The Ursnif Campaign identified as f1.pipen.at is a malware campaign involving the Ursnif banking Trojan, also known as Gozi. Ursnif is a well-known information-stealing malware primarily targeting banking credentials but also capable of broader data theft and system compromise. This campaign leverages spearphishing links (MITRE ATT&CK T1192) to deliver the payload, relying on user execution (T1204) to initiate infection. The attack chain includes compile-after-delivery techniques (T1500), where the malware is compiled on the victim's machine post-download, complicating detection. The campaign uses Windows utilities such as mshta (T1170) and regsvr32 (T1117) to execute malicious scripts or DLLs, techniques often employed to bypass security controls by abusing trusted system binaries (living-off-the-land). It also modifies the Windows registry (T1112) to maintain persistence or alter system behavior. Communication with command and control (C2) servers occurs over commonly used ports (T1043) and standard application layer protocols (T1071), helping the malware blend with normal network traffic and evade detection. The campaign is tagged with Cobalt Strike, indicating possible use of this penetration testing tool or its components for post-exploitation activities. Although the severity is marked as low in the source, the combination of sophisticated techniques and the use of trusted system tools suggests a stealthy and potentially impactful threat. No known exploits in the wild are reported, and no specific affected software versions are listed, implying this is a malware campaign rather than a vulnerability in a product. The campaign was first published in April 2020, and the threat level is moderate (3 out of an unspecified scale).

For European organizations, the Ursnif campaign poses risks primarily related to credential theft, data exfiltration, and potential lateral movement within networks. Financial institutions are especially at risk due to Ursnif's banking Trojan capabilities, which can lead to direct financial losses and compromise of sensitive customer data. The use of spearphishing links targets end users, making organizations with less mature security awareness programs vulnerable. The abuse of legitimate Windows utilities for execution and persistence complicates detection and response, potentially allowing attackers to maintain long-term access. The campaign's network communications over standard ports and protocols can evade perimeter defenses, increasing the likelihood of successful data exfiltration. Additionally, the presence of Cobalt Strike components suggests that attackers may escalate privileges or move laterally, threatening operational continuity and confidentiality. The impact extends beyond financial loss to reputational damage, regulatory penalties under GDPR for data breaches, and increased incident response costs.

European organizations should implement targeted defenses against spearphishing by enhancing user awareness training focused on identifying malicious links and attachments. Deploy advanced email filtering solutions that analyze URLs and attachments for malicious content. Employ application whitelisting and restrict the use of Windows utilities like mshta and regsvr32 to only approved scripts or processes, using tools such as AppLocker or Windows Defender Application Control. Monitor registry changes for suspicious modifications indicative of persistence mechanisms. Network monitoring should focus on detecting anomalous traffic over common ports and protocols, using behavioral analytics and threat intelligence feeds to identify C2 communications. Endpoint detection and response (EDR) solutions should be configured to detect compile-after-delivery behaviors and the use of living-off-the-land binaries. Incident response plans must include procedures for isolating infected hosts and conducting forensic analysis to identify lateral movement. Regularly update and patch systems to reduce the attack surface, even though no specific vulnerabilities are noted in this campaign. Finally, consider deploying deception technologies or honeypots to detect attacker activity early.