Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
Sigma rule (View on GitHub)
1title: Potential Ursnif Malware Activity - Registry
2id: 21f17060-b282-4249-ade0-589ea3591558
3status: test
4description: Detects registry keys related to Ursnif malware.
5references:
6 - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
7 - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
8author: megan201296
9date: 2019/02/13
10modified: 2023/02/07
11tags:
12 - attack.execution
13 - attack.t1112
14logsource:
15 product: windows
16 category: registry_add
17detection:
18 selection:
19 EventType: CreateKey
20 TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
21 filter:
22 TargetObject|contains:
23 - '\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\'
24 - '\SOFTWARE\AppDataLow\Software\Microsoft\RepService\'
25 - '\SOFTWARE\AppDataLow\Software\Microsoft\IME\'
26 - '\SOFTWARE\AppDataLow\Software\Microsoft\Edge\'
27 condition: selection and not filter
28falsepositives:
29 - Unknown
30level: high
References
-
Introduction Another wave of Ursnif attacks hits Italy. Ursnif is one of the most active banking trojan. It is also known as GOZI, in fact it is a fork of the original Gozi-ISFB banking Trojan that got its source code leaked in 2014 updating and evolving Gozi features over the years. Also in this variant, […]
Read More -
A spam campaign we observed in September indicates attackers are angling towards a more sophisticated form of phishing. The campaign uses hijacked email accounts to deliver URSNIF as part of or as a response to an existing email thread.
Read More
Related rules
- Registry Entries For Azorult Malware
- Removal of Potential COM Hijacking Registry Keys
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- Terminal Server Client Connection History Cleared - Registry
- Renamed FTP.EXE Execution