Hackers are testing out this updated banking malware with added stealthy attacks

An updated Trojan can trick users into entering their credentials into fake bank websites.
Written by Danny Palmer, Senior Writer

A new version of the Ursnif banking Trojan is being tested out in the wild with code modifications and new attack techniques that attempt to make it even more effective.

Part of the same malware family as Gozi, the new version of Ursnif comes with redirection attacks which use fake versions of banking websites to steal login information and financial data from victims.

Researchers at IBM X-Force said that some of the most significant changes in the third incarnation of Ursnif are in its code-injection mechanism; it has been altered to such an extent that this version of the malware has likely been built by different developers from those behind the second version.

The new version of Ursnif was first spotted in August in what researchers have identified as the start of a testing period in which those behind the malware have been careful to keep the malware hidden, to such an extent that the resources behind it were taken offline after each trial. It's thought that Ursnif version three is still in its trial period, because version two is still active in the wild.

It appears that those behind Ursnif are following in the footsteps of other banking Trojans such as Dridex and Trickbot by adding redirection attacks to the attack formula. Researchers note that the redirection scheme is implemented through the configuration file and not embedded into the code itself.

The new version of the Ursnif trojan comes with new attack techniques.

Image: iStock

When active, the Ursnif attack appears to the victim as if it is connecting to their real bank website, all the while handing their credentials to the cybercriminals behind the scheme.

"The malware maintains a live connection with the bank's legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim's address bar," said Limor Kessem, executive security advisor at IBM.

"At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank's fraud detection mechanisms," she added.

The trials of the third version of Ursnif have seen those behind the Trojan using its redirection attacks against business and corporate banking customers in Australia.

Meanwhile, researchers at FireEye have also observed a separate new technique being employed by Ursnif in the form of deploying malicious TLS (thread local storage) callbacks.

TLS callbacks are a standard part of the Windows operating system, designed to provide additional support for the initialisation and termination of per-thread data structures. However, the new version of Ursnif is manipulating TLS callbacks as an anti-analysis trick.
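Because a PE image's TLS callbacks run before its entry point, code placed there executes before an analyst's usual first breakpoint. A quick triage check, therefore, is to enumerate the TLS directory of a suspicious executable. The following parser is an added example written for this article, not code from the researchers or from Ursnif, and it exercises itself on a constructed minimal PE32+ image rather than a real binary; `find_tls_callbacks` and `build_sample_pe64` are names chosen here.

```python
import struct

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table entries (vsize, va, raw_size, raw_ptr)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} not backed by any section")

def find_tls_callbacks(pe):
    """Return the TLS callback VAs a PE32/PE32+ image registers, or [] if it has no TLS directory."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24                                             # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                                            # PE32+: 8-byte ImageBase at +24, data dirs at +112
        fmt, base_off, dirs = "<Q", 24, opt + 112
    elif magic == 0x10B:                                          # PE32: 4-byte ImageBase at +28, data dirs at +96
        fmt, base_off, dirs = "<I", 28, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    image_base = struct.unpack_from(fmt, pe, opt + base_off)[0]
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]             # NumberOfRvaAndSizes precedes the directories
    tls_rva = struct.unpack_from("<I", pe, dirs + 9 * 8)[0] if ndirs > 9 else 0   # IMAGE_DIRECTORY_ENTRY_TLS == 9
    if tls_rva == 0:
        return []
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8) for i in range(nsect)]
    psize = struct.calcsize(fmt)
    # AddressOfCallBacks is the 4th pointer-sized field of IMAGE_TLS_DIRECTORY and holds a VA, not an RVA
    cb_va = struct.unpack_from(fmt, pe, _rva_to_off(sections, tls_rva) + 3 * psize)[0]
    callbacks = []
    if cb_va:
        off = _rva_to_off(sections, cb_va - image_base)
        while (cb := struct.unpack_from(fmt, pe, off)[0]) != 0:   # the array is NULL-terminated
            callbacks.append(cb)
            off += psize
    return callbacks

def build_sample_pe64(callbacks, base=0x140000000, rva=0x1000, raw=0x200):
    """Constructed (not a real binary) minimal PE32+ with one section holding a TLS directory and its callback array."""
    tls = struct.pack("<QQQQII", 0, 0, 0, base + rva + 40, 0, 0)  # AddressOfCallBacks points right after the 40-byte dir
    cbs = b"".join(struct.pack("<Q", c) for c in callbacks) + bytes(8)
    opt = (struct.pack("<H", 0x20B).ljust(24, b"\0") + struct.pack("<Q", base)).ljust(108, b"\0")
    opt += struct.pack("<I", 16) + bytes(72) + struct.pack("<II", rva, 40) + bytes(48)   # 16 dirs, TLS = entry 9
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = b".rdata\0\0" + struct.pack("<IIII", raw, rva, raw, raw) + bytes(16)
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + coff + opt + sect
    return head.ljust(raw, b"\0") + (tls + cbs).ljust(raw, b"\0")
```

Any non-empty list returned for a sample that is not expected to use TLS is worth a closer look in the debugger, with a breakpoint on each listed address rather than on the entry point.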

Like many malicious campaigns, Ursnif is delivered to victims through phishing emails. In this instance, researchers found the malware was being distributed in messages claiming to be a confirmation of an order, and asking targets to open and sign a review document. If the review document is clicked on, it'll start the process of malware infection.

Researchers say Ursnif's new techniques demonstrate how cybercriminals are continually redeveloping malware in order to make it more effective.
