* [Blog](https://www.paloaltonetworks.com.au/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com.au/blog/corporate/)
* [Endpoint](https://www.paloaltonetworks.com.au/blog/category/endpoint-2/)
* Traps Sniffs Out Ursnif B...

# Traps Sniffs Out Ursnif Banking Trojan

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2F2017%2F06%2Ftraps-sniffs-ursnif-banking-trojan%2F)  
[](https://twitter.com/share?text=Traps+Sniffs+Out+Ursnif+Banking+Trojan&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2F2017%2F06%2Ftraps-sniffs-ursnif-banking-trojan%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2F2017%2F06%2Ftraps-sniffs-ursnif-banking-trojan%2F&title=Traps+Sniffs+Out+Ursnif+Banking+Trojan&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/2017/06/traps-sniffs-ursnif-banking-trojan/&ts=markdown)  
\[\](mailto:?subject=Traps Sniffs Out Ursnif Banking Trojan)  
Link copied  
By [Eila Shargh](https://www.paloaltonetworks.com/blog/author/eila-shargh/?ts=markdown "Posts by Eila Shargh")  
Jun 06, 2017  
4 minutes  
[Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown)  
[Advanced Endpoint Protection](https://www.paloaltonetworks.com/blog/tag/advanced-endpoint-protection/?ts=markdown)  
[Traps](https://www.paloaltonetworks.com/blog/tag/traps/?ts=markdown)  
[Ursnif](https://www.paloaltonetworks.com/blog/tag/ursnif/?ts=markdown)

Ursnif (a.k.a Gozi), the well-known banking Trojan, continues to target millions of users all around the world. Unit 42 recently published a breakdown of the distribution networks used to deploy banking Trojans like [Ursnif](https://www.paloaltonetworks.com/blog/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/), specifically targeting Japan and several European nations. With its malware analysis evasion techniques, Ursnif has proven difficult for traditional security tools to detect.

**How Does It Work?**

Ursnif has used two primary delivery methods: malspam and exploit kits.

Most recently, Ursnif has been using malspam -- emails containing malicious attachments -- to target users in Japan. The attachment contains a JavaScript downloader that downloads Ursnif from a remote site and executes it on the user's machine. Other Ursnif malspam attacks have involved password-protected Office document attachments, a technique that minimizes detection by automated analysis tools. The body of the email contains a password to access the attachment, increasing the appearance of the email's legitimacy. When the victim opens the attachment, his or her system is infected, communication with a command-and-control server is established, and commands from the C2 server, such as installing additional threats, are sent periodically.

Ursnif has also been delivered via RIG exploit kits. When a victim visits a compromised website, he or she is redirected to the RIG landing page, from which the exploit profiles the victim's system to determine which attack will work best, delivers the attack to compromise the victim's browser, and delivers the malicious payload onto the victim's machine.

In both instances, the malicious payload can detect malware analysis tools and check for virtualization. If it determines itself to be in an analysis environment, the payload will avoid conducting malicious activity, making it challenging to detect.

**Why Is It Unique?**

Ursnif is a widespread, evolving threat that deploys multiple features through multiple attack vectors. Newer versions of the threat allow attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimize other machines, and communicate peer-to-peer between different Ursnif instances in the same network.

**How Do You Stop It?**

Palo Alto Networks Traps uses a multi-method approach to malware and exploit prevention that block threats like Ursnif, regardless of whether they are delivered via exploit kits or malspam.

Traps examines macros in Microsoft Office files as the files are opened, performing local checks to determine if the macros are malicious or not. If a macro is malicious, it is prevented from executing. If unknown, the file containing the macro is examined by local analysis via machine learning. In this process, Traps examines various file characteristics to determine if the macro is malicious or benign. Using threat intelligence available from WildFire, a machine learning model is trained to detect malware, including never-before-seen variants. Additionally, if configured to do so, Traps will automatically send the file containing the macro to WildFire for a series of checks, including static, dynamic and bare metal analysis for full hardware execution, to identify even the most evasive threats, like Ursnif.

To prevent exploits, Traps takes a unique approach, focusing on the techniques used by all exploit-based attacks, which rarely change. Traps also prevents attackers from identifying and targeting vulnerable endpoints by blocking the profiling attempts used by exploit kits with its Exploit Kit Fingerprinting Protection Exploitation Prevention Module.

By focusing on the core exploitation techniques and blocking profiling attempts used by exploits, Traps can prevent exploits as soon as they are attempted and before an endpoint can be compromised.

**[Learn more about Traps multi-method approach to malware and exploit prevention.](https://www.paloaltonetworks.com/products/secure-the-endpoint/traps)**

*** ** * ** ***

[**Register for Ignite '17 Security Conference**](http://go.paloaltonetworks.com/ignite2017)  
*Vancouver, BC June 12--15, 2017*

Ignite '17 Security Conference is a live, four-day conference designed for today's security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the [Ignite website](http://www.paloaltonetworksignite.com/) for more information on tracks, workshops and marquee sessions.

*** ** * ** ***

## Related Blogs

### [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### Introducing Traps for Android](https://www.paloaltonetworks.com.au/blog/2018/06/introducing-traps-android/)

### [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Traps "Recommended" in NSS Labs Advanced Endpoint Protection Test](https://www.paloaltonetworks.com.au/blog/2018/04/traps-recommended-nss-labs-advanced-endpoint-protection-test/)

### [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown)

[#### Traps Prevents Ransomware Attacks](https://www.paloaltonetworks.com.au/blog/2017/11/traps-prevents-ransomware-attacks/)

### [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown)

[#### Traps Prevents Microsoft Office Zero-Day](https://www.paloaltonetworks.com.au/blog/2017/10/traps-prevents-microsoft-office-zero-day/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown)

[#### Traps: Expanding Ransomware Protection for Current and Future Threats](https://www.paloaltonetworks.com.au/blog/2017/09/traps-4-1/)

### [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown)

[#### AV-TEST Validated: Traps Can Replace Legacy Antivirus](https://www.paloaltonetworks.com.au/blog/2017/08/av-test-validated-traps-can-replace-legacy-antivirus/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language