New version of trojan malware can trick users into entering their credentials into a fake version of a bank’s website.
The new version of the Ursnif trojan comes with new attack techniques. Image: iStock
A new version of the Ursnif banking Trojan is being tested out in the wild with modifications to the code and new attack techniques in an attempt to make the malware even more effective.
Part of the same malware family as Gozi, the new version of Ursnif comes with redirection attacks which use fake versions of banking websites in order to steal login information and financial data from victims.
Researchers at IBM X-Force note that some of the most significant changes in this third incarnation of Ursnif are in the code injecting mechanism, to such an extent that it’s likely that this version of the malware has been built by different developers to that of the second version.
It’s likely that Ursnif version three is still in its trial period because version two is still active in the wild.
The new version of Ursnif was first spotted in August in what researchers have identified as the start of a testing period in which those behind the malware have been careful to keep the malware hidden, to such an extent that the resources behind it were taken offline after each trial.
In this case, the trials have seen those behind Ursnif using the redirection attacks against business and corporate banking customers in Australia.
It appears that those behind Ursnif are following in the footsteps of other banking trojans such as Dridex and Trickbot by adding redirection attacks to the attack formula. Researchers note that the redirection scheme is implemented through the configuration file and not embedded into the code itself.
When active, the Ursnif attack looks as if it is connecting to the real bank website for the victim, all the while handing their credentials to the cyber criminasl behind the scheme.
“The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar,” said Limor Kessem, Executive Security Advisor at IBM.
“At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank’s fraud detection mechanisms,” she added.
Meanwhile, researchers at FireEye have also observed a seperate new technique being employed by Ursniff in the form of deploying malicious TLS (Thread local storage) callbacks.
TLS callbacks are a standard part of the Windows operating system designed to to provide additional support for initialization and termination for per-thread data structures. However, the new version of Ursnif is manipulating TLS callbacks as an anti-analysis trick.
Like many malicious campaigns, Ursnif is delivered to victims via malicious phishing emails. In this instance, researchers uncovered the malware being distributed in messages claiming to be confirmation of a supply order asking targets to open and sign a review document. If the review document is clicked on, it’ll start the process of malware infection.
Researchers say the Ursnif’s new techniques demonstrate how cyber criminals are continually re-developing malware in order to make it more effective.