Ursnif Trojan – Stealthy Memory Execution

T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.

T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.

T1562.004 – The malware uses PowerShell commands to disable Windows Defender.

T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.

T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.

T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.
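Added illustration, not part of this report: a Python pass over constructed process-creation events that flags the T1140, T1562.004 and T1059.003 steps above and links the file certutil decoded to the cmd.exe that later runs it. The report does not name the Defender-disabling command; the Set-MpPreference -DisableRealtimeMonitoring form, the paths and the PIDs below are assumed sample values.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed process-creation events: (pid, ppid, image, command line). Not real telemetry.
EVENTS = [
    (4000, 1000, "explorer.exe", "explorer.exe"),
    (4100, 4000, "cmd.exe", r"cmd.exe /c certutil.exe -decode %TEMP%\invoice.pdf.txt %TEMP%\upd.exe"),
    (4101, 4100, "certutil.exe", r"certutil.exe -decode %TEMP%\invoice.pdf.txt %TEMP%\upd.exe"),
    (4102, 4100, "powershell.exe", "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    (4103, 4100, "cmd.exe", r"cmd.exe /c %TEMP%\upd.exe"),
    (4200, 4000, "certutil.exe", r"certutil.exe -hashfile C:\setup.msi SHA256"),  # benign certutil use
]

# certutil -decode / -decodehex <input> <output>: capture the output path for later correlation.
CERTUTIL_DECODE = re.compile(r"-decode(?:hex)?\s+(\S+)\s+(\S+)", re.IGNORECASE)
# Assumed form of a Defender-tampering command: Set-MpPreference -Disable<Feature> $true.
DEFENDER_OFF = re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.IGNORECASE)


def detect(events: Iterable[Tuple[int, int, str, str]]) -> List[Tuple[str, int]]:
    """Return (ATT&CK technique, pid) findings in event order."""
    findings: List[Tuple[str, int]] = []
    decoded_outputs: Dict[str, int] = {}  # lower-cased output path -> certutil pid
    for pid, _ppid, image, cmd in events:
        img = image.lower()
        if img == "certutil.exe":
            m = CERTUTIL_DECODE.search(cmd)
            if m:  # T1140: Base64 payload decoded with certutil
                findings.append(("T1140", pid))
                decoded_outputs[m.group(2).lower()] = pid
        elif img == "powershell.exe" and DEFENDER_OFF.search(cmd):
            findings.append(("T1562.004", pid))  # Defender feature disabled
        elif img == "cmd.exe":
            # T1059.003: cmd.exe runs a file that an earlier certutil decode produced
            if any(path in cmd.lower() for path in decoded_outputs):
                findings.append(("T1059.003", pid))
    return findings


def chain_complete(findings: List[Tuple[str, int]]) -> bool:
    """True when all three stages of the decode -> disable -> execute chain were seen."""
    seen = {technique for technique, _ in findings}
    return {"T1140", "T1562.004", "T1059.003"} <= seen


if __name__ == "__main__":
    for technique, pid in detect(EVENTS):
        print(technique, pid)
    print("chain complete:", chain_complete(detect(EVENTS)))
```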

Ursnif Banking Trojan

The Ursnif banking Trojan may be present in the environment, using memory injection techniques to evade detection and maintain persistence.