From URSNIF IoCs to Software Spoofing: Using DNS Intel to Connect the Dots
The URSNIF banking Trojan has consistently evolved throughout the years, threatening financial organizations with data theft. It was recently seen being used by TA544 to target Italian banks.
More than 40 IP addresses and domains were publicly listed [1, 2, 3, 4] as URSNIF indicators of compromise (IoCs). WhoisXML API researchers subjected them to a DNS intelligence analysis to uncover more connected artifacts, including:
- 18 IP- and email-connected artifacts, eight of which were flagged as malicious based on a bulk malware check
- 1,067 string-connected artifacts likely targeting Avast and Debian
- 653 unique IP addresses hosting the string-connected artifacts, some of which were malicious according to a bulk malware check
-  https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
-  https://otx.alienvault.com/pulse/64ca52f8517d45663b05655d
-  https://otx.alienvault.com/pulse/64c3b9dc8c9f288d10c98fe9
-  https://otx.alienvault.com/pulse/64b7cdb9fe627a02501b2be1
-  https://otx.alienvault.com/pulse/64d3b6cc6616bf4a9ef77b54