Security analysts have identified a new phishing campaign that spreads the Ursnif banking Trojan to computer users around the world. The operators distribute the Trojan through a spam email campaign: each message carries a malicious document, and the document misleads the recipient into downloading the Ursnif executable. Researchers identified two main components of the distribution chain: a spam botnet that sends the malicious emails, and hacked web servers that host the Trojan. According to the researchers, the spam botnet concentrates on infecting computers in Japan, Germany, Australia, Spain and Poland.
Researchers have also reported a new version of Ursnif whose source code has been slightly modified so that it now uses servers hosted on the Tor anonymity network to hide its C&C (command and control) infrastructure. Ursnif is also known as Gozi ISFB, an offshoot of the original Gozi banking Trojan whose source code was leaked online in 2014. Other banking Trojans, such as GozNym, were later built on that code. Throughout 2016, a large number of spam emails, most of them written in Japanese, were sent to computer users in Japan; Shiotob (also known as URLZone or Bebloh) was the most widely distributed malware, identified in 7 million spam mails.
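The two observable stages above (a document attachment followed shortly by an executable download, and C&C traffic routed toward Tor) can be turned into a simple triage check over web proxy logs. The script below is an added example, not code from the article or from the researchers it cites. It assumes a space-separated proxy log of the form `<epoch> <client_ip> <method> <url> <content_type>`, a 600-second document-to-executable window, and a list of Tor hidden-service and Tor2web gateway suffixes; all of these, and the sample log lines, are constructed for the example.

```python
"""Proxy-log triage for a document-then-executable delivery chain and
Tor-routed C&C contact.  Added example; log format, window and gateway
list are assumptions, not data from the article."""
import os
import re
from urllib.parse import urlparse

# Assumed log format: "<epoch> <client_ip> <method> <url> <content_type>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")

DOC_EXT = (".doc", ".docx", ".xls", ".xlsm", ".rtf")
EXE_EXT = (".exe", ".scr", ".dll")
EXE_CTYPE = "application/x-msdownload"
# Assumed suffixes: native .onion names plus common Tor2web gateway domains.
TOR_GATEWAY_SUFFIXES = (".onion", ".onion.to", ".onion.link", ".onion.ws")
WINDOW_SECONDS = 600  # assumed: how soon after a document an executable is suspicious


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ctype = m.groups()
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "ctype": ctype}


def path_ext(url):
    """Lower-cased file extension of the URL path ('' if none)."""
    return os.path.splitext(urlparse(url).path.lower())[1]


def is_tor_gateway(url):
    """True if the URL host is a .onion name or a Tor2web gateway."""
    host = (urlparse(url).hostname or "").lower()
    return any(host.endswith(s) for s in TOR_GATEWAY_SUFFIXES)


def triage(lines):
    """Return (finding, client, url) tuples for the two indicators.

    doc_then_exe: an executable fetched by a client within WINDOW_SECONDS
                  of that client fetching an Office/RTF document.
    tor_gateway_contact: any request toward a .onion or Tor2web host.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_doc = {}  # client_ip -> most recent document fetch
    findings = []
    for e in events:
        if is_tor_gateway(e["url"]):
            findings.append(("tor_gateway_contact", e["client"], e["url"]))
        ext = path_ext(e["url"])
        if ext in DOC_EXT:
            last_doc[e["client"]] = e
        elif ext in EXE_EXT or e["ctype"] == EXE_CTYPE:
            doc = last_doc.get(e["client"])
            if doc and e["ts"] - doc["ts"] <= WINDOW_SECONDS:
                findings.append(("doc_then_exe", e["client"], e["url"]))
    return findings


# Constructed sample log: one host follows the full chain, another only
# downloads an executable with no preceding document.
SAMPLE_LOG = [
    "1484000000 10.0.0.5 GET http://mail-attach.example/invoice.doc application/msword",
    "1484000120 10.0.0.5 GET http://compromised-site.example/img/update.exe application/x-msdownload",
    "1484000300 10.0.0.5 GET http://abcdefghij.onion.to/gate.php text/html",
    "1484000400 10.0.0.9 GET http://example.org/setup.exe application/x-msdownload",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

The document-then-executable rule is deliberately narrow (same client, short window) so that ordinary software updates on their own do not fire it; the Tor rule fires on any gateway contact because a corporate client should not normally be reaching hidden services at all.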
Ursnif Banking Trojan Used For Downloading Secondary Payload
In the second half of 2016, the banking-credential-stealing malware was used only to download a secondary payload. The researcher says, "Millions of spam mails are attacking Japanese recipients, and some of the affected users could be running a dangerous banking Trojan and a spam bot simultaneously. Though it is quite difficult to figure out the exact number of users infected by the Ursnif banking Trojan via the spam email campaign, the number is significantly increasing among Japan-based IP addresses." Most of the payloads distributed through the spam emails were either banking Trojans or downloaders that the attackers adapted to the target country.
As a result, Ursnif and Shiotob were delivered in Japan and Australia; Tinba and Ursnif in Spain and Poland; Ursnif and KINS in Germany and Italy. The attackers spread the malware by copying the harmful files onto multiple servers. Between April 2015 and January 2017, the analysts found more than 200 malicious files on 74 servers used by the criminals. Most of the compromised web servers belonged to small-to-medium-sized or personal business sites in Europe that had not been maintained for several years. A breakdown of the malware found on these servers shows that Ursnif accounted for around half of the samples; Andromeda, Zeus, Pushdo, KINS, Shiotob and Rovnix were also among the families reported.