Ursnif: The Latest Evolution of the Most Popular Banking Malware

From securityaffairs.co

ZLab Yoroi-Cybaze dissected another attack wave of Ursnif Trojan, aka Gozi ISFB, an offspring of the original Gozi which source code was leaked in 2014.


A few days ago, the researchers of ZLab Yoroi-Cybaze dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi which source code was leaked in 2014. Ursnif/Gozi is active from over a decade and was one of the most active malware listed in 2017 and 2018. Today it constantly reaches several organization across Italy presenting itself in several ways, for instance as a malicious document delivered through email. 

The malware has evolved over time and has added functionality, in fact, apart from collecting banking credentials it is also able to collect keystrokes, cryptocurrencies, screenshots, webmail, integrating spyware features together with banking Trojans features.

During their investigations, researchers of ZLab Yoroi-Cybaze intercept a new variant of this malware delivered through malspam campaign towards Italian companies. This latest Ursnif variant shows the same modus operandi: a malicious document in which is embedded an highly obfuscated VBA macro that acts as a first stage dropper.

The Ursnif Threat Evolution

According to Microsoft since its appearance in 2009, Ursnif has shown incredible capabilities to steal users’ credentials, credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites while remaining more stealthiness as possible. It uses many advanced trick to evade several sandboxes environment and today is the most popular malware spreading in the wild. ZLab researchers have studied many samples in the past to profile the techniques used by the malware, to track its evolution and sophistication over time.

Read more…