Karsten Hahn: fileless Ursnif/Gozi static analysis and unpacking

The malware analyst Karsten Hahn recently published a very interesting video about the analysis of a sample of the well-known malware Ursnif.

Ursnif is a banking trojan and a variant of the Gozi malware; it has been observed spreading through automated exploit kits, spearphishing attacks and malicious links.

Hahn analyzed a specific variant of the malware:

Gozi is delivered via SEO poisoning of malicious websites and delivered as JScript in a ZIP archive, often disguised as an important document. After installation it is fileless, using the registry to reside in and inject the payload into legitimate processes. We analyze a Gozi sample and statically unpack the various stages of the infection chain.
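The description above says the payload is fileless and resides in the registry. A common way to hunt for such registry-resident blobs on a suspect host is to export the relevant hives and flag values that are unusually large and high-entropy, which ordinary configuration data rarely is. The following Python script is an added example, not code from Hahn's video or from this post: it parses a text export in the `reg export` (`.reg`) format, computes the byte entropy of each value, and reports the outliers. The key names, the embedded sample export and the size and entropy thresholds are all constructed for the example and are not indicators from the analyzed sample.

```python
"""Heuristic hunt for registry-resident payloads in a Windows .reg export.

Added example (not from the video or the post). Assumes a text export in
the `reg export` format. Real exports are UTF-16; a constructed ASCII
sample is embedded below so the script runs offline. Thresholds are
illustrative starting points, not values taken from the analyzed sample.
"""
import hashlib
import math
import re
from dataclasses import dataclass

MIN_BYTES = 256      # illustrative: small values are rarely a staged payload
MIN_ENTROPY = 6.5    # bits per byte; encoded/compressed blobs sit near 8.0


@dataclass
class RegValue:
    key: str
    name: str
    kind: str    # "sz", "dword" or "hex"
    data: bytes


def _constructed_blob(length: int = 512) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encoded payload (constructed)."""
    out, seed = b"", b"example-seed"
    while len(out) < length:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:length]


def _hex_list(data: bytes) -> str:
    return ",".join(f"{b:02x}" for b in data)


# Constructed sample export: two benign values and one large high-entropy blob.
# The key paths are placeholders chosen for the example, not real IoCs.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Settings]\n"
    '"Theme"="dark"\n'
    '"Retries"=dword:00000003\n\n'
    "[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Cache]\n"
    '"blob"=hex:' + _hex_list(_constructed_blob()) + "\n"
)


def parse_reg_export(text: str) -> list[RegValue]:
    """Parse [key] headers and "name"=value lines; hex data may span lines ending in a backslash."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    values, key = [], ""
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or not key:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            values.append(RegValue(key, name, "sz", raw[1:-1].encode("utf-8")))
        elif raw.startswith("dword:"):
            values.append(RegValue(key, name, "dword", bytes.fromhex(raw[6:])))
        elif raw.startswith("hex"):           # covers "hex:" and typed "hex(N):"
            hexpart = raw.split(":", 1)[1]
            values.append(RegValue(key, name, "hex", bytes.fromhex(hexpart.replace(",", ""))))
    return values


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte (0.0 for empty data, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_values(values: list[RegValue],
                      min_bytes: int = MIN_BYTES,
                      min_entropy: float = MIN_ENTROPY) -> list[RegValue]:
    """Values large enough and random-looking enough to deserve a closer look."""
    return [v for v in values
            if len(v.data) >= min_bytes and shannon_entropy(v.data) >= min_entropy]


def hunt(text: str) -> list[tuple[str, str, int, float]]:
    """Return (key, name, size, entropy) for each flagged value in an export."""
    return [(v.key, v.name, len(v.data), round(shannon_entropy(v.data), 2))
            for v in suspicious_values(parse_reg_export(text))]


if __name__ == "__main__":
    for key, name, size, ent in hunt(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {size} bytes, entropy {ent} bits/byte")
```

Run against a real `reg export` file, decode it from UTF-16 first and expect benign hits too (cached thumbnails, licensing blobs, serialized UI state); the point of the heuristic is to shortlist values for static analysis, not to classify them. Lowering the thresholds widens the net at the cost of more such false positives.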
