A new phishing campaign spotted this September shows increased sophistication from the operators, who take over email accounts and insert a banking trojan in conversation threads.
The malware comes through replies to existing discussions, a powerful social engineering approach likely to yield a high success rate because it relies on the familiar context the victim already trusts.
The lure for installing the malware is an attached document which, once launched, springs a routine for retrieving the latest version of Ursnif malware. It runs only on systems running Windows Vista and above and avoids machines with Russian or Chinese locales.
Although the malicious replies come from someone known to the victim, there are red flags that should raise suspicion: a sudden switch of language from French to English, a generic message body, or an odd-looking signature at the end of the message.
A deeper inspection of the email reveals that there is no spoofing of the “return-path” or “reply-to” headers. Instead, any reply from the victim would go to the original account, suggesting that the threat actor can log into it.
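The two observations above (the visible red flags in a hijacked reply, and the fact that Return-Path and Reply-To are consistent with From because a genuine account is being used) can be turned into a simple triage script. The following is an added example, not code from the original article or from Trend Micro; it builds a constructed sample message (domains, names and attachment bytes are all made up) and checks header consistency, a language switch between the new text and the quoted thread, a reply-style subject, and Office-style document attachments. The language guess is a deliberately crude stop-word heuristic, an assumption of this example rather than anything the article describes.

```python
"""Triage checks for a suspected thread-hijack reply (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Small stop-word sets for a crude language guess (assumption of this example).
FRENCH_WORDS = {"bonjour", "merci", "votre", "vous", "pour", "concernant", "facture", "cordialement"}
ENGLISH_WORDS = {"please", "the", "attached", "document", "let", "know", "regards", "find"}
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf")


def build_sample() -> bytes:
    """Constructed sample (not a real capture): a reply in a French thread whose
    new text is English and whose sender headers all agree, as the report notes."""
    msg = EmailMessage()
    msg["Return-Path"] = "<alice@partner.example>"
    msg["From"] = "Alice Martin <alice@partner.example>"
    msg["Reply-To"] = "alice@partner.example"
    msg["To"] = "bob@victim.example"
    msg["Subject"] = "RE: Facture du mois"
    msg.set_content(
        "Please find the attached document and let me know.\n"
        "\n"
        "Regards\n"
        "A.M\n"
        "\n"
        "> Bonjour Alice, merci pour votre retour concernant la facture.\n"
        "> Cordialement, Bob\n"
    )
    # Placeholder bytes standing in for an attached document; not a real file.
    msg.add_attachment(b"placeholder bytes, not a real document",
                       maintype="application", subtype="msword",
                       filename="facture.doc")
    return msg.as_bytes()


def address_domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_header_domains(msg) -> dict:
    return {
        "from": address_domain(str(msg.get("From", ""))),
        "return_path": address_domain(str(msg.get("Return-Path", ""))),
        "reply_to": address_domain(str(msg.get("Reply-To", ""))),
    }


def headers_spoofed(msg) -> bool:
    """True when Return-Path or Reply-To points somewhere other than From.
    A hijacked genuine account passes this check, so it must not be the only one."""
    d = sender_header_domains(msg)
    return any(v and v != d["from"] for v in (d["return_path"], d["reply_to"]))


def guess_language(text: str) -> str:
    """Crude stop-word vote: 'fr', 'en' or 'unknown' on a tie (including empty text)."""
    words = {w.strip(".,!?:;()").lower() for w in text.split()}
    fr, en = len(words & FRENCH_WORDS), len(words & ENGLISH_WORDS)
    if fr == en:
        return "unknown"
    return "fr" if fr > en else "en"


def thread_languages(msg) -> tuple:
    """Language guess for (new text, quoted earlier thread) in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    new_lines = [line for line in body.splitlines() if not line.startswith(">")]
    quoted = [line.lstrip("> ") for line in body.splitlines() if line.startswith(">")]
    return guess_language("\n".join(new_lines)), guess_language("\n".join(quoted))


def document_attachments(msg) -> list:
    """Filenames of attachments with Office-style document extensions."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(DOCUMENT_EXTENSIONS)]


def triage(raw: bytes) -> dict:
    """Run all checks over a raw RFC 5322 message and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    new_lang, old_lang = thread_languages(msg)
    return {
        "header_spoofing": headers_spoofed(msg),
        "language_switch": (old_lang != "unknown" and new_lang != "unknown"
                            and old_lang != new_lang),
        "document_attachments": document_attachments(msg),
        "is_reply": str(msg.get("Subject", "")).lower().startswith(("re:", "tr:", "fw:")),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run as a script it prints the four findings for the constructed message: no header spoofing, a language switch from the quoted French thread to English new text, a reply subject, and one document attachment. The point of the design is that the header check alone is silent for this campaign; combining it with the thread-level signals the article lists is what makes the reply stand out.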
Security researchers from Trend Micro believe that the malware-laced replies come from the US and they discovered that many messages were sent out in September from multiple accounts of the same host.
“What we can assume from the headers is that the attacker has somehow gotten hold of an authentic account and is using this account for the BEC-like scam,” Trend Micro writes in a report.
The investigators noticed that these attacks were similar to what Cisco Talos detected in an earlier campaign that dropped the Ursnif banking trojan, also known as Gozi.
Malware targets organizations in various sectors
Apart from gathering details about the system, the software available, the processes running, the drivers installed and the network devices present, Ursnif also looks for email credentials, cookies, and certificates.
Its old functionality for stealing financial information via web injection has not been removed.
An analysis of the malware variant showed that it uses the Tor network to communicate with the command and control (C2) servers and its main goal is to steal information.
The recent phishing operation seems to focus on organizations in the education, financial and energy sectors in North America and Europe.
It is not limited to these regions and verticals, though, as it has been seen in Asia and Latin America, attacking victims in real estate, transportation, and manufacturing industries.