Ursnif Banking Trojan is Back in Italy

The banking trojan 'Ursnif' (also known as 'Gozi') is back in business in Italy, targeting a wide range of banking users with mobile malware. According to an analysis by IBM's Trusteer team, the actors behind Ursnif now include 'Cerberus' in their operations, a mobile Trojan whose source code was leaked in September 2020 after a failed auction attempt.

Ursnif is a banking trojan seen in several automated exploit kits and spread through malicious attachments and links. It is primarily associated with data theft, although its component versions also include backdoors, spyware, and file injectors.

Cerberus is a mobile overlay malware first developed in mid-2019. It is reportedly used to intercept two-factor authentication codes in real time during an attack, and it can also capture the device's lock-screen code and control the device remotely.

In September 2020, the Cerberus development team decided to dissolve, and an attempt was made to sell the source code to the highest bidder, with bidding starting at $100,000.

As IBM notes, Ursnif is arguably now the oldest banking malware still in operation, and its main focus is Italy. It is usually delivered by e-mail to various business addresses as an attached document with malicious macros. After infection, a web injection takes over and prompts the target to download supposedly safe software, which is in fact a mobile Trojan app. The download is delivered through a QR code containing a base64-encoded string.

“If users scan the QR code, they will open a web page on their smartphone and be sent to a fake Google Play page featuring a corresponding banking app logo of the banking brand the victim originally attempted to access. The campaign, in this case, included several domains that were most likely registered for that purpose and reported in other malicious activity in the past, such as hxxps://play.google.servlce.store/store/apps/details.php?id=it.[BANK BRAND],” wrote Itzik Chimino, a researcher at Security Intelligence. 

Each domain that hosts bogus Google Play pages uses identical terms or typosquatting to make it appear legitimate. Examples include:
 google.servlce.store
 gooogle.services
 goooogle.services
 play.google.servlce.store
 play.gooogle.services
 play.goooogle.services 

For a few months, these malicious domains have also been on VirusTotal, and additional reports have accumulated over time.
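The QR code carries a base64-encoded URL, and the landing domains imitate Google Play through extra letters or swapped characters. The following Python script is an added example (not code from the original post or from IBM) of how a defender could triage such a payload: it decodes the base64 string, extracts the host, and flags hosts that contain a Google-like label but are not actually under google.com. The base64 payloads, the `it.EXAMPLE-BANK` package name, and the `LEGITIMATE_HOSTS` allow-list are constructed assumptions; the lookalike domains are the ones listed above.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import urlparse

# Assumption: the hosts a legitimate Play Store link may use. A defender
# would maintain this list; it is not taken from the post.
LEGITIMATE_HOSTS = {"play.google.com", "google.com"}

# Brand labels whose presence or near-presence in a foreign domain is suspicious.
BRAND_LABELS = ("google",)

# Constructed sample payloads: base64-encoded URLs as a QR code would carry them.
# The hosts are the lookalike domains named in the post; the path and the
# "it.EXAMPLE-BANK" package id are constructed placeholders.
SAMPLE_PAYLOADS = [
    base64.b64encode(b"https://play.google.servlce.store/store/apps/details.php?id=it.EXAMPLE-BANK").decode(),
    base64.b64encode(b"https://play.gooogle.services/store/apps/details.php?id=it.EXAMPLE-BANK").decode(),
    base64.b64encode(b"https://play.google.com/store/apps/details?id=it.EXAMPLE-BANK").decode(),
]


def decode_qr_payload(payload: str) -> Optional[str]:
    """Decode a base64 QR payload to a URL string; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch labels such as 'gooogle' (1 edit from 'google')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE_HOSTS or any(host.endswith("." + h) for h in LEGITIMATE_HOSTS):
        return "legitimate"
    for label in host.split("."):
        for brand in BRAND_LABELS:
            # A brand label (exact, embedded, or within two edits) in a domain that is
            # not under the real brand domain is the typosquatting pattern described above.
            if brand in label or edit_distance(label, brand) <= 2:
                return "lookalike"
    return "unrelated"


def analyze_payload(payload: str) -> dict:
    """Decode a QR payload and classify the host it points to."""
    url = decode_qr_payload(payload)
    if url is None:
        return {"url": None, "host": None, "verdict": "undecodable"}
    host = urlparse(url).hostname or ""
    return {"url": url, "host": host, "verdict": classify_host(host)}


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = analyze_payload(p)
        print(f"{r['verdict']:<11} {r['host']}")
```

The edit-distance bound of two is deliberately loose so that 'goooogle' (two inserted letters) is still caught; in production the allow-list of legitimate hosts matters more than the heuristic, because a host that is genuinely under google.com never reaches the lookalike check.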

Victims who cannot scan the QR code are offered a download link instead: they are asked to enter their telephone number and then receive an SMS containing a link to the malicious app, together with a warning about a service disruption if the app is not installed.

If the victim enters a phone number on the injected web page, the remote server responds with a download URL that leads to the Cerberus malware. The injection also records the victim's device ID, tying it to the bot ID and the account credentials.

Through these URLs, Cerberus lands on the victim's mobile phone while Ursnif is already running on the PC. The victim is therefore fully compromised by the combination of both tools, and Ursnif still has work to do: on the desktop side it hooks the web browser and manipulates the targeted banking websites dynamically.

One of Ursnif's primary tricks is to automatically replace the IBAN that receives a transaction with one the actors control. The actors set a parameter that enables this swap only if the account amount exceeds €3,000.
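Because the swap happens inside the victim's browser, the bank's server only ever sees the attacker's IBAN, so the useful server-side signal is the combination the post describes: a recipient the customer has never paid before, from an account above the €3,000 threshold. The following Python code is an added example (not from the post, IBM, or any bank) of a transfer-review rule built on that signal, together with the ISO 13616 mod-97 checksum that rejects a malformed IBAN outright. The customer id, balances, payee list and transfers are constructed; the IBANs are published example IBANs, not real accounts, and the DE IBAN stands in for the hypothetical attacker-controlled one.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Balance threshold the post says the inject checks before swapping the IBAN.
SWAP_THRESHOLD_EUR = 3000.0


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A-Z to 10-35, and require the resulting integer to be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass
class Transfer:
    customer_id: str
    balance_eur: float
    amount_eur: float
    recipient_iban: str


# Constructed sample data: the known-payee list a bank would hold per customer.
KNOWN_PAYEES: Dict[str, Set[str]] = {
    "cust-001": {"GB82WEST12345698765432"},
}

# Constructed transfers. The third models the inject swapping the recipient to an
# IBAN the customer has never paid (hypothetical attacker account), from an account
# above the threshold; the fourth carries a corrupted checksum.
SAMPLE_TRANSFERS = [
    Transfer("cust-001", 5200.0, 150.0, "GB82WEST12345698765432"),
    Transfer("cust-001", 900.0, 150.0, "IT60X0542811101000000123456"),
    Transfer("cust-001", 5200.0, 150.0, "DE89370400440532013000"),
    Transfer("cust-001", 5200.0, 150.0, "IT60X0542811101000000123457"),
]


def review_transfer(t: Transfer, known_payees: Dict[str, Set[str]]) -> dict:
    """Decide what to do with one transfer.
    'reject' for a malformed IBAN; 'confirm_out_of_band' when a never-seen recipient
    is combined with a balance above the swap threshold; 'allow' otherwise."""
    reasons: List[str] = []
    iban = t.recipient_iban.replace(" ", "").upper()
    if not iban_is_valid(iban):
        return {"decision": "reject", "reasons": ["invalid_iban_checksum"]}
    if iban not in known_payees.get(t.customer_id, set()):
        reasons.append("new_payee")
        if t.balance_eur > SWAP_THRESHOLD_EUR:
            reasons.append("balance_above_swap_threshold")
            return {"decision": "confirm_out_of_band", "reasons": reasons}
    return {"decision": "allow", "reasons": reasons}


def review_all(transfers: List[Transfer], known_payees: Dict[str, Set[str]]) -> List[str]:
    """Apply the rule to a batch and return the decisions in order."""
    return [review_transfer(t, known_payees)["decision"] for t in transfers]


if __name__ == "__main__":
    for t, d in zip(SAMPLE_TRANSFERS, review_all(SAMPLE_TRANSFERS, KNOWN_PAYEES)):
        print(f"{d:<20} {t.recipient_iban}")
```

The out-of-band confirmation (an SMS or app push) must display the IBAN the server actually received, not what the browser rendered, so the customer can see the swap; that is the step the in-browser inject cannot rewrite.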

Finally, the injections are highly adaptive: the actors vary their approach depending on the victim and the bank service being imitated. They have thought of everything, including fake security problems, log-in delays, and even a fake maintenance notice, to keep the victim from reaching the real service portal.

Users are advised not to download apps from outside the Play Store and not to click on any URLs received via SMS. If a message claims to come from a bank, do not act on it; instead, visit or contact the bank directly.

100 Italian Banks Hit by Ursnif Trojan

The Ursnif Trojan has been tracked in attacks on at least 100 Italian banks. According to Avast, the malware's operators have a strong interest in Italian targets, and their attacks on these banks have resulted in the loss of credentials and financial information.

Avast researchers have discovered usernames, passwords, credit card details, and bank and payment data that the Ursnif operators appear to have taken from banking customers. The researchers did not pinpoint the source of the details, but payment card data of this kind is also sold on the dark web. In just one instance, over 1,700 credentials were stolen from an undisclosed payment processor.

Ursnif is malware originally discovered in 2007 as a banking trojan that has evolved over the years. It has targeted consumers in several countries around the world, mostly using native-language e-mail lures, and is typically distributed via phishing emails such as invoice requests that attempt to steal account credentials and financial details. Italy has been a major focus among the countries Ursnif targets, as the data obtained by the researchers demonstrates.

Referring to the Italian financial CERT, Avast says, “Our research teams have taken this information and shared it with the payment processors and banks we could identify. We've also shared this with financial services information sharing groups such as CERTFin Italy.”

According to Fortinet, the Italian Ursnif campaign used phishing emails carrying malicious attachments that download the malware when opened; the company adds that Ursnif is sometimes delivered through a malware loader.

Ursnif gathers confidential information such as the username, device name, and system uptime. According to Avast security researchers, this data is assembled into packets and forwarded to the gang's command-and-control server. The Ursnif Trojan also acts as spyware: it monitors traffic, takes screenshots, logs keystrokes, and harvests login credentials saved in browsers and mail applications.

Researchers from Darktrace have reported a 2020 campaign by this malware against a US bank. An employee received a phishing email, opened a malicious link, and inadvertently installed an executable file disguised with a .cab extension. This file called out to command-and-control (C2) servers registered in Russia just one day before the campaign launched, so at the time of infection the IPs were not yet blocked.

“With this information, these companies and institutions are taking steps to protect their customers and help them recover from the impact of Ursnif,” concludes Avast.