and systems with a Vulnerability Management service.
• Enhance your organization’s cybersecurity posture with a Cyber Threat Intelligence (CTI) service.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus