A new variant of an infamous banking Trojan malware with a history going back over ten years has emerged with new tactics to ensure it's harder to detect.The malware aims to hunt out financial information, usernames, passwords and other sensitive data.
The Ursnif banking Trojan is one of the most popular forms of information-stealing malware targeting Windows PCs and it has existed in one form or another since at least 2007, when the its code first emerged in the Gozi banking Trojan.
It has become highly popular in recent years after the source code was leaked to GitHub, allowing cyber criminals across the world to take it and add new features to the malware.
Now researchers at security company Cybereason have uncovered a new, previously undocumented version of Ursnif which applies different, stealthier infection tactics than other campaigns.
This includes what researchers refer to as "last minute persistence" - a means of installing the malicious payload which tries to ensure a lower chance of being uncovered.
"The "last minute persistence" is a very clever and stealthy mechanism, where the malware will write its persistence key and files just before the system shuts down, so it's not present on the disk for more than few seconds while the machine is turned on," said Assaf Dahan, senior director of threat hunting at Cybereason.
Only when the user logs on again is Ursnif run and injected, before the registry keys and malware installation files are deleted, with the aim of giving security software little chance of discovering it.
Those behind this Ursnif campaign also deploy a multi-stage dropping process to ensure the lowest chance of detection and the greatest rate of success.
The attack begins with what researchers describe as researchers describe as generic but quite effective phishing emails which ask the victim to open an attachment – in most cases it's a fake invoice, which asks users to enable macros.
If this request is follows, it enables execution of a PowerShell command which downloads an image hosted on a file-sharing site – stenography is employed to hide a payload within the image, which once decrypted, begins the next stage of the process.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
This payload is Bebloh, a banking trojan in its own right, but this campaign uses as a dropper for Ursnif. Researchers believe that the first banking trojan is deployed in an effort to ensure the target isn't in fact a sandbox on a virtual machine, so as to avoid Ursnif being deployed into an environment where it can be analysed.
Following another series of tests to double check it isn't running inside what it perceives as a hostile environment, the new Ursnif payload is run on the infected machine.
In addition to the new persistence mechanism, this version of Ursnif comes with new stealer functions allowing the attacker to make off with more than just bank details and passwords – it can also steal data from some emails and browsers, potentially providing a goldmine of sensitive information.
Microsoft Outlook, Internet Explorer and Mozilla Thunderbird appear to be particularly targeted as attackers look for additional supplies of stolen data. This version of Ursnif also comes with the ability to steal from bitcoin and other cryptocurrency wallets
"In recent years, we see that banking trojans are engaging more and more in information stealing, and not only after financial data. This could be tied to the shift in users' behaviour who favour mobile online banking as well as the efficiency of security products protecting end users as well as banks from online theft and fraud," says Dahan.
This particular Ursnif campaign appears to be focused on Japan and Japanese banks to the extent that if the malware detects that the computer isn't located within Japan, it will terminate itself to avoid detection in other countries.
Researchers haven't been able to identify the operation behind the latest Ursnif campaign, Dahan told ZDNet there's evidences to suggest it's related to the Cutwail Botnet, a cyber criminal operation which has been active since 2007 – the same year in which the code behind Ursnif first emerged.
Cybereason have provided the Indicators of Compromise and advice for on avoiding infection in their analysis of Ursnif.
READ MORE ON CYBER CRIME