Ursnif, also known as Gozi and ISFB, is a banking Trojan that primarily targets English-speaking countries. It was first discovered in 2007 and in 2010 its source code was unintentionally leaked ; which provided the basis for much of the legacy Ursnif variant diagnosis and detection. Dreambot is a newer variant (ca 2016) of Ursnif that incorporates capabilities such as Tor communications and peer-to-peer functionality .
Dreambot malware has been observed to spread via many of the conventional crimeware avenues to include exploit kits, e-mail attachments and links  . To evade automated malware analysis, Dreambot uses password protected macro attachments and also delays for 250 seconds prior to downloading the malware .
This threat advisory discusses how to detect Dreambot beaconing activity using RSA NetWitness Logs & Packets.
A system infected with Dreambot reaches out to its command and control server as follows:
The behavior is consistent across many Dreambot samples:
Then a Tor client is retrieved:
The check-in is different for other Dreambot variants:
Assuming that the appropriate meta keys are enabled, the following queries can be used to detect Dreambot network activity:
- Detect the check-in activity you can use:
action = 'get' && filename = '.avi' && extension = 'avi' && directory contains '/images/' && direction = 'outbound'
action = 'post' && directory begins '/images/' && query begins 'filename=' && extension = 'bin' && direction='outbound'
- Detect the Tor client retrieval you can use:
action = 'get' && filename = 'test32.dll',' t32.dll', ' t64.dll' && extension = 'dll' && directory contains '/tor/' && direction = 'outbound'
All the IOCs from those sessions were added to the following feeds on Live:
- RSA FirstWatch Command and Control Domains
- RSA FirstWatch Command and Control IPs
To find those IOCs using RSA NetWitness, please refer to this post.
In addition, the following Application Rule is now available on Live:
Below is a screenshot of the Application Rule detecting Dreambot traffic:
Thanks go to Rajas Save for contributing to this threat advisory.
- RIG EK at 220.127.116.11 Drops Dreambot – MALWARE BREAKDOWN
- New Password Protected Macro Malware evades Sandbox and Infects the victims with Ursnif Malware !! - Cysinfo