Fresh Ursnif (GOZI/ ISFB) campaign

Some Russian campaign running over leaked email spreads different kind of malware. Today on Yahoo mail has come some fresh Ursnif with 0 detections. |
The domain used for my email was inactive and there was no file for download, but I found it somewhere else.
In the pictures below will find the research steps:

Was easy to find a sample of malware using the SHA256 (d6c0ca87f712c0633eab5ac020ceaad2e256cd3251808ce7c7b45faf4042123e) on Google.
The .zip file is detected and this may be an advantage for the users IF they are using the Antivirus that have on his database this sample… but this is another discussion…
At this moment the VirusTotal says 18/57.. so is going to be better in a few hours.

Now.. extracting them one by one we have a good encrypted malware named Ursnif (GOZI/ ISFB). This malware is trying to steal baking credentials from his victims and the hacker may have access to the system.

I will not explain the whole process at this time but the way to do that you will find it on the recent post I’ve made:
https://www.prodefence.org/malware-analysis-gozi-ifsb-bank-trojan-aka-ursnif/

Useful links:
Urlscan with samples
VirusTotal .zip
VirusTotal .js
VirusTotal .bin

Alex Anghelus

SC Prodefence SRL CEO - Cyber Security, Pentesting & Ethical Hacking - Malware Analyst

SC ProDefence SRL - Cyber Security Services