From URSNIF IoCs to Software Spoofing | WhoisXML API


From URSNIF IoCs to Software Spoofing: Using DNS Intel to Connect the Dots

The URSNIF banking Trojan has consistently evolved throughout the years, threatening financial organizations with data theft. It was recently seen being used by TA544 to target Italian banks.

More than 40 IP addresses and domains were publicly listed [1], [2], [3], [4] as URSNIF indicators of compromise (IoCs). WhoisXML API researchers subjected them to a DNS intelligence analysis to uncover more connected artifacts, including:

  • 18 IP- and email-connected artifacts, eight of which were flagged as malicious based on a bulk malware check
  • 1,067 string-connected artifacts likely targeting Avast and Debian
  • 653 unique IP addresses hosting the string-connected artifacts, some of which were malicious according to a bulk malware check
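The pivots behind those three bullet counts, as an added example that is not from the WhoisXML API report: a Python sketch over constructed passive-DNS and WHOIS tables (every name and address below is hypothetical) that derives IP-connected, email-connected and string-connected artifacts and the IPs hosting the last group. A real run would replace the tables with lookups from a DNS/WHOIS data source and feed the resulting IPs into a malware check.

```python
# Constructed toy data (hypothetical; not the report's IoCs or hosts).
SEED_DOMAINS = {"seed-a.example", "seed-b.example"}
SEED_IPS = {"203.0.113.10"}
DNS_RECORDS = {  # domain -> IPs it resolved to (toy passive-DNS table)
    "seed-a.example": {"203.0.113.10", "198.51.100.7"},
    "seed-b.example": {"198.51.100.8"},
    "cohost-1.example": {"203.0.113.10"},
    "cohost-2.example": {"198.51.100.7"},
    "avast-update-check.example": {"192.0.2.21"},
    "debian-mirror-security.example": {"192.0.2.21", "192.0.2.22"},
    "unrelated.example": {"192.0.2.99"},
}
WHOIS_EMAILS = {  # domain -> registrant e-mail (toy WHOIS table)
    "seed-b.example": "reg@mail.example",
    "same-registrant.example": "reg@mail.example",
    "unrelated.example": "other@mail.example",
}
BRAND_STRINGS = ("avast", "debian")  # software names the report saw spoofed

def ip_connected(seed_domains, seed_ips, dns):
    """Domains that resolved to a seed IP or to an IP a seed domain used."""
    ips = set(seed_ips).union(*(dns.get(s, set()) for s in seed_domains))
    return {d for d, r in dns.items() if d not in seed_domains and r & ips}

def email_connected(seed_domains, whois):
    """Domains registered with the same e-mail address as a seed domain."""
    emails = {whois[s] for s in seed_domains if s in whois}
    return {d for d, e in whois.items() if d not in seed_domains and e in emails}

def string_connected(domains, brands):
    """Domains whose name contains a brand string: candidate software spoofing."""
    return {d: [b for b in brands if b in d.lower()]
            for d in domains if any(b in d.lower() for b in brands)}

def hosting_ips(domains, dns):
    """Unique IPs hosting the given domains (the set to run a bulk malware check on)."""
    return set().union(*(dns.get(d, set()) for d in domains))

def expand(seed_domains=SEED_DOMAINS, seed_ips=SEED_IPS, dns=DNS_RECORDS,
           whois=WHOIS_EMAILS, brands=BRAND_STRINGS):
    """Reproduce the three artifact classes the report counts."""
    strc = string_connected(dns, brands)
    return {
        "ip_email_connected": sorted(ip_connected(seed_domains, seed_ips, dns)
                                     | email_connected(seed_domains, whois)),
        "string_connected": strc,
        "string_hosting_ips": sorted(hosting_ips(strc, dns)),
    }
```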

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
  • [2] https://otx.alienvault.com/pulse/64ca52f8517d45663b05655d
  • [3] https://otx.alienvault.com/pulse/64c3b9dc8c9f288d10c98fe9
  • [4] https://otx.alienvault.com/pulse/64b7cdb9fe627a02501b2be1
  • [5] https://otx.alienvault.com/pulse/64d3b6cc6616bf4a9ef77b54