A dangerous malware that steals banking information

The code of this malware has existed for more than a decade, although there is always a malicious actor willing to update it

Network security and ethical hacking specialists from the International Institute of Cyber Security report the emergence of a new variant of an old malware. A well-known banking Trojan, which emerged about 10 years ago, has rose again with new techniques that make it harder to detect. This malware primarily searches for victims’ financial information, usernames, passwords, among other data.

This trojan, known as Ursnif, is one of the most known banking malware and used for information theft. It is mainly used in computers with Windows operating system and its existence is known at least since 2007, report the specialists in network security.

The malware has taken relevance in recent times, as its source code was published on GitHub, with what was put within the reach of any user, regardless of its aims. They have been primarily malicious hackers the ones interested in accessing source code and adding new features to malware.

Specialists of a network security firm recently discovered a new version of this Trojan, equipped with new techniques of evasion of antivirus software. Among the new features included in the malware, you will find the call  “last minute persistence”, to install the payload of the malware without being detected.

“This is an intelligent and almost undetectable mechanism, malware writes its persistence key just before the system is turned off. It only takes a few seconds to be activated”, the specialists commented. When the victim restarts his system, the Trojan runs and injects to minimize the chances that the antivirus system will detect it.

The attack can start using phishing emails to send a file attachment to the victim, a fake invoice, for example, by asking users to activate the macros. If this is achieved, a PowerShell is enabled that downloads an image hosted on a file-sharing platform. The payload is hidden in the image using stenography techniques.

In addition to last-minute persistence, the new version of malware includes other features that allow you to collect lots of information, such as email logs and browser data, which could open the door to other attack variants.

This campaign of attacks seems to be active mainly in Japan and Japanese banks. It has even been discovered that if the malware detects that a computer is not in Japanese territory, it will be eliminated to avoid further detection.