‘Ursnif’ is a banking trojan and a modification of dangerous malware. It is observed that it spreads through different automated exploit kits, spear-phishing attachments, and malicious links. It can be primarily associated with data theft, and it also spreads through various unauthorized means such as a backdoor, spyware, queue injectors, etc.
Once the system is affected by the virus, the malware starts to handle the system. When the user starts a Word or Excel file, it automatically activates the macro virus. This trojan uses exploits to start legitimate software like Outlook, which in turn launches ‘cmd.exe’ only to generate PowerShell. If a strike targets certain country, the malware verifies where the victim was at that time. Next, PowerShell downloads and runs the final load which is Ursnif itself. Finally, Ursnif starts malicious activities and injects its code into the ‘explorer.exe’ process. If the injection fails due to any reason, then it will originate a new ‘svchost.exe’ process and inject it into the browser again.
After that, Ursnif will proceed to pin the APIs of common web browsers such as Chrome, Opera, Internet Explorer, and Firefox. Next, the malware will begin observing web activity and steal the payment information as soon as the victim visits a banking or a payment webpage.
The banking malware often spreads through the native language that is luring e-mail. Among numerous countries in the world, Ursnif malware has considerably affected Italy.
On March 4, 2021, Avast researchers observed that some usernames, passwords, credit card information, banking, and payment information seem to be stolen from Ursnif victims by the malware operatives. There was also confirmation of over 100 Italian banks targeted in the information obtained and over 1,700 stolen credentials for an individual payment processor.
The analysis team has taken the initiative to share this information with the payment processors and banks so they could identify the real culprit. The team has also shared this with financial services information-sharing groups such as CERTF in Italy.
The Avast community said: With this information, these companies and institutions are taking action to protect their customers or users from this malicious software. They also assist and help their customers in recovering from the impact as quickly as possible. Avast also says that “It believes firmly in information sharing to secure everyone on the internet, and this is an example of how Avast Threat Labs research can help and protect not just customers but everyone on the internet”. People should keep in mind the casualties caused by this malware to enjoy safe surfing.
By Navya Swarup (Campus Ambassador, WCSF)