Ursnif Variant Adds Redirection to Attack Aussie Targets

A fresh version of the Ursnif banking trojan is being tested in the wild, using newly incorporated redirection attacks.

IBM X-Force research detected the variation—the third major overhaul for the Gozi-based malware since its launch a decade ago—starting with very minor testing over the summer; now, larger yet still limited campaigns have started. What’s notable is that its authors have made modifications on the code-injection level and to attack tactics.

As to the latter, the malware’s operators have opted to begin using redirection attacks to target business and corporate banking customers in Australia. Target lists from November showed that the malware’s operators dedicated a general configuration to small banks and credit unions in Australia and added a few other, bank-specific configurations dedicated to launching redirection attacks against business and corporate banking customers.

“In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar,” X-Force researchers explained, in an analysis. “At that point, the malicious actors can use webinjections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank’s fraud detection mechanisms.”

The redirection tactic is interesting given that Gozi, a close relative of Ursnif that has recently been spotted attacking Japanese businesses for the first time, also now targets business and corporate banking users with redirection attacks, a sophisticated tactic currently used by cybergangs such as Dridex, GootKit and TrickBot.

“This finding is significant because it suggests that a new group has joined the cybercrime arena and is specifically operating in Australia, where malware gangs such as TrickBot and Dridex already have a firm foothold,” X-Force researchers noted. “Generally speaking, the lion’s share of the malware’s DNA was adopted from the leaked Gozi ISFB code….[however], the v3 developer added some original ideas as well….this recent iteration of Ursnif, although using an existing code base, should be considered a separate development, since it is likely to be further modified over time.”
