Ursnif, also known as Dreambot or the Gozi trojan, has raised the stakes in the cyber threat landscape. The trojan has been spotted in numerous attack campaigns, and its authors continue to extend its capabilities so that it does far more than steal victims’ banking credentials.
Discovery - Ursnif is a banking trojan that was discovered in 2007. The malware was primarily designed to steal banking information from compromised Windows computers in English speaking countries.
Propagation - The malware can spread to connected network shares and removable drives. To do so, it injects code into one of the following processes: chrome.exe, explorer.exe, firefox.exe, iexplore.exe, opera.exe, safari.exe and services.exe.
Once the code is injected, it searches for specific file types, such as .exe, .pdf and .msi, to carry the infection forward. The malware can also copy itself to a removable drive under the file name temp.exe.
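The injection stage described above is detectable from endpoint telemetry: a process that is not a known-good source creating a remote thread in one of the listed target processes is exactly the signal a hunter would look for. The following is an added example, not code from the original page or from any vendor report on Ursnif; it assumes process-injection telemetry is available as Sysmon Event ID 8 (CreateRemoteThread) records, modelled here as plain dictionaries, and the allowlist of benign sources is a hypothetical placeholder to be tuned per environment. The sample events are constructed for the example, not real captures.

```python
"""Flag cross-process thread creation into the processes Ursnif is reported to inject into.

Assumptions (not from the page): events are Sysmon Event ID 8 records with
SourceImage/TargetImage fields; BENIGN_SOURCES is a hypothetical allowlist.
"""
import os
from typing import Iterable

# Target process names listed on the page for the Ursnif injection stage.
URSNIF_INJECTION_TARGETS = {
    "chrome.exe", "explorer.exe", "firefox.exe", "iexplore.exe",
    "opera.exe", "safari.exe", "services.exe",
}

# Hypothetical allowlist of processes that legitimately create remote threads
# in those targets. Tune per environment; this is an assumption, not page content.
BENIGN_SOURCES = {"csrss.exe", "msmpeng.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_suspicious_remote_thread(event: dict) -> bool:
    """True when a non-allowlisted process creates a thread in an Ursnif target process."""
    src = _basename(event.get("SourceImage", ""))
    dst = _basename(event.get("TargetImage", ""))
    if dst not in URSNIF_INJECTION_TARGETS:
        return False
    if src in BENIGN_SOURCES:
        return False
    # A process creating a thread in another instance of itself (e.g. a browser
    # spawning a renderer) is not the cross-process injection we care about.
    return src != dst


def flag_injections(events: Iterable[dict]) -> list:
    """Return the subset of events that match the injection pattern."""
    return [e for e in events if is_suspicious_remote_thread(e)]


def removable_drive_dropper_paths(drive_roots: Iterable[str], exists=os.path.exists) -> list:
    """Return paths where the dropper name from the page (temp.exe) sits at a drive root.

    `exists` is injectable so the check can be exercised without real media.
    """
    hits = []
    for root in drive_roots:
        candidate = root.rstrip("\\/") + os.sep + "temp.exe"
        if exists(candidate):
            hits.append(candidate)
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\temp.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\Downloads\invoice.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


if __name__ == "__main__":
    for hit in flag_injections(SAMPLE_EVENTS):
        print("suspicious remote thread:", hit["SourceImage"], "->", hit["TargetImage"])
```

Only the first sample event is flagged: the second comes from an allowlisted source, the third is a browser creating a thread in another instance of itself, and the fourth targets a process that is not on the Ursnif list. In production the allowlist should be derived from baseline telemetry rather than hard-coded, and the temp.exe root-of-drive check is best paired with a hash or signature check, since the file name alone is a weak indicator.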
Lately, the malware authors have been distributing the trojan via email. To make the emails appear legitimate, they use sender and recipient addresses harvested from previously compromised Ursnif victims, so a message can arrive from a contact the target has actually corresponded with.
Capabilities - A successful Ursnif infection gives attackers complete remote access to the affected system. The trojan can capture screenshots, steal and clear cookies, steal certificates, reboot the machine, exfiltrate a log file containing user information, terminate processes and download additional malicious payloads.
The trojan also collects information about the victim’s PC, such as installed drivers, installed programs and a list of running services. It attempts to steal passwords and credentials saved in Windows Protected Storage, and it targets credentials for cloud storage, webmail and cryptocurrency exchanges. To do this, it takes screenshots, logs keystrokes and exfiltrates certificates.
Variants - Several variants of Gozi trojan have been observed over the years.
In February 2019, a new wave of Ursnif attacks was observed against Italian companies. The campaign combined steganography, hiding the payload inside image files to evade content inspection, with the AtomBombing code-injection technique, which abuses the Windows global atom table to write code into another process without the usual injection API calls.
Given the extensive capabilities of the Ursnif trojan, it is believed that attackers will continue to evolve the malware and use it for more sophisticated attacks.