Hackers are testing out this updated banking malware with added stealthy attacks

The new version of the Ursnif trojan comes with new attack techniques.
Image: iStock
Security-Frontline-安全前线
A new version of the Ursnif banking trojan is being tested out in the wild with modifications to the code and new attack techniques in an attempt to make the malware even more effective.

最近,大批公司大量的业务信息和客户记录泄露。数据安全问题应该引起公司高层的足够重视。
Part of the same malware family as Gozi, the new version of Ursnif comes with redirection attacks which use fake versions of banking websites in order to steal login information and financial data from victims.
Researchers at IBM X-Force note that some of the most significant changes in this third incarnation of Ursnif are in the code injecting mechanism, to such an extent that it’s likely that this version of the malware has been built by different developers to that of the second version.
It’s likely that Ursnif version three is still in its trial period because version two is still active in the wild.
The new version of Ursnif was first spotted in August in what researchers have identified as the start of a testing period in which those behind the malware have been careful to keep the malware hidden, to such an extent that the resources behind it were taken offline after each trial.
In this case, the trials have seen those behind Ursnif using the redirection attacks against business and corporate banking customers in Australia.
It appears that those behind Ursnif are following in the footsteps of other banking trojans such as Dridex and Trickbot by adding redirection attacks to the attack formula. Researchers note that the redirection scheme is implemented through the configuration file and not embedded into the code itself.
See also: What is phishing? Everything you need to know to protect yourself from scam emails and more
When active, the Ursnif attack looks as if it is connecting to the real bank website for the victim, all the while handing their credentials to the cyber criminasl behind the scheme.
“The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar,” said Limor Kessem, Executive Security Advisor at IBM.
“At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank’s fraud detection mechanisms,” she added.
Meanwhile, researchers at FireEye have also observed a seperate new technique being employed by Ursniff in the form of deploying malicious TLS (Thread local storage) callbacks.
TLS callbacks are a standard part of the Windows operating system designed to to provide additional support for initialization and termination for per-thread data structures. However, the new version of Ursnif is manipulating TLS callbacks as an anti-analysis trick.
Like many malicious campaigns, Ursnif is delivered to victims via malicious phishing emails. In this instance, researchers uncovered the malware being distributed in messages claiming to be confirmation of a supply order asking targets to open and sign a review document. If the review document is clicked on, it’ll start the process of malware infection.
Researchers say the Ursnif’s new techniques demonstrate how cyber criminals are continually re-developing malware in order to make it more effective.
READ MORE ON CYBER CRIMEGozi banking malware mastermind ordered to pay $7 million in damagesNew trojan malware campaign sends users to fake banking site that looks just like the real thingThis malware will steal your Twitter and Facebook accounts [CNET] Hackers are making their malware more powerful by copying WannaCry and Petya ransomware tricks New ‘Marcher’ malware attacks Android users’ banking accounts [TechRepublic]
Related Topics:
Security TV
Data Management
微博客户端多种多样,特别是移动客户端的普及,微博服务也越来越重视内容通讯的安全,要从网关层面完全控制员工的微博行为困难重重,所以加强技术控管时,一定要加强员工对微博的安全使用的教育。

猜您喜欢

信息安全第一课——丢弃毁坏的U盘
网络战争取胜关键在于普通网民
Cyber Security Law 网络安全法宣传视频《网络安全法》背景知识
印媒:印度“拿下”新加坡军事基地 影响力延至南海
DUTCH-TECH HESTUBER
安全意识学习互动游戏