Researchers at Seculert have conducted an extensive analysis of the Ursnif banking Trojan and, in addition to finding a few improvements, they identified some mistakes made by the threat’s developers.
One of the changes spotted by experts is related to the malware’s sleeping feature, which increases its chances of evading sandbox detection. Sandboxing solutions typically analyze a file for only 2-3 minutes before moving on to the next sample. If a piece of malware becomes active only after a few minutes, it’s more likely to evade detection.
Earlier variants of Ursnif used sleep functions such as WaitForSingleObject or WaitForMultipleObjects for this task. However, the Trojan’s developers recently started relying on Microsoft’s Timers API, which, according to Seculert, is a unique approach.
Researchers also noticed some changes in the way Ursnif obfuscates outbound traffic in an attempt to avoid being detected by network security solutions that rely on communication pattern signatures to identify threats.
The domain generation algorithm (DGA) observed by experts in the new Ursnif variant creates domain names using words taken from a “license.txt” file hosted on Apple’s official website. However, the DGA is poorly coded and it contains a logic flaw that leads to the loss of one of the words creating the domain name.
“I believe the malware authors have no idea they have such a bug in their code because they are probably using the exact same piece of code to know which domains they should buy,” Ariel Koren, security researcher at Seculert, explained in a blog post.
Ursnif was one of the six banking Trojan families recently spotted targeting users in Canada. After reverse engineering its DGA, Seculert sinkholed one of the C&C domains and found a total of nearly 7,000 Ursnif infections over a period of five days. The highest number of infections was in Canada (3,734), followed by Poland (1,163) and the United States (958).
Koren pointed out that the DGA allows cybercriminals to easily change the file that provides the wordlist used for generating domain names.
Another mistake made by Ursnif developers is that they left behind some code that makes it easy to run the malware in virtual environments. In order to conduct tests on their own virtual machines, the developers added a check that instructs the malware to ignore verifying the presence of virtual machines if the file “C:321.txt” exists on the system. This allows researchers to analyze the malware in VMs without making any configuration changes simply by adding the “321.txt” file to the system.
Related Reading: Carberp Successor Bolek Banking Trojan Emerges
Related Reading: Gozi Banking Trojan Campaigns Target Global Brands
Related Reading: Ramnit Banking Trojan Resumes Activity

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
- US to Adopt New Restrictions on Using Commercial Spyware
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
- Webinar Tomorrow: Understanding Hidden Third-Party Identity Access Risks
- GitHub Rotates Publicly Exposed RSA SSH Private Key
