A Series of Post-Exploitation Activities from an Ursnif Infection
Category: Malware Campaign | Industry: Global | Source: Kostas
In early July 2023, a security researcher under the handle Kostas reported an investigation into an Ursnif malware infection. The findings offer valuable insights into the malware's behaviour, revealing post-exploitation activity that included automated tasks executed by the malware, periods of deliberate inactivity indicating a coordinated criminal effort, and hands-on-keyboard activity. The initial infection was attributed to a phishing email containing a malicious PDF file. Upon execution, the Ursnif malware quickly performed a series of tasks to enumerate the host, establish persistence, and perform process injection. After 30 minutes, hands-on-keyboard actions were observed, with additional discovery commands, PowerShell execution, and Cobalt Strike. Overall, the observed activity spanned 10 hours between July 4th and July 5th. Kostas assesses the periods of inactivity as hand-over activity between different criminal groups, such as from initial access brokers to threat actors. "During the intrusion, it seemed like the infected host was shared among multiple groups. This is due to the long periods of inactivity observed, the different C2 channels as well as the repetitive enumeration commands on every newly established connection to a different C2 infrastructure," said Kostas.