New Phishing Campaign Drops Ursnif into Conversation Threads

Filed under Security Alerts.

A new phishing campaign spotted this September shows increased sophistication from the operators, who take over email accounts and insert a banking trojan in conversation threads.

The malware comes through replies to existing discussions, a powerful social engineering approach likely to guarantee a high rate of success because it relies on the familiar context the victim already trusts.

The lure for installing the malware is an attached document which, once launched, springs a routine for retrieving the latest version of Ursnif malware. It runs only on systems running Windows Vista and above and avoids machines with Russian or Chinese locales.

Although the malicious replies come from someone known to the victim, there are red flags that should make them look suspicious: a sudden change of language from French to English, generic wording that does not fit the thread, or an odd-looking signature at the end of the message.

A deeper inspection of the email reveals that there is no spoofing of the “Return-Path” or “Reply-To” headers. Instead, the victim's replies would go back to the original account, suggesting that the threat actor can log into it.
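The header check described above can be turned into a simple triage rule. The following is an added example, not code from the original article or from Trend Micro's report: it parses a reply message, reports whether Return-Path and Reply-To agree with the visible From address, and notes whether a document attachment rides on an existing thread. The sample messages, addresses and Message-IDs are constructed placeholders, and the list of document extensions is an assumption.

```python
"""Header-consistency triage for replies that carry document attachments.

Added example (not from the original article or Trend Micro's report).
Consistent sender headers on a malicious reply point to a compromised
account rather than header spoofing, which is the pattern the article
describes.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumption: extensions treated as document lures. Extend as needed.
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf")

# Constructed sample: a reply whose headers all agree, carrying a .doc file.
# Addresses, names and Message-IDs are placeholders, not real indicators.
SAMPLE_CONSISTENT_REPLY = """\
Return-Path: <alice@partner.example>
From: Alice Example <alice@partner.example>
To: bob@victim.example
Subject: RE: Facture
In-Reply-To: <thread-123@victim.example>
References: <thread-123@victim.example>
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached document.
--sep
Content-Type: application/octet-stream; name="document.doc"
Content-Disposition: attachment; filename="document.doc"

(binary placeholder)
--sep--
"""

# Constructed sample: same lure, but Reply-To is redirected elsewhere.
SAMPLE_SPOOFED_REPLY = SAMPLE_CONSISTENT_REPLY.replace(
    "To: bob@victim.example\n",
    "To: bob@victim.example\nReply-To: alice@mailbox.example\n",
)


def analyze_reply(raw_message: str) -> dict:
    """Parse one RFC 5322 message and return the indicators a triage analyst checks."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()

    # A mismatch means the bounce or reply address was steered away from the
    # visible sender. No mismatch means replies really reach that mailbox,
    # so a malicious message implies the account itself is in use.
    header_mismatch = (bool(return_path) and return_path != from_addr) or (
        bool(reply_to) and reply_to != from_addr
    )
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    documents = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(DOCUMENT_EXTENSIONS)
    ]

    if in_thread and documents and not header_mismatch:
        verdict = "reply from genuine account with document lure: check for account compromise"
    elif in_thread and documents:
        verdict = "reply with redirected headers and document lure: likely spoofed"
    elif documents:
        verdict = "new message with document attachment: review"
    else:
        verdict = "no document lure"

    return {
        "from": from_addr,
        "in_thread": in_thread,
        "header_mismatch": header_mismatch,
        "documents": documents,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("consistent", SAMPLE_CONSISTENT_REPLY),
                         ("spoofed", SAMPLE_SPOOFED_REPLY)):
        print(name, analyze_reply(sample))
```

The useful point for a defender is the first verdict: when the headers are consistent and the reply still carries an unexpected document, the right follow-up is with the sending organisation (a possible compromised mailbox), not a spoofing filter.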

Security researchers from Trend Micro believe that the malware-laced replies were sent from the US, and they discovered that many messages went out in September from multiple accounts on the same host.

“What we can assume from the headers is that the attacker has somehow gotten hold of an authentic account and is using this account for the BEC-like scam,” Trend Micro writes in a report.

The investigators noticed that these attacks were similar to what Cisco Talos detected in an earlier campaign that dropped the Ursnif banking trojan, also known as Gozi.

Malware targets organizations in various sectors

Apart from gathering details about the system, the software available, the processes running, the drivers installed and the network devices present, Ursnif also looks for email credentials, cookies, and certificates.

Its old functionality for stealing financial information via web injection has not been removed.

An analysis of the malware variant showed that it uses the Tor network to communicate with the command and control (C2) servers and its main goal is to steal information.

The recent phishing operation seems to focus on organizations in the education, financial and energy sectors in North America and Europe.

It is not limited to these regions and verticals, though, as it has been seen in Asia and Latin America, attacking victims in real estate, transportation, and manufacturing industries.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.