David Morán Aug 23, 2021 10 min read

Ursnif and Cerberus: A Combined Attack

On this occasion, we are going to talk about Ursnif, also known as Gozi, and how it uses the Cerberus functionalities to automate fraudulent bank transactions.

Ursnif is a banking trojan for Windows discovered in 2007 that has evolved over the years, remaining active today and being one of the most widespread trojans around. It has affected many different victims from around the world.

So much so that earlier this year, German banking users were affected by its malicious activity, and around March new variants were identified that targeted Italian banks. It should be noted that in this country, its impact was significantly striking compared to the rest.


These changes and this evolution could be due to several reasons, among which is the fact that around 2015, the source code of this malware was leaked and published on the GitHub version control platform.

This allowed other malware developers to add functionalities and make all kinds of changes to the malware's code, presumably creating new versions that could have been distributed across different campaigns.

Regarding its functionalities, in addition to the usual theft of banking credentials and other types of information that are common in this type of trojan, we found that Ursnif has the ability to collect information about the activity of the infected system, as well as user credentials for various applications, and it can track network and browsing activity, log keystrokes or store collected data to send to the control server.


Regarding its spread techniques, the banking malware has been efficiently distributed through malicious spam campaigns where the attacker pretends that the email is coming from an official body, a courier company that is delivering an alleged package, or a company that is sending an invoice.

All of this is intended to trick the user into downloading the attached file, usually a Microsoft Office document, and enabling its macros to continue with its malicious activity in order to ultimately infect the victim's computer.


INPS campaign. Source: Trendmicro.com

For example, last year, a campaign was detected that was taking advantage of the authority of the Italian institution INPS, an entity belonging to the public system, with the aim of persuading the user to open the attached file, having to enter a password that was indicated in the email. After achieving this, communication was established with a remote server and a DLL was downloaded to the victim's computer to end up infecting the system.

A Combined Attack

So far, we have seen how Gozi has usually operated in the past, but an important part of this article remains to be discovered. As we discussed at the beginning of it, new versions of this banking trojan have recently been discovered that are related to Cerberus, a banking trojan for Android that has been gaining popularity since its launch in 2019, and which we have already spoken extensively about in this report where we cover all its aspects and characteristics.


IOc Cerberus + APK: 40b8a8fd2f4743534ad184be95299a8e17d029a7ce5bc9eaeb28c5401152460d

Specifically, we are going to talk about what kind of relationship Gozi has with the Cerberus malware, and how some of its functionalities are used to automate fraudulent bank transfers from Italian banks.

Ursnif, in addition to infecting the victim's desktop operating system, tries to persuade the user to download a fraudulent application on their mobile device with which it will ultimately infect the device with the Android banking trojan.


Control servers and fraudulent domains. Source: Securityintelligence.com

Code Reception and Automation

Recent investigations into these new versions have uncovered that Ursnif developers are using components of the Cerberus malware in order to receive the two-factor authentication messages that banks send to users to confirm bank transfers between accounts. Therefore, in this regard and in this phase, trojan functionalities for Android are being used that allow attackers to evade the verification carried out by means of the SMS code sent by the bank.

Regarding automation, one of the purposes of Ursnif in this case is to automate the transactions that have previously been initiated in the browser of infected Windows systems. To do this, it has a functionality that allows it to swap out the International Bank Account Number (IBAN) and the Bank Identifier Code (BIC) for an account number controlled by the attacker who wishes to carry out the fraud.


Ursnif is a banking trojan for Windows discovered in 2007, which has been modified many times and has evolved over the years, currently being one of the most widespread and that affects entities in different parts of the world, especially users of Italian banking entities.

Recently, new versions have been detected in which we have seen how Ursnif is using the functionalities of Cerberus, a banking trojan for Android discovered in 2019 and that has been slowly gaining popularity since then, in order to automate fraudulent bank transactions in the accounts of users of Italian entities whose devices have been infected.

Seeing how this is not the first time that modifications in the behavior of Ursnif have been detected, it is important to continue paying attention to how it evolves, since although it was seen for the first time almost 15 years ago, it continues to be an important threat that is prepared to keep renewing itself.



David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.