Malware & Threats

New Ursnif Variant Shows Developers Are Careless

Researchers at Seculert have conducted an extensive analysis of the Ursnif banking Trojan and, in addition to finding a few improvements, they identified some mistakes made by the threat’s developers.


One of the changes spotted by experts is related to the malware’s sleeping feature, which increases its chances of evading sandbox detection. Sandboxing solutions typically analyze a file for only 2-3 minutes before moving on to the next sample. If a piece of malware becomes active only after a few minutes, it’s more likely to evade detection.

Earlier variants of Ursnif implemented the delay with blocking wait calls such as WaitForSingleObject or WaitForMultipleObjects. The Trojan’s developers recently switched to Microsoft’s Timers API for this purpose, which, according to Seculert, is an approach not seen in other malware.

Researchers also noticed some changes in the way Ursnif obfuscates outbound traffic in an attempt to avoid being detected by network security solutions that rely on communication pattern signatures to identify threats.

The domain generation algorithm (DGA) observed by experts in the new Ursnif variant builds domain names from words taken from a “license.txt” file hosted on Apple’s official website. However, the DGA is poorly coded: a logic flaw causes one of the words that should make up each domain name to be dropped, so the domains actually generated are not the ones the algorithm was evidently meant to produce.

“I believe the malware authors have no idea they have such a bug in their code because they are probably using the exact same piece of code to know which domains they should buy,” Ariel Koren, security researcher at Seculert, explained in a blog post.

Ursnif was one of the six banking Trojan families recently spotted targeting users in Canada. After reverse engineering its DGA, Seculert sinkholed one of the C&C domains and found a total of nearly 7,000 Ursnif infections over a period of five days. The highest number of infections was in Canada (3,734), followed by Poland (1,163) and the United States (958).

Koren pointed out that the DGA allows cybercriminals to easily change the file that provides the wordlist used for generating domain names.
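The following is an added illustration, not Ursnif’s code or Seculert’s: a wordlist-driven DGA with the class of off-by-one flaw the article describes (the last selected word never makes it into the name), and the defender’s side of the story, in which the reverse-engineered algorithm is used to predict the live domains and match them against DNS logs. The wordlist, the SHA-256-based seeding, the log format and the log lines are all constructed assumptions; the real malware’s word selection, seeding and domain count are not described on this page.

```python
"""Wordlist DGA with a word-dropping bug, plus detection against DNS logs.

Added example. Everything here (wordlist, seeding scheme, log format) is an
assumption for illustration; it is not the Ursnif DGA or Seculert's code.
"""
import hashlib

# Constructed stand-in for the words the malware pulls from a remote text file.
# Because the list is fetched at run time, the operators can swap the file to
# change every future domain without touching the binary.
WORDLIST = ["apple", "software", "license", "agreement", "terms", "binary",
            "copy", "install", "use", "third", "party"]
TLDS = [".com", ".net"]
SAMPLE_DAY = "2016-06-24"


def _byte_stream(seed: str):
    """Deterministic byte generator: SHA-256 chained on the seed (assumption)."""
    state = hashlib.sha256(seed.encode()).digest()
    while True:
        for b in state:
            yield b
        state = hashlib.sha256(state).digest()


def generate_domains(words, day_iso, count=5, words_per_domain=3, buggy=False):
    """Return `count` domains for the given day.

    With buggy=False each name is the concatenation of `words_per_domain`
    words, which is what the author evidently intended. With buggy=True the
    slice bound is off by one, so the last word chosen is silently dropped.
    Both paths consume the same bytes from the generator, so the buggy name
    is always a strict prefix of the intended one with the same TLD.
    """
    stream = _byte_stream(f"{day_iso}:{len(words)}")
    domains = []
    for _ in range(count):
        chosen = [words[next(stream) % len(words)] for _ in range(words_per_domain)]
        bound = words_per_domain - 1 if buggy else words_per_domain   # the flaw
        tld = TLDS[next(stream) % len(TLDS)]
        domains.append("".join(chosen[:bound]) + tld)
    return domains


def flag_dga_queries(log_lines, predicted_domains):
    """Return (client_ip, name) for DNS queries that hit a predicted domain.

    Constructed log format: "<timestamp> <client_ip> query <qname>".
    """
    wanted = {d.lower() for d in predicted_domains}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].lower().rstrip(".")
        if qname in wanted:
            hits.append((parts[1], qname))
    return hits


def build_sample_log(live_domains):
    """Constructed DNS log: two infected hosts plus benign noise."""
    return [
        f"{SAMPLE_DAY}T10:00:01Z 10.0.0.5 query {live_domains[0]}.",
        f"{SAMPLE_DAY}T10:00:02Z 10.0.0.9 query www.example.com.",
        f"{SAMPLE_DAY}T10:00:03Z 10.0.0.7 query {live_domains[1]}",
    ]


if __name__ == "__main__":
    # The operators register what their own (buggy) code emits, so the
    # defender has to model the bug, not the intent, or the sinkhole misses.
    live = generate_domains(WORDLIST, SAMPLE_DAY, buggy=True)
    intended = generate_domains(WORDLIST, SAMPLE_DAY, buggy=False)
    log = build_sample_log(live)
    print("live domains     :", live)
    print("intended domains :", intended)
    print("hits (buggy model):", flag_dga_queries(log, live))
    print("hits (clean model):", flag_dga_queries(log, intended))
```

The point a sinkhole operator cares about is in the last two lines: predicting with the algorithm as it was meant to work yields no matches, because the authors register whatever their buggy code produces. A reverse engineer has to reproduce the flaw faithfully, and should expect the domain set to change the moment the operators swap the remote wordlist file.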

Another mistake made by the Ursnif developers is that they left a testing shortcut in the shipped code. To run the malware on their own virtual machines during development, they added a check that tells it to skip its virtual-machine detection entirely if the file “C:321.txt” exists on the system. The result is that researchers can analyze the sample inside a VM without changing the VM’s configuration at all; simply creating the “321.txt” file is enough to bypass the anti-VM logic.

Related Reading: Carberp Successor Bolek Banking Trojan Emerges

Related Reading: Gozi Banking Trojan Campaigns Target Global Brands

Related Reading: Ramnit Banking Trojan Resumes Activity

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
