The Trojan Ursnif was tracked back to threats on at least 100 Italian banks. In Avast's view, malware operator has a strong interest in Italian objectives, which has resulted in a loss of credentials and financial information through attacks against these banks.
Avast researchers have discovered username, passwords, and credit card details, bank, and payment data which the Ursnif Banking Trojan operators seem to have seized from banking customers. They did not pinpoint the source of the details. However, details on payment cards are also sold on the dark web. In just one instance, over 1,700 credentials were stolen from an undisclosed payment processor.
Ursnif is malware that was originally discovered in 2007 as a banking trojan but has developed over the years. In several countries across the world, Ursnif has targeted consumers over the years, mostly using native-language e-mail lures. Ursnif is typically distributed via phishing emails, such as invoice demands and attempts to steal financial details and credentials of the account. Italy has been a major factor among Ursnif countries, a fact which is demonstrated in the information obtained from the researchers.
Referring to the Italian Financial CERT Avast says, "Our research teams have taken this information and shared it with the payment processors and banks we could identify. We've also shared this with financial services information sharing groups such as CERTFin Italy.”
The Italian project of Ursnif used a phishing campaign to email malicious attachments that get downloaded when opened, according to Fortinet. The malware Ursnif is sometimes sent using the malware loader says the company.
Username, device name, and system uptime, Ursnif gathers confidential information. According to Avast security researchers, these data are configured into packets and forwarded to the gang's command and control server. The Ursnif Trojan is spyware that controls traffic by taking screenshots and keylogging and obtains login credentials saved on browsers and mail applications.
Researchers from Datktrace have reported the 2020 malware campaign in a US bank attack. An employee who opened a malicious link unintentionally and inadvertently installed an executable file claiming to be a .cab extension received a phishing email. This file called for command-and-control servers (C2) registered in Russia just one day before the campaign launch and, thus, at the time of infection, the IPs weren't banned.
“With this information, these companies and institutions are taking steps to protect their customers and help them recover from the impact of Ursnif,” concludes AVAST.