Sniffing Out URSNIF

Written by: Ryan Angelo Certeza

URSNIF is a family of spyware notorious for adopting different behaviors from other malware types (e.g., backdoors, file infectors). This trait allows the malware to avoid detection, enhancing the effectiveness of its info-stealing routines. It has been spotted infecting users in the U.S. and the U.K. since December 2014.
The most notable behaviors URSNIF has been found adopting from different malware types include:
  • file infection
  • code injection into certain processes
  • API-hooking onto active browsers
  • taking screenshots of browser activity
  • backdoor routines (performing commands of remote malicious users)
As more variants are discovered, the number of behaviors that URSNIF adopts also grows, which shows us that cybercriminals can adjust the features and capabilities of their malicious creations to make them much more damaging.

How does URSNIF arrive into users’ systems?

URSNIF variants often arrive at users’ systems by being downloaded from remote sites by other malware or through spammed messages. Besides this, some variants have been spotted to spread to other systems via removable drives and network shares.

What happens when URSNIF infects systems?



The infection routines of URSNIF vary from variant to variant. A typical infection proceeds as follows.
  • Once inside a system, an URSNIF variant drops a copy of itself.
  • It creates registry entries to ensure automatic execution during system startup.
  • It injects itself into certain processes, such as explorer.exe, smss.exe, and csrss.exe.
  • It searches for and infects files with certain types/extensions, such as .PDF and .EXE.
  • It gathers system information from the affected system, specifically, digital certificates, computer name, processes, contents of specific registries, cookies, and drivers. It may also take screenshots of browser activities.
  • It may also communicate to a C&C server to send the gathered information, and to perform commands from remote malicious users.

How does this threat affect users?

URSNIF affects users by stealing their personal information, such as online banking account credentials, with its information-stealing routines. URSNIF does this by hooking various executables and APIs in active browsers to monitor activity. This allows the malware to spy on and steal the information sent and received while the browser is in use. This can lead to financial losses for the victim. Stolen funds from victims may also be used to sponsor cybercriminal activities.

Screenshots of browser activities are also taken, which violates privacy. The screenshots may capture details or activities that a user may not wish to share with anyone. This can lead to reputation damage and/or be used as leverage for blackmail.

Why is this threat notable?

URSNIF is notable not only because it comes in various threat types with multiple information-stealing features, but also because it sports file infection routines that help it evade detection. The fact that its variants can come in many different forms and infect files in multiple ways gives it a polymorphic nature. Each possible variant may require a completely different detection that traditional security solutions may not have at the time of infection.

Recently found variants, such as PE_URSNIF, also sport a unique evasion technique involving .PDF files: It “embeds” each PDF file it finds into itself and its copies. As such, when the user executes the disguised malware, the PDF file itself also opens, concealing the malware’s activation. The PDF file itself remains uninfected; it is only being “hosted” by the malware itself.
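
The following Python triage check is an added example, not part of the original article or of any Trend Micro tool: it flags a Windows executable that hosts a complete PDF document, as described above, and carves the document out so the user's file can be recovered. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Constructed sample data (not real malware): a minimal PDF, and a stub with
# just enough DOS/PE header to be recognised, followed by that PDF.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF"
STUB_PE = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 64
SAMPLE_HOST = STUB_PE + SAMPLE_PDF + b"\0" * 16


def is_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def embedded_pdfs(data: bytes) -> list:
    """Return (start, end) offsets of each complete %PDF- ... %%EOF document."""
    spans, pos = [], 0
    while (start := data.find(b"%PDF-", pos)) != -1:
        nxt = data.find(b"%PDF-", start + 5)
        limit = nxt if nxt != -1 else len(data)
        # A PDF with incremental updates has several %%EOF markers; take the last.
        eof = data.rfind(b"%%EOF", start, limit)
        if eof != -1:
            spans.append((start, eof + 5))
        pos = start + 5
    return spans


def triage(data: bytes) -> dict:
    """Classify a file and carve out any PDF documents hosted inside an executable."""
    if not is_pe(data):
        kind = "pdf" if data.startswith(b"%PDF-") else "other"
        return {"kind": kind, "hosted_pdfs": []}
    carved = [data[s:e] for s, e in embedded_pdfs(data)]
    return {"kind": "pe-hosting-pdf" if carved else "pe", "hosted_pdfs": carved}


if __name__ == "__main__":
    for label, blob in [("host", SAMPLE_HOST), ("stub", STUB_PE), ("pdf", SAMPLE_PDF)]:
        result = triage(blob)
        print(label, result["kind"], [len(p) for p in result["hosted_pdfs"]])
```

Legitimate installers can also carry PDF documents, so a "pe-hosting-pdf" result marks a file for closer inspection and is not a verdict on its own.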

The fact that the cybercriminals behind URSNIF are continuously adding routines to their creation also makes this a still-extant threat to end users, one that should be taken into serious consideration.

Are Trend Micro users protected from this threat?

Yes. Through the Trend Micro™ Smart Protection Network™ with its three-fold correlation engines, URSNIF, together with all its variants, components, and related spam/elements, is blocked from systems with Trend Micro solutions installed.

What can users do to prevent these threats from affecting their computers? What should they do if they suspect infection?

Users can protect themselves by adhering to the following best practices:
  • Treat every removable drive as a potential infector. Never plug a removable drive, even if it’s from a trusted source, into a system that does not have a security solution installed.
  • Delete any suspicious-looking emails you receive, especially if they sport links and/or attachments. Don’t even open them. Just delete them.
  • Install a security solution that also covers email in its protective scope. This should remove the chance of you accidentally opening malicious email/malicious attachments in the first place.
  • If you suspect URSNIF infection, immediately change your online banking account passwords using a different, and hopefully uninfected, system. Immediately call your bank so they can be on the lookout for any fraudulent transactions related to your account taking place. Do the same for any account that you may have accessed using your infected system.

Besides these tips, IT administrators should also properly configure network sharing, which is one of the ways URSNIF can spread. For example, computers shouldn’t be given blanket access within the network. Network access can also be configured to “read only,” not “read-write.”