Ursnif Redirection Of Discovery Commands

    Date: 10/08/2024

    Severity: Medium

    Summary

    "Ursnif Redirection of Discovery Commands" describes a host-discovery behaviour of the Ursnif (also known as Gozi/ISFB) banking trojan, not any manipulation of network traffic. After infection, Ursnif launches cmd.exe from the victim's explorer.exe and runs built-in discovery commands (such as systeminfo or net view) via the /C switch, appending their output with >> to a file with a .bin extension under the user's AppData\Local\Temp directory so that the collected results can later be retrieved and sent to the operators. The "redirection" in the title is therefore shell output redirection, not traffic redirection. An individual discovery command is benign on its own; it is the combination of the explorer.exe to cmd.exe parent/child relationship, the /C switch, and the append to *\AppData\Local\Temp\*.bin that forms the distinctive process-creation pattern. Catching this reconnaissance stage gives responders an early opportunity to contain the host before credential theft, data exfiltration, or delivery of follow-on payloads.

    Indicators of Compromise (IOC) List

    Image (ends with)

    '\cmd.exe'

    ParentImage (ends with)

    '\explorer.exe'

    CommandLine (contains all of)

    '/C '

    ' >> *\AppData\local\temp\*.bin'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((resourcename in ("Sysmon") AND eventtype = "1") AND image = "\cmd.exe") AND ParentImage = "\explorer.exe" AND commandline in ("/C "," >> *\AppData\local\temp\*.bin"))

    Detection Query 2

    (((technologygroup = "EDR") AND image = "\cmd.exe") AND ParentImage = "\explorer.exe" AND commandline in ("/C "," >> *\AppData\local\temp\*.bin"))

    Note on matching semantics: the referenced Sigma rule uses Image|endswith, ParentImage|endswith and CommandLine|contains|all, and Sigma string matching is case-insensitive with * as a wildcard. The queries above must be evaluated with the same semantics or they will not fire: image = "\cmd.exe" and ParentImage = "\explorer.exe" are suffix matches on the full process path, both CommandLine fragments must be present in the same command line (the in list is a conjunction here, not an either-or), and the \AppData\local\temp fragment must be compared case-insensitively because the real path on disk is \AppData\Local\Temp.
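    The following Python is an added worked example (not the Sigma rule itself and not Gurucul code) that applies the rule's three-field selection to Sysmon Event ID 1 records with Sigma semantics: case-insensitive suffix matches for Image and ParentImage, and case-insensitive wildcard substring matches for every CommandLine fragment. The sample events, paths and file names are constructed for the demonstration.

```python
"""Apply the Ursnif 'redirection of discovery commands' selection to Sysmon
process-creation events using Sigma matching semantics (case-insensitive,
'*' wildcard, endswith / contains-all modifiers)."""
import re

# Selection reconstructed from the referenced Sigma rule (assumed, not copied verbatim):
#   Image|endswith:           '\cmd.exe'
#   ParentImage|endswith:     '\explorer.exe'
#   CommandLine|contains|all: '/C ', ' >> *\AppData\local\temp\*.bin'
IMAGE_SUFFIX = "\\cmd.exe"
PARENT_SUFFIX = "\\explorer.exe"
CMDLINE_FRAGMENTS = ["/C ", " >> *\\AppData\\local\\temp\\*.bin"]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match on the full path."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, pattern: str) -> bool:
    """Sigma 'contains' with the unescaped '*' wildcard, case-insensitive.

    Each literal segment between wildcards is regex-escaped so the backslashes
    and dots in the path are matched literally; every '*' becomes '.*'.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, value, re.IGNORECASE) is not None


def matches_ursnif_redirection(event: dict) -> bool:
    """True only when all three selection fields match (a Sigma selection is an AND)."""
    return (
        sigma_endswith(event.get("Image", ""), IMAGE_SUFFIX)
        and sigma_endswith(event.get("ParentImage", ""), PARENT_SUFFIX)
        and all(sigma_contains(event.get("CommandLine", ""), f) for f in CMDLINE_FRAGMENTS)
    )


def detect(events: list) -> list:
    """Keep Sysmon Event ID 1 (process creation) events that show the Ursnif pattern."""
    return [e for e in events if e.get("EventID") == 1 and matches_ursnif_redirection(e)]


# Constructed sample events (not real telemetry); user names, paths and file names are invented.
SAMPLE_EVENTS = [
    {   # True positive: explorer.exe -> cmd.exe appending systeminfo output to a %TEMP% .bin
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd /C systeminfo >> C:\Users\alice\AppData\Local\Temp\1234.bin",
    },
    {   # True positive: lower-case /c, upper-case image path; still matches case-insensitively
        "EventID": 1,
        "Image": r"C:\WINDOWS\system32\CMD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd /c nltest /domain_trusts >> C:\Users\alice\AppData\Local\Temp\5678.bin",
    },
    {   # Benign: same parent/child pair but no output redirection
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd /C ipconfig /all",
    },
    {   # Not the rule's shape: parent is a script host rather than explorer.exe
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"cmd /C systeminfo >> C:\Users\alice\AppData\Local\Temp\out.bin",
    },
    {   # Redirection into %TEMP%, but not to a .bin file
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd /C net view >> C:\Users\alice\AppData\Local\Temp\net.txt",
    },
    {   # Wrong event type: Sysmon network connection (EID 3), not process creation
        "EventID": 3,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd /C systeminfo >> C:\Users\alice\AppData\Local\Temp\1234.bin",
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT Ursnif discovery redirection:", hit["CommandLine"])
```

    Only the first two constructed events fire: the third lacks the redirection, the fourth has the wrong parent, the fifth writes a .txt rather than a .bin, and the sixth is not a process-creation event. Note that the match depends on case-insensitive comparison of the \AppData\local\temp fragment; a case-sensitive query engine would miss the real \AppData\Local\Temp path.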

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml 


    Tags

    Sigma, Malware
