Researchers Uncovered C2 Infrastructure Used by Malware Ursnif

Bridewell’s Cyber Threat Intelligence (CTI) team has discovered previously undetected Ursnif infrastructure tied to 2023 campaigns, which suggests that the malware operators have not yet made full use of this highly elusive infrastructure.

Ursnif Banking Malware

Ursnif, originally a banking trojan also known as Gozi, has evolved into a facilitator for ransomware and data exfiltration. Its latest variant, LDR4, was identified by Mandiant in June 2022, joining the ranks of malware like:-

In January 2023, a DFIR report highlighted a campaign involving the Ursnif backdoor, followed by Cobalt Strike deployment and subsequent data exfiltration, in which the threat actor also used the legitimate RMM tools Atera and Splashtop.

The Ursnif backdoor was delivered by a phishing email carrying a malicious ISO file. In March 2023, eSentire documented a Google Ads campaign that used BatLoader to drop various second-stage payloads such as Redline and Ursnif disguised as legitimate tools, followed by Cobalt Strike deployment for further intrusion activity in enterprise environments.

Ursnif Infrastructure Uncovered

In the pursuit of new Ursnif IP addresses, researchers examined recently published ones. They discovered distinctive characteristics within the associated SSL certificates, leading to the identification of potential hunting opportunities for these addresses in the wild.

By leveraging identifiable features and additional criteria, experts successfully pinpointed 72 additional servers of interest that aligned with their newly developed Ursnif hunting rule, allowing them to determine the geographical hosting locations and hosting providers associated with these servers.

All of the hosting providers are shown in the image below:-

Security vendors have yet to report or detect six of the 23 Ursnif C2 servers communicating with Ursnif files, despite researchers’ analysis identifying their existence.

The 6 C2 servers the researchers detected are listed below:-

  • 95[.]46[.]8[.]157
  • 193[.]164[.]149[.]143
  • 79[.]133[.]124[.]62
  • 45[.]11[.]181[.]117
  • 92[.]38[.]169[.]142
  • 31[.]214[.]157[.]31
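As an added example (not part of the article and not Bridewell's tooling), the Python below refangs the six addresses listed above and checks them against constructed firewall log lines for outbound connections; the log format, field names and sample lines are assumptions.

```python
import re
from typing import List, Set, Tuple

# The six defanged C2 addresses listed in the article, copied verbatim.
ARTICLE_IOCS = """
95[.]46[.]8[.]157
193[.]164[.]149[.]143
79[.]133[.]124[.]62
45[.]11[.]181[.]117
92[.]38[.]169[.]142
31[.]214[.]157[.]31
"""

# Common defanging conventions: "[.]", "(.)", "{.}" for dots and "hxxp" for http.
_DEFANG = [(re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
           (re.compile(r"hxxp", re.I), "http")]
# Whole IPv4 token: the look-arounds stop 92.38.169.142 matching inside 192.38.169.142.
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def refang(text: str) -> str:
    """Undo defanging so indicators can be compared with raw log data."""
    for pattern, repl in _DEFANG:
        text = pattern.sub(repl, text)
    return text

def load_ipv4_iocs(text: str) -> Set[str]:
    """Extract every IPv4 address from (possibly defanged) indicator text."""
    return set(_IPV4.findall(refang(text)))

def match_log(lines: List[str], iocs: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, ioc, line) for each log line that contains a listed address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in _IPV4.findall(line):
            if ip in iocs:
                hits.append((n, ip, line))
    return hits

# Constructed sample firewall log lines (assumed format, not from the article).
SAMPLE_LOG = [
    "2023-05-02T10:01:11Z allow src=10.0.0.12 dst=93.184.216.34 dport=443",
    "2023-05-02T10:01:15Z allow src=10.0.0.12 dst=95.46.8.157 dport=443",
    "2023-05-02T10:02:40Z allow src=10.0.0.31 dst=192.38.169.142 dport=443",
    "2023-05-02T10:03:02Z deny src=10.0.0.31 dst=31.214.157.31 dport=8080",
]

if __name__ == "__main__":
    for n, ip, line in match_log(SAMPLE_LOG, load_ipv4_iocs(ARTICLE_IOCS)):
        print(f"line {n}: {ip} <- {line}")
```

Line 3 of the sample is a deliberate near-miss (192.38.169.142) that a plain substring search would wrongly flag.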

After analysis, it was found that approximately 30%…

Source…