Ursnif Banking Trojan Uses New Tactic to Spread More Rapidly

A new strain of the Ursnif banking Trojan has been identified and the actors to blame for the latest campaign have implemented a new tactic to spread the malware more quickly.

The Ursnif banking Trojan is one of the most often witnessed Trojans. As is the case with other banking Trojans, the purpose of the Ursnif Trojan is to take away credentials such as logins to banking websites, corporate bank details, and credit card information. The stolen credentials are then used to complete financial transactions. It is not unusual for accounts to be drained prior to the transactions being discovered, by which time the funds have cleared, have been withdrawn, and the criminal’s account has been closed. Recovering the stolen funds may not be impossible.

Infection will result in the malware stealing a wide range of sensitive data, capturing credentials as they are typed into the browser. The Ursnif banking Trojan also captures screenshots of the infected device and logs keystrokes. All of that information is silently shared to the hacker’s C2 server.

Banking Trojans can be put in place in a number of ways. They are often installed onto websites where they are downloaded in drive-by attacks. Traffic is sent d to the malicious websites using malvertising campaigns or spam emails contacting hyperlinks. Legitimate websites are compromised using brute force methods, and kits installed on the sites that attack people who have failed to keep their software up to date. In a lot of, software is shared using spam email, hidden in attachments.

Spam email has previously been used to share the Ursnif banking Trojan, and the most recent campaign is no different in that regard. However, the latest campaign uses a new tactic to increase the chance of infection and spread infections more quickly and widely. Financial institutions have been the main target of this banking Trojan, but with this most recent attack method they are far more widespread.

Infection will see the user’s contact list scanned and spear phishing emails sent to each of the user’s contacts. Since the spear phishing emails come from a trusted email account, the chances of the emails being opened is significantly heightened. Simply opening the email will not lead to infection. For that to take place, the recipient must click on the email attachment. Again, since it has come from a trusted person, that is more probably.

The actors to blame for this latest Ursnif banking Trojan campaign have another trick to increase trust and ensure their payload is sent. The spear phishing emails contain message threads from past communications. The email looks like a response to a previous email, and include details of past communications.

A short line of text is included as a attempt to get the recipient to open the email attachment – a Word document including a malicious macro. That macro needs to be authorized to run – if macros have not been set to run automatically, but it will not until the Word document is shut. When the macro is enabled, it initiates PowerShell commands that download the Ursnif Trojan, which then starts logging activity on the infected device and sends further spear phishing emails to the new victim’s contacts.

This is not an original tactic, but it is new to Ursnif – and it is likely to see infections spread much more swiftly. Additionally, the malware incorporates a number of additional tactics to hamper detection, allowing information to be stolen and bank accounts emptied before infection is discovered – the Trojan even erases itself once it has run.

Malware is always changing, and new tactics are constantly created to increase the likelihood of infection. The most recent campaign shows just how important it is to block email threats before they reach end users’ inboxes.

If you use an advanced spam filter like SpamTitan, malicious emails can be blocked to prevent them from reaching end user’s inboxes, greatly reducing the danger posed by malware infections.

Patch Released to Fix Actively Targeted Microsoft .Net Framework Vulnerability

Microsoft has addressed 27 critical flaws this Patch Tuesday, including a Microsoft .Net Framework flaw that is being actively exploited to download Finspy surveillance software on devices running Windows 10.

Finspy is genuine software created by the UK-based Gamma Group, which is used by governments globally for cyber-surveillance. The software has been downloaded in at least two attacks in the past few months according to FireEye experts, the most recent attack leveraged the Microsoft .Net Framework flaw.

The attack begins with a spam email including a malicious RTF file. The document uses the CVE-2017-8759 vulnerability to create arbitrary code, which installs and executes a VB script including PowerShell commands, which in turn installs the malicious payload, which includes Finspy.

FireEye suggests at least one attack was completed by a nation-state against a Russian target; however, FireEye experts also believe other actors may also be using the vulnerability to conduct attacks.

According to a blog post last Tuesday, the Microsoft .Net Framework flaw has been detected and mitigated. Microsoft strongly recommends downloading the latest update promptly to minimize exposure. Microsoft says the flaw could permit a malicious actor to take full control of an impacted system.

Many Several Bluetooth flaws were discovered and shared on Tuesday by security company Aramis. The flaws impact billions of Bluetooth-enabled devices around the globe. The eight flaws, referred to as BlueBorne, could be used to carry out man-in-the-middle attacks on devices via Bluetooth, sending traffic to the attacker’s computer. The bugs exist in Windows, iOS, Android and Linux.

In order to target the flaws, Bluetooth would need to be turned for the targeted device, although it would not be necessary for the device to be in discoverable mode. A hacker could use the flaws to connect to a device – a TV or speaker for example – and start a connection to a computer without the user’s knowledge. In order to carry out the attack, it would be necessary to be in relatively close physically to the targeted device.

In addition to intercepting communications, a hacker could also take full management of a device and steal data, download ransomware or malware, or perform other malicious activities such as placing the device on a botnet. Microsoft addressed one of the Bluetooth driver spoofing bugs – CVE-2017-8628 – in the latest round of updates.

One of the most pressing updates is for a remote code execution vulnerability in NetBIOS (CVE-2017-0161). The vulnerability impacts both servers and work devices. While the vulnerability is not thought to be currently exploited in the wild, it is of note as it can be exploited just by sending specially crafted NetBT Session Service packets.

The Zero Day Initiative (ZDI) said the flaw “is practically wormable within a Local Area Network. This could also target many virtual clients if the guest OSes all connect to the same (virtual) LAN.”

Overall, 81 updates have been published by Microsoft this Patch Tuesday. Adobe has addressed eight flaws, including two critical memory corruption bugs (CVE-2017-11281, CVE-2017-11282) in Flash Player, a critical XML parsing flaw in ColdFusion (CVE-2017-11286) and two ColdFusion remote code execution flaws (CVE-2017-11283, CVE-2017-11284) relating to deserialization of untrusted data.

Greater Email Security Required According to Healthcare Industry Phishing Report

In the United States, healthcare industry phishing campaigns have been to blame for exposing the protected health records of well in excess of 90 million Americans over the course of the past year. That’s more than 28% of the population of the United States.

This week, another case of healthcare sector phishing has come to light following the announcement of Connecticut’s Middlesex Hospital data breach. The hospital saw that four of its employees responded to a phishing email, resulting in their email account login details being sent to a hacker’s command and control center. In this case the damage inflicted by the phishing attack was limited, and only 946 patients had their data exposed. Other healthcare groups have not been nearly so fortunate.

Industry Latest News

Our industry news section includes a wide range of news items of particular relevance to the cybersecurity sector and managed service providers (MSPs).

This section also sources details of the most recent white papers and research studies relating to malware, ransomware, phishing and data breaches. These articles allow some insight into the general state of cybersecurity, the industries currently most heavily aimed for by cybercriminals, and figures and statistics for your own reports.

Cybercriminals use massive spam campaigns designed to infect as many computers as they can. These attacks are random, using email addresses stolen in large data breaches such as the cyberattacks on LinkedIn, MySpace, Twitter and Yahoo. However, highly targeted attacks are on the up, with campaigns geared to specific sectors. These industry-specific cyberattacks and spam and malware campaigns are covered in this section, along with possible mitigations for reducing the danger of a successful attack.

This category is therefore important for organizations in the education, healthcare, and financial services sectors – the most common attacked industries according to the latest security reports.

The articles cover current campaigns, spam email identifiers and details of the social engineering tactics used to trick end users and gain access to corporate networks. By using the advice in these articles, it may be possible to stop similar attacks.

Network Security

This network security news section contains a variety of articles about safeguarding networks and blocking cyberattacks, ransomware and malware installations. This section also includes articles on recent network security breaches, alerting outfits to the latest attack trends being used by hackers.

