A Trojan named Ursnif is a new version that is being tested with modified codes, this is to make it more effective when it comes to attack the banking domain and software.
A recent report in Zdnet by Danny Palmer reads that it is part of the same malware family as Gozi, the new version of Ursnif comes with redirection attacks which use fake versions of banking websites to steal login information and financial data from victims.
Researchers at IBM X-Force said that some of the most significant changes in the third incarnation of Ursnif are in its code-injecting mechanism; it’s been altered to such an extent that this version of the malware has likely been built by different developers to the second version. Ursnif was first first spotted in August in what researchers have identified as the start of a testing period in which those behind the malware have been careful to keep the malware hidden, to such an extent that the resources behind it were taken offline after each trial. It’s thought that Ursnif version three is still in its trial period, because version two is still active.
It is believed that those behind Ursnif are following in the footsteps of Trojans like Dridex and Trickbot by adding redirection attacks to the attack formula. Researchers note that the redirection scheme is implemented through the configuration file and not embedded into the code itself.
Limor Kessem, executive security advisor at IBM said “The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. She added “At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank’s fraud detection mechanisms.”
Researchers say “Like many malicious campaigns, Ursnif is delivered to victims through phishing emails. In this instance, researchers found the malware was being distributed in messages claiming to be a confirmation of an order, and asking targets to open and sign a review document. If the review document is clicked on, it’ll start the process of malware infection.”
The new techniques demonstrate how cybercriminals are continually redeveloping malware in order to make it more effective.