Ursnif Trojan Adopts New Code Injection Technique

Researchers have found a variant of Ursnif Trojan they said is a “v3 build” that targets Australian bank customers with new redirection attack techniques.

Hackers are testing a new variation of the Ursnif Trojan aimed at Australian bank customers that utilizes novel code injection techniques.

Since the summer of 2017, IBM X-Force researchers report that Ursnif (or Gozi) samples have been tested in wild by a new malware developer. The samples are a noteworthy upgrade from previous versions.

“This finding is significant because it suggests that a new group has joined the cybercrime arena and is specifically operating in Australia, where malware gangs such as TrickBot and Dridex already have a firm foothold,” wrote Limor Kessem, executive security adviser with IBM Security in a technical analysis of the Ursnif Trojan sample.

Most notable to this variant are modifications to the code injection techniques and attack strategies, Kessem said.

“In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information without tripping the bank’s fraud detection mechanisms,” she wrote.

Separately, researchers at FireEye noted, in research posted last week, they also have been tracking the same new Ursnif variant.

FireEye also noted the variant’s novel use of a malicious Thread Local Storage (TLS) callback techniques to achieve process injection.

“We recently came across a Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting to child process. Though many of the malware binaries (or their packers) use some variation of GetThreadContext/SetThreadContext or CreateRemoteThread Windows API functions to change the entry point of the remote process during injection, this sample (and the related cluster) is using a relatively lesser-known stealth technique,” wrote Abhay Vaish and Sandor Nemes with FireEye’s Threat Research team.

For years, Ursnif has targeted Japan along with North America, Europe and Australia. Ursnif is a widespread threat that was discovered in 2007. Original targets were online banking wire systems in English-speaking countries. That changed in 2010, when source code for the Trojan was accidentally leaked. That lead to the development of Ursnif v2 that adopted web-injection techniques and also leverages a hidden virtual network computing feature.

In its recent campaigns targeting Australian bank customers, Ursnif has been using malspam to reach its victims. That has included emails with fake supply orders that lure recipients to follow links to electrically sign and review documents.

“After clicking on the “REVIEW DOCUMENT” button, the malware downloads a ZIP file named YourMYOBSupply_Order.zip,” FireEye describes. “The ZIP file contains a malicious JavaScript file that, when executed, will download and execute the Ursnif/Gozi-ISFB payload.”

Both FireEye and X-Force said that this latest sample indicates a more sophisticated malware author has improved the v3 Ursnif code to be stealthier and evade malware signature detection.

Between 2016 through 2017, X-Force said Ursnif (or Gozi) has been a top player when it comes to code evolution and attack volumes.

In October, attackers behind Ursnif made Japan one of their top targets. In those campaigns, authors behind Ursnif didn’t just target banks, but also credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

Suggested articles