Layered cybersecurity defenses are vital due to the increase in hacking incidents and the explosion in ransomware and malware variants over the past 24 months. Outfits can address the threat by investing in new security defenses such as next generation firewalls, end point defense systems, web filtering solutions and advanced anti-malware and antivirus defenses.

While much investment goes on proven solutions that have been highly resilient in the past, many cybersecurity solutions – antivirus software – are not as effective as they were previously. In order to keep pace with hackers and cybercriminals and get ahead of the curve, organizations should consider using a wide variety of new cybersecurity solutions to block network intrusions, stop data breaches and improve protection against the most recent malware and ransomware threats.

This category includes information and guidance on different network security solutions that can be adopted to enhance e network security and ensure networks are not focused on by hackers and infected with malicious software.

Dangerous Spora Ransomware Ransomware Threat Discovered

A new and very dangerous ransomware threat to deal called Spore has been discovered.

Locky and Samas ransomware have certainly been major headaches for IT departments. Both forms of ransomware have a host of smart features designed to prevent detection, grow infections, and inflict the most damage possible, leaving companies with little option but pay the ransom demand.

However, there is now a new ransomware threat to address, and it could well be even bigger than Locky and Samas. Luckily, the ransomware authors only seem to be targeting Russian users, but that is likely to change. While a Russian version has been used in hacking attacks so far, an English language version has now been created. Spora ransomware attacks will soon be a global issue.

A massive portion of time and effort has gone into producing this very dangerous new ransomware variant and a decryptor is unlikely to be created due to the way that the ransomware encrypts data.

As opposed to many new ransomware attacks that rely on a Command and Control server to receive instructions, Spora ransomware can encrypt files even if the user is offline. Closing down Internet access will not stop an infection. It is also not possible to restrict access to the C&C server to prevent infection.

Earlier Ransomware variants have been created that can encrypt without C&C communication, although unique decryption keys are not necessary. That means one key will unlock all infections. Spora ransomware on the other hand needs all victims to use a unique key to unlock the encryption.  A hard-coded RSA public key is used to create a unique AES key for every user. That process happens locally. The AES key is then used to encrypt the private key from a public/private RSA key pair set up with each victim, without C&C communications. The RSA key also encrypts the separate AES keys for each user. Without the key supplied by the hackers, you cannot unlock the encryption.

This complex encryption process only represents part of what makes Spora ransomware unique. Different to many other ransomware variants, the hackers have not set the ransom amount. This gives the hackers a degree of flexibility and importantly this process occurs automatically. Security experts believe the degree of automation will see the ransomware provided on an affiliate model.

The flexibility allows companies to be charged a different amount to a person. The ransom set is calculated based on the extent of the infection and types of files that have been encrypted. Since Spora ransomware gathers data on the user, when contact is made to pay the ransom, amounts could easily be changed.

When victims visit the hacker’s payment portal to pay the ransom, they must supply the key file that is set up by the ransomware. The key files contains a range of data on the user, including details of the campaign used. The hackers can therefore carefully monitor infections and campaigns. Those campaigns that are successful and result in more payments can then be repeated. Less effective campaigns can be brought to an end.

At present there are a number of different payment options, including something quite different. Victims can pay to unlock the encryption, or pay extra to avoid future attacks, essentially being given immunity.

Emisoft Internet experts who have analyzed Spora ransomware say it is far from a run of the mill variant that has been quickly thrown together. It is the work of a highly knowledgeable group. The encryption process contains no weaknesses – uncommon for a new ransomware variant – the design of the HTML ransom demand and the payment portal is highly sophisticated, and the payment portal also contains a chat option to allow communication with the hackers. This degree of professionalism only comes from a lot of investment and massive work. This threat is unlikely to disappear soon. In fact, it could prove to be one of the most serious threats in 2017 and into the future.

Infection currently takes place through spam email containing malicious attachments or links. Currently the attachments look like PDF invoices, although they are HTA files including JavaScript code. Preventing emails from being sent is the best form of defense. Since no decryptor is available for Spora, a backup will be necessary to recover for the infection or the ransom will need to be met.