Potential Ursnif Malware Activity - Registry
Detects the creation of a registry key under \Software\AppDataLow\Software\Microsoft\ that is not one of the expected Internet Explorer, Edge, IME or RepService subkeys, a location Ursnif uses for its own data.
Sigma rule
title: Potential Ursnif Malware Activity - Registry
id: 21f17060-b282-4249-ade0-589ea3591558
status: test
description: Detects registry keys related to Ursnif malware.
references:
    - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
    - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019-02-13
modified: 2023-02-07
tags:
    - attack.defense-evasion   # T1112 (Modify Registry) belongs to Defense Evasion, not Execution
    - attack.t1112
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
    filter:
        TargetObject|contains:
            - '\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\'
            - '\SOFTWARE\AppDataLow\Software\Microsoft\RepService\'
            - '\SOFTWARE\AppDataLow\Software\Microsoft\IME\'
            - '\SOFTWARE\AppDataLow\Software\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
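To see what the rule actually fires on, here is an added example (not part of the SigmaHQ rule or of this page) that transcribes the selection, filter and condition into Python and runs them over constructed Sysmon Event ID 12 (registry key create) records. The user SID and the subkey names in the sample events are made up; the one real semantic detail it relies on is that Sigma string matching is case-insensitive unless the `cased` modifier is used, which is why the selection's `\Software\...` and the filter's `\SOFTWARE\...` spellings are interchangeable.

```python
"""Added example, not part of the SigmaHQ rule or page: a minimal evaluator
for the Ursnif registry rule, run over constructed Sysmon Event ID 12
(registry key create) records. SID and subkey names below are made up."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    """The two Sysmon registry-event fields the rule inspects."""
    event_type: str     # Sysmon EventType: CreateKey, DeleteKey, SetValue, ...
    target_object: str  # Sysmon TargetObject: full registry path


# Rule logic transcribed from the YAML. Sigma string matching is
# case-insensitive unless the |cased modifier is used, so 'Software' in the
# selection and 'SOFTWARE' in the filter are equivalent.
SELECTION_EVENT_TYPE = "CreateKey"
SELECTION_CONTAINS = "\\Software\\AppDataLow\\Software\\Microsoft\\"
FILTER_CONTAINS = (
    "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Internet Explorer\\",
    "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\RepService\\",
    "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\IME\\",
    "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Edge\\",
)


def contains_ci(haystack: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def selection(ev: RegistryEvent) -> bool:
    """EventType: CreateKey AND TargetObject|contains the AppDataLow path."""
    return (ev.event_type.lower() == SELECTION_EVENT_TYPE.lower()
            and contains_ci(ev.target_object, SELECTION_CONTAINS))


def filter_(ev: RegistryEvent) -> bool:
    """Any of the four benign-subkey prefixes (OR over the list)."""
    return any(contains_ci(ev.target_object, f) for f in FILTER_CONTAINS)


def matches(ev: RegistryEvent) -> bool:
    """condition: selection and not filter"""
    return selection(ev) and not filter_(ev)


# Constructed sample events: a made-up user SID and made-up subkey names.
USER = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Unknown subkey directly under AppDataLow\Software\Microsoft: fires.
    RegistryEvent("CreateKey", USER + "\\Software\\AppDataLow\\Software\\Microsoft\\F4A2C1E0"),
    # Same location in a different letter case: still fires.
    RegistryEvent("CreateKey", USER + "\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\91B7D3AA\\Client"),
    # Internet Explorer and Edge subkeys are removed by the filter.
    RegistryEvent("CreateKey", USER + "\\Software\\AppDataLow\\Software\\Microsoft\\Internet Explorer\\DOMStorage"),
    RegistryEvent("CreateKey", USER + "\\Software\\AppDataLow\\Software\\Microsoft\\Edge\\LowMic"),
    # SetValue on a matching path is a registry_set event, not a CreateKey.
    RegistryEvent("SetValue", USER + "\\Software\\AppDataLow\\Software\\Microsoft\\F4A2C1E0\\Client"),
    # Key creation outside AppDataLow is never selected.
    RegistryEvent("CreateKey", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
]


def run(events):
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in run(SAMPLE_EVENTS):
        print("ALERT", ev.event_type, ev.target_object)
```

Two things the run makes visible: the rule only sees key creation, so a CreateKey has to be logged (Sysmon Event ID 12 with a configuration that covers the user hive) for the value writes that follow to matter at all, and the four filter prefixes are the whole tuning surface. Any legitimate low-integrity application that creates its own subkey under AppDataLow\Software\Microsoft\ will fire exactly like the first two sample events until its prefix is added to the filter.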
Related rules
- Blue Mockingbird
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird - Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry