The code of the malware has been around for more than 10 years, but attackers still find new ways to make it more dangerous.
A new variant of an infamous trojan banking malware with a ten-year history has emerged with new tactics to make it harder to detect. The malware aims to hunt for financial information, usernames, passwords, and other sensitive data.
Ursnif banking Trojan is one of the most common forms of information robbing malware that targets Windows PCs, and has been around in one form or another since it first appeared in Gozi banking Trojan at least in 2007.
In recent years, the source code has become very popular after the GitHub has been leaked, allowing cyber criminals around the world to take it and add new features to the malware.
Now researchers at the Cybereason security company have uncovered a new, previously undocumented Ursnif version that uses different, sturdier infection tactics than other campaigns. This includes what researchers call “last minute persistence,” a way to install malicious payload that ensures that it is less likely to be uncovered.
“The last-minute persistence is a very clever and stiff way for the malware to enter its key and files just before the system shuts, so it’s not there for more than a couple of seconds while the machine is on,” said assaf Dahan, senior threat hunting director at Cybereason.
Ursnif is run and injected before the registry keys and malware installation files get deleted only when the user logs on again, in order to give security software few opportunities to discover it.
Those behind this Ursnif campaign also use a multi stage drop process to ensure the lowest detection chance and the highest success rate. The attack starts with the description of researchers as generic, but quite effective phishing e-mails that ask the victim to open an attachment–usually a fake bill that calls on users to activate macros.
Following this request, it allows the execution of a PowerShell command that downloads an image hosted on a file sharing site–stenography is used to hide a payload within the image that starts the next stage of the process once it has been decrypted.
This payload is Bebloh, a bank trojan, but for Ursnif this campaign is used as a dropper. Researchers think the first bank trojan is used to ensure that the target is not in fact a sandbox on a virtual machine, so that Ursnif is not deployed in an environment where it can be analyzed.
Following another series of tests to double-check, the new Ursnif payload runs on the infected machine and is not running in what it considers a hostile environment.
In addition to the new persistence system, this version of Ursnif includes new stallions that allow the attacker to remove information from emails and browsers with more than just bank details and passwords, which may also steal data and provide a wealth of sensitive information.
Microsoft Outlook, Internet Explorer and Mozilla Thunderbird seem especially targeted, since attackers are searching for additional stolen data. This version of Ursnif also has the ability to steal bitcoin and other cryptocurrency wallet packages.
“In recent years we have witnessed the increasing involvement of banking Trojans in information stealing, and not just financial data, which could be tied to a shift in user behaviour. This specific Ursnif campaign seems to focus on Japanese and Japanese banks to the point where if the malware detects that the computer is not located in Japan, it will stop to avoid detection in other countries.
Researchers could not identify the operation under the recent Ursnif campaign, Dahan told that there is evidence suggesting that it relates to the cybercriminal operation Cutwail Botnet, a operation that has operated since 2007–the same year that the code behind Ursnif first appeared.
Cybereason provided the Compromise Indicators and advice on the avoidance of infection in their Ursnif analysis.