Ursnif Trojan Adopts New Code Injection Technique

Hackers are testing a new variation of the Ursnif Trojan aimed at Australian bank customers that uses a novel code injection technique.

IBM X-Force researchers report that since the summer of 2017, Ursnif (also known as Gozi) samples have been tested in the wild by a new malware developer. The samples are a noteworthy upgrade over previous versions.
“This finding is significant because it suggests that a new group has joined the cybercrime arena and is specifically operating in Australia, where malware gangs such as TrickBot and Dridex already have a firm foothold,” wrote Limor Kessem, executive security adviser with IBM Security in a technical analysis of the Ursnif Trojan sample.
Most notable to this variant are modifications to the code injection techniques and attack strategies, Kessem said.
“In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information without tripping the bank’s fraud detection mechanisms,” she wrote.
Separately, researchers at FireEye said in research posted last week that they have been tracking the same new Ursnif variant.
FireEye also noted the variant’s novel use of malicious Thread Local Storage (TLS) callbacks to achieve process injection. The TLS in question is the PE Thread Local Storage directory, whose callback functions the Windows loader invokes before a process’s entry point, not Transport Layer Security.
“We recently came across an Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting into a child process. Though many of the malware binaries (or their packers) use some variation of GetThreadContext/SetThreadContext or CreateRemoteThread Windows API functions to change the entry point of the remote process during injection, this sample (and the related cluster) is using a relatively lesser-known stealth technique,” wrote Abhay Vaish and Sandor Nemes with FireEye’s Threat Research team.
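To make concrete what the Windows loader consults in this technique, the following Python script is an added example (not code from FireEye, IBM or the Ursnif sample): it parses a PE32/PE32+ image, walks the TLS data directory to the NULL-terminated callback array the loader runs before the entry point, and reports any callback whose address falls outside the image’s own sections. An injector that plants its payload elsewhere in the child and rewrites that array leaves exactly such a pointer behind. The sample PE it builds is constructed in memory for illustration, and the “callback outside image sections” rule is an assumed heuristic for triaging dumped images, not a signature for this variant.

```python
import struct

# Index of the TLS entry in the optional header's data directory (IMAGE_DIRECTORY_ENTRY_TLS).
IMAGE_DIRECTORY_ENTRY_TLS = 9


def _section_table(pe, pe_off):
    """Return (name, rva, virtual_size, raw_offset, raw_size) for every section header."""
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    first = pe_off + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        o = first + i * 40
        name = pe[o:o + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_off = struct.unpack_from("<IIII", pe, o + 8)
        sections.append((name, rva, max(vsize, raw_size), raw_off, raw_size))
    return sections


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset, or None if no section's raw data covers it."""
    for _name, sec_rva, vsize, raw_off, raw_size in sections:
        if sec_rva <= rva < sec_rva + vsize:
            delta = rva - sec_rva
            return raw_off + delta if delta < raw_size else None
    return None


def tls_callbacks(pe):
    """Parse a PE32/PE32+ image and return (image_base, sections, [callback VAs])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 24  # optional header starts after the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
        ndirs_off, dirs_off, ptr_fmt, ptr_size = opt + 92, opt + 96, "<I", 4
    elif magic == 0x20B:  # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
        ndirs_off, dirs_off, ptr_fmt, ptr_size = opt + 108, opt + 112, "<Q", 8
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = _section_table(pe, pe_off)
    ndirs = struct.unpack_from("<I", pe, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return image_base, sections, []
    tls_rva, _size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    tls_off = _rva_to_offset(sections, tls_rva) if tls_rva else None
    if tls_off is None:
        return image_base, sections, []
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (fourth pointer-sized field), SizeOfZeroFill, Characteristics.
    callbacks_va = struct.unpack_from(ptr_fmt, pe, tls_off + 3 * ptr_size)[0]
    arr_off = _rva_to_offset(sections, callbacks_va - image_base) if callbacks_va else None
    callbacks = []
    while arr_off is not None and arr_off + ptr_size <= len(pe):
        va = struct.unpack_from(ptr_fmt, pe, arr_off)[0]
        if va == 0:  # the callback array is NULL-terminated
            break
        callbacks.append(va)
        arr_off += ptr_size
    return image_base, sections, callbacks


def audit_tls_callbacks(pe):
    """Return [(callback VA, owning section name or None)]. None means the pointer leaves
    the image's own sections, which is what a planted callback looks like (heuristic)."""
    image_base, sections, callbacks = tls_callbacks(pe)
    report = []
    for va in callbacks:
        rva = va - image_base
        owner = next((s[0] for s in sections if s[1] <= rva < s[1] + s[2]), None)
        report.append((va, owner))
    return report


def build_sample_pe(callback_vas, image_base=0x400000):
    """Constructed minimal PE32 (not a real binary): .text at RVA 0x1000 and .rdata at
    RVA 0x2000 holding a TLS directory whose callback array lists callback_vas."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # section / file alignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x2000, 24)

    def section(name, rva, raw_off):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x200, rva, 0x200, raw_off, 0, 0, 0, 0, 0x60000020)

    headers = (dos + coff + opt + section(b".text", 0x1000, 0x200)
               + section(b".rdata", 0x2000, 0x400)).ljust(0x200, b"\0")
    text = b"\xC3" * 0x200                                       # placeholder code (RET)
    tls_dir = struct.pack("<IIIIII", 0, 0, image_base + 0x2100, image_base + 0x2020, 0, 0)
    callback_array = b"".join(struct.pack("<I", va) for va in callback_vas) + b"\0" * 4
    rdata = (tls_dir.ljust(0x20, b"\0") + callback_array).ljust(0x200, b"\0")
    return bytes(headers + text + rdata)


if __name__ == "__main__":
    clean = build_sample_pe([0x401010, 0x401040])
    planted = build_sample_pe([0x401010, 0x600000])  # second callback points outside the image
    for label, sample in (("clean", clean), ("planted", planted)):
        for va, owner in audit_tls_callbacks(sample):
            print("%-8s callback 0x%08x -> %s" % (label, va, owner or "OUTSIDE IMAGE SECTIONS"))
```

Run against a process image dumped from memory rather than the on-disk file, since the array is patched in the child after it is mapped; a callback that resolves to no section of the mapped image is the signal worth chasing.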
For years, Ursnif has targeted Japan along with North America, Europe and Australia. Ursnif is a widespread threat that was discovered in 2007. Its original targets were online banking wire systems in English-speaking countries. That changed in 2010, when source code for the Trojan was accidentally leaked, which led to the development of Ursnif v2, a version that adopted web-injection techniques and also carries a hidden VNC (virtual network computing) feature.
In its recent campaigns targeting Australian bank customers, Ursnif has been using malspam to reach its victims. That has included emails with fake supply orders that lure recipients into following links to electronically sign and review documents.
“After clicking on the “REVIEW DOCUMENT” button, the malware downloads a ZIP file named YourMYOBSupply_Order.zip,” FireEye describes. “The ZIP file contains a malicious JavaScript file that, when executed, will download and execute the Ursnif/Gozi-ISFB payload.”
Both FireEye and X-Force said that this latest sample indicates a more sophisticated malware author has improved the v3 Ursnif code to be stealthier and evade malware signature detection.
From 2016 through 2017, X-Force said, Ursnif (or Gozi) has been a top player in terms of both code evolution and attack volume.
In October, attackers behind Ursnif made Japan one of their top targets. In those campaigns, authors behind Ursnif didn’t just target banks, but also credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.