Info-stealing Malware Hits German and English-speaking Users

The Ursnif malware family is back, this time targeting the private data and financial activity of German, Russian and English-speaking users, Bitdefender warns.

Fig 1. Spam email in English


Fig 2. Spam email in German


Fig 3. Spam email in Russian

Infection Data

According to data from Bitdefender’s antispam labs, some 10,000 emails were sent as part of a global spam campaign targeting mostly Russian, German and English-speaking users.

Ursnif is classed as spyware: it specializes in information gathering but can also compromise a system completely. It usually spreads through spam emails as an archived attachment and runs only once the recipient extracts and opens it. The sample Bitdefender analyzed carries out a range of operations according to the commands it receives from its operators.

It harvests credentials and other profile data for Microsoft Outlook from these registry keys:

  • reg Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
  • reg Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

System information, gathered by running these built-in Windows tools:

  • systeminfo.exe
  • tasklist.exe
  • driverquery.exe
  • reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

Certificates and private keys from these Windows certificate stores:

  • My
  • AddressBook
  • AuthRoot
  • CertificateAuthority
  • Disallowed
  • Root
  • TrustedPeople
  • TrustedPublisher
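The reconnaissance commands above are ordinary administrative tools, so the useful signal is not any one of them but the burst: one parent process, typically a freshly dropped executable, launching several of them within seconds. The following Python is an added example written for this article, not Bitdefender's detection logic. It runs over constructed process-creation records in a pipe-separated format assumed here (loosely modelled on the fields of a Sysmon process-creation event); the parent process names and timestamps are invented for illustration. Map real EDR or Sysmon telemetry onto the same five fields to reuse the check.

```python
"""Flag a burst of host-reconnaissance commands launched by one parent process.

Added example, not Bitdefender's detection logic. Events are constructed
process-creation records (time|parent pid|parent image|child image|command line);
the format and the sample data are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands the write-up lists, matched on image name.
RECON_IMAGES = {"systeminfo.exe", "tasklist.exe", "driverquery.exe", "reg.exe"}
# For reg.exe only the installed-software enumeration counts,
# so routine registry reads by administrators do not trip the rule.
UNINSTALL_KEY = r"hklm\software\microsoft\windows\currentversion\uninstall"

# Constructed sample events (not real telemetry):
# time|parent pid|parent image|child image|command line
SAMPLE_EVENTS = r"""
2015-05-04T10:00:01|4120|C:\Users\u\AppData\Local\Temp\invoice.exe|C:\Windows\System32\systeminfo.exe|systeminfo.exe
2015-05-04T10:00:02|4120|C:\Users\u\AppData\Local\Temp\invoice.exe|C:\Windows\System32\tasklist.exe|tasklist.exe
2015-05-04T10:00:03|4120|C:\Users\u\AppData\Local\Temp\invoice.exe|C:\Windows\System32\driverquery.exe|driverquery.exe
2015-05-04T10:00:04|4120|C:\Users\u\AppData\Local\Temp\invoice.exe|C:\Windows\System32\reg.exe|reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
2015-05-04T11:30:00|880|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2015-05-04T11:30:05|2200|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist.exe
2015-05-04T12:00:00|2200|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg.exe query HKCU\Software /s
"""


def parse_events(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, ppid, parent, image, cmdline = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "ppid": int(ppid),
            "parent": parent,
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline,
        })
    return events


def is_recon(event):
    """True if the child process is one of the listed reconnaissance commands."""
    if event["image"] == "reg.exe":
        return UNINSTALL_KEY in event["cmdline"].lower()
    return event["image"] in RECON_IMAGES


def find_recon_bursts(events, min_commands=3, window=timedelta(seconds=60)):
    """Report each parent that ran `min_commands` distinct recon tools within `window`."""
    by_parent = defaultdict(list)
    for e in events:
        if is_recon(e):
            by_parent[(e["ppid"], e["parent"])].append(e)

    hits = []
    for (ppid, parent), recon in by_parent.items():
        recon.sort(key=lambda e: e["time"])
        # Sliding window anchored on each recon event in turn; one hit per parent.
        for i, first in enumerate(recon):
            seen = set()
            for e in recon[i:]:
                if e["time"] - first["time"] > window:
                    break
                seen.add(e["image"])
            if len(seen) >= min_commands:
                hits.append({"ppid": ppid, "parent": parent,
                             "start": first["time"], "commands": sorted(seen)})
                break
    return hits


if __name__ == "__main__":
    for hit in find_recon_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['start']} pid {hit['ppid']} {hit['parent']}: {', '.join(hit['commands'])}")
```

Only the dropped executable (pid 4120) trips the rule; the interactive cmd.exe session that runs tasklist and a registry query of HKCU does not, because the query is not of the Uninstall key and only one distinct tool appears in the window. Tune `min_commands` and `window` to the noise level of your own fleet before deploying.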

Ursnif can also restart the system, modify files in the Windows directory, collect or delete browser cookies, spy on the user’s browsing history, and take screenshots of the screen.

The collected data is saved in temporary folders and sent over HTTP to command-and-control (C&C) servers whose domain names are produced by a domain-generation algorithm (DGA) that draws its words from the text of the US Declaration of Independence.
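To show what a text-seeded DGA of this kind does, here is an added illustration written for this article; it is not Ursnif's actual generator, which the write-up does not describe. Both the bot and its operator seed a pseudo-random generator with the same value and pick words from an embedded excerpt of the Declaration of Independence, so they converge on the same hostnames without any being hard-coded in the binary. The seed, the two-word hostname shape, the .com TLD and the excerpt are all assumptions. The second half is the defender's side: a hostname whose label splits cleanly into words from the seed text is worth a second look, and the check is cheap enough to run over DNS logs.

```python
"""Illustrative word-list DGA and a matching detector.

Added example; not Ursnif's real algorithm (the write-up does not give it).
The excerpt, seed, word count and TLD are assumptions for illustration.
"""
import random
import re

# Short excerpt of the US Declaration of Independence, embedded so the
# example runs offline. A real DGA would carry a much larger text.
DECLARATION_EXCERPT = (
    "When in the Course of human events it becomes necessary for one people "
    "to dissolve the political bands which have connected them with another "
    "and to assume among the powers of the earth the separate and equal "
    "station to which the Laws of Nature and of Nature's God entitle them"
)


def word_list(text, min_len=3, max_len=12):
    """Ordered, de-duplicated vocabulary; both sides must derive the same list."""
    seen, out = set(), []
    for w in re.findall(r"[A-Za-z]+", text.lower()):
        if min_len <= len(w) <= max_len and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def generate_domains(seed, count=5, words_per_domain=2, tld="com",
                     text=DECLARATION_EXCERPT):
    """Bot side: deterministic hostnames from a shared seed (assumed here)."""
    rng = random.Random(seed)
    vocab = word_list(text)
    domains = []
    for _ in range(count):
        parts = [rng.choice(vocab) for _ in range(words_per_domain)]
        domains.append("".join(parts) + "." + tld)
    return domains


def segment(label, vocab, memo=None):
    """Defender side: split `label` into vocab words, or return None."""
    if memo is None:
        memo = {}
    if label == "":
        return []
    if label in memo:
        return memo[label]
    for w in vocab:
        if label.startswith(w):
            rest = segment(label[len(w):], vocab, memo)
            if rest is not None:
                memo[label] = [w] + rest
                return memo[label]
    memo[label] = None
    return None


def looks_generated(hostname, text=DECLARATION_EXCERPT):
    """True if the leftmost label is a concatenation of two or more seed words."""
    vocab = word_list(text)
    label = hostname.lower().split(".")[0]
    parts = segment(label, vocab)
    return parts is not None and len(parts) >= 2


if __name__ == "__main__":
    for d in generate_domains(seed=20150504):
        print(d, "->", "suspicious" if looks_generated(d) else "clean")
    print("bitdefender.com ->", "suspicious" if looks_generated("bitdefender.com") else "clean")
```

The detector deliberately requires at least two words, so a plain dictionary word such as people.com is not flagged; in practice you would pair it with a reputation or first-seen check, since legitimate brand names are sometimes also word concatenations.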

The encrypted code contains a configuration section that may change from sample to sample. In this case it holds URLs and details of the banking services and processes the malware targets.


Fig 4. Decrypted config file

Bitdefender detects and blocks this threat as Gen:Variant.Kazy.616358 (MD5 d2eed7c7a412246816ce3f9c67c40b39).

Bitdefender advises users to keep their AV solution up to date in order to fend off keyloggers, spyware and other persistent threats.

This article is based on the technical information provided courtesy of Bitdefender Senior Antispam Researcher Adrian MIRON, malware researchers Victor LUNCASU, Alexandru RUSU and Ivona CHILI.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.