Starting in the summer of 2017, IBM X-Force research detected a new variation of the Ursnif Trojan being tested in the wild. The malware is based on the same malcode of the original Ursnif Trojan (aka Gozi ISFB), but features some modifications on the code injection level and to attack tactics.

Beyond these changes, the internal build number has also changed to indicate v3 increments versus the existing v2 builds, making this iteration an upgrade of sorts that was most likely undertaken by a different malware developer.

X-Force noted that while changes were most significant in the code injection mechanism, the malware’s operators also opted to develop redirection attacks to target business and corporate banking customers in Australia. The redirection scheme is implemented through the configuration file and not embedded into the code itself.

This finding is significant because it suggests that a new group has joined the cybercrime arena and is specifically operating in Australia, where malware gangs such as TrickBot and Dridex already have a firm foothold. Another notable issue is that Gozi v3 targets business and corporate banking users with redirection attacks, a sophisticated tactic currently used by cybergangs such as Dridex, GootKit and TrickBot.

Ursnif v2 variants are active in the wild alongside this recent version.

Ursnif 2, Ursnif 3 …

X-Force initially identified Ursnif v3 around August 2017. During what appeared to be a testing phase, the malware’s operators seemed very careful to keep the malware silent, promptly taking resources offline soon after each minor test. X-Force has been following this development and now sees an increase in activity and more elaborate malware configurations.

Generally speaking, the lion’s share of the malware’s DNA was adopted from the leaked Gozi ISFB code, and the developer kept most parts of the original code injection method. At some point in the code injection flow, the v3 developer added some original ideas as well. X-Force noted that the changes apparently aim to shuffle things up, move away from hooking the same APIs and improve the code over time. This recent iteration of Ursnif, although using an existing code base, should be considered a separate development, since it is likely to be further modified over time.

The differentiating points also include an activity turf for v3, focused exclusively in Australia at this time, versus v2 variants, which are active all over the world and have been especially prevalent in Japan as of the third quarter of 2017.

A First for Ursnif: Redirection Attacks

Ursnif v3 is the first iteration of this malware that uses redirection attacks, which is another way in which it differs from active v2 variants.

Target lists fetched in November 2017 showed that the malware’s operators dedicated a general configuration to small banks and credit unions in Australia and added a few other, bank-specific configurations dedicated to launching redirection attacks against business and corporate banking customers.

In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use webinjections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank’s fraud detection mechanisms.

Starting Out Small

In terms of campaign size, Gozi v3 is flying under the radar, keeping distribution limited and targeted. This is likely because, like other gang-owned Trojans nowadays, its operators are more interested in focused infections to target businesses rather than spreading far and wide and attracting unwanted attention.

In terms of the attack method, X-Force researchers noted that the attackers are likely relying on account and device takeover schemes using Ursnif v2’s custom hidden virtual network computing (hVNC) module.

About Ursnif

The Ursnif Trojan has been active in the wild for at least a decade. The code base is one of the longest-standing banking Trojans in the wild today. It was first discovered in 2007 when it was operated by a closed group of developers and cybercriminals, but has since evolved in various directions. Ursnif’s code was leaked in 2010, giving rise to its reuse in subsequent Gozi operations. It was then used as the core code for the Neverquest and GozNym Trojans, to name a few.

Although Ursnif varieties have come and gone since 2007, over the past few years, X-Force has been tracking an ongoing project that is believed to operate in a crime-as-a-service model. The central part of that operation is an Ursnif variation that X-Force research dubbed Ursnif v2/Gozi v2 after the last major upgrade of that code base. That specific malware has been extremely active, especially in the past two years, regularly attacking banking customers in different parts of the world, including North America, Europe and Japan.

X-Force noted that for the entire year of 2016 through 2017, Ursnif v2 has been one of the top players in the financial cybercrime arena, both in terms of its code evolution and attack volumes.

Figure 1: Top most prevalent financial malware families, 2017 YTD (Source: IBM X-Force)

New Actors Enter Banking Malware Arena

In the past give years, the banking malware arena has increasingly become a playing field on which organized crime thrives. As gangs die out, new ones enter the cybercrime arena, but code sophistication and operational savvy continue to paint the picture of nefarious groups that drive an ever-evolving threat landscape.

In early November 2017, X-Force released information about a new banking Trojan dubbed IcedID, yet another group looking to target banks and, more specifically, business accounts. Gozi v3 joins an existing group of actors whose target lists reveal similar intentions.

To help mitigate the risk posed by banking Trojans, please refer to our malware mitigation tips. Banks should also consider implementing fraud protection solutions to protect their customers against evolving financial threats such as Ursnif.

Read the white paper: How digital banking is transforming fraud detection

More from Malware

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…