Karsten Hahn: fileless Ursnif/Gozi static analysis and unpacking

The malware analyst Karsten Hahn recently published a very interesting video about the analysis of a sample of the well-known malware Ursnif.

Ursnif is a banking trojan, a variant of the Gozi malware, observed being spread through various automated exploit kits, spear-phishing attacks and malicious links.

Hahn analyzed a specific variant of the malware:

Gozi is delivered via SEO poisoning of malicious websites and delivered as JScript in a ZIP archive, often disguised as an important document. After installation it is fileless, using the registry to reside in and inject the payload into legitimate processes. We analyze a Gozi sample and statically unpack the various stages of the infection chain.

The video

Used tools
