Ursnif Malware C2 URL Pattern

 1title: Ursnif Malware C2 URL Pattern
 2id: 932ac737-33ca-4afd-9869-0d48b391fcc9
 3status: stable
 4description: Detects Ursnif C2 traffic.
 5references:
 6    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
 7author: Thomas Patzke
 8date: 2019/12/19
 9modified: 2021/08/09
10tags:
11    - attack.initial_access
12    - attack.t1566.001
13    - attack.execution
14    - attack.t1204.002
15    - attack.command_and_control
16    - attack.t1071.001
17logsource:
18    category: proxy
19detection:
20    b64encoding:
21        c-uri|contains:
22            - '_2f'
23            - '_2b'
24    urlpatterns:
25        c-uri|contains|all:
26            - '.avi'
27            - '/images/'
28    condition: b64encoding and urlpatterns
29falsepositives:
30    - Unknown
31level: critical

References

• New Ursnif Variant Spreading by Word Document

  

  FortiGuard Labs recently captured a number of Word documents that were spreading a new variant of the Ursnif trojan. Learn more about how it operates and the techniques it uses. …

  
  Read More

Related rules

• Exploit for CVE-2017-0261
• Exploit for CVE-2017-8759
• Download From Suspicious TLD - Whitelist
• Suspicious Installer Package Child Process
• Arbitrary Shell Command Execution Via Settingcontent-Ms