Researchers at IBM have detected a new variant of the Ursnif Trojan whose developers have been testing a new feature in active attacks. This piece of malware is based on the code of the original Ursnif or Gozi ISFB, but it features some changes involving the code injection and attack tactics.
The internal build number of the Trojan has also been updated to fit this new version and is currently set to Ursnif v3. However, it should be noted that the previous build, Ursnif v2, is also active in the wild.
While changes were most significant in the code injection mechanism, hackers also developed redirection attacks to target business and corporate banking customers in Australia, researchers said. The redirection scheme is implemented through the configuration file and not embedded into the code itself, IBM noted.
These changes may indicate that a new cybercrime group has taken over the Ursnif operation, especially given that Australia has been the sole target of the latest activity. It is also worth noting that the newly added capability to perform redirection chain attacks is typical of Dridex, GootKit and TrickBot operations.
Ursnif v3 redirection attacks explained
These redirection attacks deployed by the current malware operations are targeting a special list of victims – small banks and credit unions in Australia. A few other, bank-specific configurations were also added to target business and corporate banking customers, researchers noted.
In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use webinjections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank’s fraud detection mechanisms.
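One bank-side countermeasure against the webinjection step described above is a DOM integrity check: the genuine login page ships a script that lists the form fields actually rendered and compares them with the fields the bank knows it served, since injected content typically adds inputs (an SMS code, a card PIN) that the real page never asks for. The following is an added illustration, not code from the article or from IBM's research; the form id, field names and sample pages are constructed.

```javascript
// Added example: client-side DOM integrity check for a banking login form.
// Not taken from the article or from IBM's analysis; all names below are
// constructed for illustration.

// Baseline: the fields the bank's own login form contains (assumption).
const EXPECTED_FIELDS = {
  "login-form": ["username", "password", "csrf_token"],
};

// Extract <form id="..."> blocks and the names of the inputs inside them.
// A regex scan is enough for a served page whose markup the bank controls.
function extractFormFields(html) {
  const forms = {};
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const idMatch = /\bid\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const id = idMatch ? idMatch[1] : "(anonymous)";
    const names = [];
    const inputRe = /<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
    let im;
    while ((im = inputRe.exec(m[2])) !== null) names.push(im[1]);
    forms[id] = names;
  }
  return forms;
}

// Return the unexpected (injected) field names per form; {} means clean.
function findInjectedFields(html, expected = EXPECTED_FIELDS) {
  const found = extractFormFields(html);
  const injected = {};
  for (const [id, names] of Object.entries(found)) {
    const allowed = new Set(expected[id] || []);
    const extra = names.filter((n) => !allowed.has(n));
    if (extra.length) injected[id] = extra;
  }
  return injected;
}

// Constructed sample pages: the genuine form, and the same form after a
// webinject added two fields asking for data the bank never requests.
const CLEAN_PAGE = `<form id="login-form" method="post">
  <input type="text" name="username"><input type="password" name="password">
  <input type="hidden" name="csrf_token"></form>`;
const INJECTED_PAGE = `<form id="login-form" method="post">
  <input type="text" name="username"><input type="password" name="password">
  <input type="hidden" name="csrf_token">
  <input type="text" name="sms_code"><input type="text" name="card_pin"></form>`;
```

In a real deployment the result of findInjectedFields would be reported to the bank's fraud telemetry rather than returned locally; because an inject can also tamper with the page's scripts, this is a heuristic signal for the fraud team, not a guarantee.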
The overall impression this campaign gives is that the operators are trying to fly under the radar by keeping distribution strictly targeted. The reason is obvious: focused infections are more profitable and attract less unwanted attention.
The operators are also most likely relying on account and device takeover schemes built on Ursnif v2's custom hidden virtual network computing (VNC) module.
The Ursnif Trojan has been around for a long time, at least a decade, which makes it one of the longest-standing banking Trojans ever created. The malware was first uncovered in 2007, and it has been changing ever since. Ursnif's code was leaked in 2010, which led to its reuse in Gozi-branded campaigns. Later, the source code was reused once again in the Neverquest and GozNym banking Trojans.
Researchers also highlight the fact that “for the entire year of 2016 through 2017, Ursnif v2 has been one of the top players in the financial cybercrime arena, both in terms of its code evolution and attack volumes”.
How to stay protected against banking Trojans such as Ursnif v3
Even though Ursnif v3 is currently targeting specific banks, it is well known that cybercrime gangs are quick to shift their methods and targets. All online users should keep in mind that banking Trojans are always on the loose, especially around the winter holidays, when online activity (shopping included) rises.
Consider implementing the tips below to improve your daily online hygiene and to reduce the risk of becoming a victim of malware.
- Make sure to use additional firewall protection. A second firewall adds a further layer of defence against potential intrusions.
- Make sure that your programs have less administrative power over what they read and write on your computer; require them to prompt you for administrator access before starting.
- Use stronger passwords. Stronger passwords (preferably ones that are not dictionary words) are harder to crack by several methods, including brute forcing, which relies on word lists of common passwords.
- Turn off AutoPlay. This protects your computer from malicious executable files on USB sticks or other external storage media that would otherwise run as soon as the device is inserted.
- Disable file sharing. If you do need to share files between your computers, password-protect the shares so that an infection stays confined to your own machine.
- Switch off any remote services you do not need. Exposed remote services can be devastating for business networks, since an attacker can use them to cause damage on a massive scale.
- If a third-party service or process that is not critical to Windows (such as Flash Player) is known to be actively exploited, disable it until an update that fixes the vulnerability is available.
- Make sure to update your software and OS and apply critical security patches in a timely manner.
- Configure your mail server to block and delete suspicious file attachments in emails.
- If you have a compromised computer in your network, isolate it immediately by powering it off and physically disconnecting it from the network.
- Turn off infrared ports or Bluetooth; attackers frequently use them to exploit devices. If you use Bluetooth, monitor any unknown devices that prompt you to pair, decline them, and investigate any suspicious ones.
- Employ a powerful anti-malware solution to protect yourself from any future threats automatically.