Karsten Hahn: fileless Ursnif/Gozi static analysis and unpacking

The malware analyst Karsten Hahn recently published an interesting video on analysing a sample of the well-known Ursnif malware.

Ursnif is a banking trojan and a variant of the Gozi malware; it has been observed spreading through automated exploit kits, spearphishing attacks and malicious links.

Hahn analyzed a specific variant of the malware:

Gozi is delivered via SEO poisoning of malicious websites and delivered as JScript in a ZIP archive, often disguised as an important document. After installation it is fileless, using the registry to reside in and inject the payload into legitimate processes. We analyze a Gozi sample and statically unpack the various stages of the infection chain.
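The description above names the artefact a defender can hunt for: a payload that lives in the registry rather than on disk. As an added example (not code from the video or from Hahn, and not tied to the analysed sample), the following Python script parses a regedit `.reg` export and flags values that are both payload-sized and high-entropy, which is what packed or encrypted code stashed in a REG_BINARY or base64 REG_SZ value looks like next to ordinary configuration data. The export, the key names and the payload bytes are constructed here for the example; they are not Gozi's.

```python
"""Hunt for payload-sized, high-entropy values in a Windows registry export.

Parses regedit's .reg format: key headers in [...], "name"=value lines,
dword:/hex: data, and hex data continued across lines with a trailing
backslash. Values above a size and an entropy threshold are reported.
The sample export at the bottom is constructed for this example.
"""
import base64
import math
import random
import re
from collections import Counter

MIN_SIZE = 2048      # bytes; ordinary configuration values are far smaller
MIN_ENTROPY = 5.0    # bits per byte; packed or encrypted code is usually > 6

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _decode_value(raw: str):
    """Return (kind, data_bytes) for the right-hand side of a .reg value line."""
    if raw.startswith('"'):
        text = re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\ escapes
        # A long base64-looking REG_SZ is a common way to hide binary data;
        # score the decoded bytes rather than the text.
        if len(text) >= 64 and len(text) % 4 == 0 and _B64_RE.match(text):
            try:
                return "REG_SZ(base64)", base64.b64decode(text, validate=True)
            except ValueError:
                pass
        return "REG_SZ", text.encode("utf-16-le")
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16).to_bytes(4, "little")
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:
        kind = "REG_BINARY" if m.group(1) is None else f"REG_TYPE_{m.group(1)}"
        return kind, bytes.fromhex(m.group(2).replace(",", ""))
    return "UNKNOWN", raw.encode()


def parse_reg(text: str):
    """Yield (key, value_name, kind, data) for every value in a .reg export."""
    key = None
    logical = ""
    for line in text.splitlines():
        logical += line.strip()
        if logical.endswith("\\"):          # hex data continues on the next line
            logical = logical[:-1]
            continue
        entry, logical = logical, ""
        if not entry or entry.startswith("Windows Registry Editor"):
            continue
        if entry.startswith("[") and entry.endswith("]"):
            key = entry[1:-1]
            continue
        m = _VALUE_RE.match(entry)
        if m and key is not None:
            name = "(Default)" if m.group(1) is None else m.group(1)
            kind, data = _decode_value(m.group(2))
            yield key, name, kind, data


def find_payload_candidates(text: str, min_size=MIN_SIZE, min_entropy=MIN_ENTROPY):
    """Values large and random enough to be a stashed payload, largest first."""
    hits = []
    for key, name, kind, data in parse_reg(text):
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= min_entropy:
            hits.append({"key": key, "name": name, "kind": kind,
                         "size": len(data), "entropy": round(ent, 2)})
    return sorted(hits, key=lambda h: h["size"], reverse=True)


def _hex_lines(data: bytes, per_line: int = 25) -> str:
    """Format bytes the way regedit exports them: 25 per line, '\\' continuation."""
    chunks = [",".join(f"{b:02x}" for b in data[i:i + per_line])
              for i in range(0, len(data), per_line)]
    return ",\\\n  ".join(chunks)


# Constructed sample export. The random bytes stand in for packed code; the
# 3000 zero bytes are a benign large value that size alone would misflag.
_rng = random.Random(1337)
_FAKE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_REG = f'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Settings]
"Theme"="dark"
"LastRun"=dword:0000002a
"Cache"=hex:{_hex_lines(bytes(3000))}

[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Stage]
"Blob"=hex:{_hex_lines(_FAKE_PAYLOAD)}
"Script"="{base64.b64encode(_FAKE_PAYLOAD[:3000]).decode()}"
'''

if __name__ == "__main__":
    for hit in find_payload_candidates(SAMPLE_REG):
        print(f'{hit["key"]}\\{hit["name"]}  {hit["kind"]}  '
              f'{hit["size"]} bytes  entropy {hit["entropy"]}')
```

On a live host the input would be `reg export HKCU\Software out.reg` (or a hive exported from a forensic image); the entropy gate is what keeps benign large values such as MRU lists and zeroed caches out of the results, and the base64 branch matters because string-typed values are what script-based loaders tend to write.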
