Researchers have discovered a new variant of the Ursnif (aka Gozi) banking trojan that is actively targeting online banking users in Italy. The operators of this campaign are using Cerberus malware to sharpen the attack penetration.
What was discovered?
Ursnif is being delivered to Italian victims via malicious email attachments, typically posing as some business correspondence such as an invoice or some delivery notification.
The infection chain usually comprises poisoned macros embedded inside productivity files commonly used in organizations. In some cases, attackers were observed specifically targeting Italian-based IP addresses.
Once infected with the malware, users are tricked into downloading the Cerberus Android malware in the guise of a security app.
Cerberus allows the attackers to receive two-factor authentication codes sent by the banks, which can be leveraged for further fraudulent activities.
In addition, it can allow attackers to obtain lock-screen codes and even take control of the infected device remotely.
The combination of Ursnif and Cerberus is basically used to take control of the victim’s smartphone, and get past the security barriers to target the financial apps installed on the phone.
After getting infected with Ursnif, the victims are told via a web injection that they are required to install a security app. A QR code is displayed, which victims are required to scan to download the app.
The QR code leads to a fake Google Play page that displays the logo and branding of the bank that the victim attempted to access. The domains hosting the page are typo-squatted domains that appear legitimate to normal eyes.
In case the QR code option is not feasible for victims, they are asked to provide a phone number on which they would receive an SMS with a link to download the fake app.
When Cerberus is installed, it is used as a component that helps bypass the two-factor authentication via SMS and make fraudulent transactions.
Although this Ursnif-Cerberus combo is probably observed for the first time, however, this combination is not entirely surprising. The idea is that the combination of banking malware and authentication bypass malware can cause a huge dent in the pockets of users. Therefore, users are recommended to avoid clicking on suspicious URLs received via text messages or emails.