Starting in the summer of 2017, IBM X-Force research detected a new variation of the Ursnif Trojan being tested in the wild. The malware is based on the same malcode of the original Ursnif Trojan (aka Gozi ISFB), but features some modifications on the code injection level and to attack tactics.
Beyond these changes, the internal build number has also changed to indicate v3 increments versus the existing v2 builds, making this iteration an upgrade of sorts that was most likely undertaken by a different malware developer.
X-Force noted that while changes were most significant in the code injection mechanism, the malware’s operators also opted to develop redirection attacks to target business and corporate banking customers in Australia. The redirection scheme is implemented through the configuration file and not embedded into the code itself.
This finding is significant because it suggests that a new group has joined the cybercrime arena and is specifically operating in Australia, where malware gangs such as TrickBot and Dridex already have a firm foothold. Another notable issue is that Gozi v3 targets business and corporate banking users with redirection attacks, a sophisticated tactic currently used by cybergangs such as Dridex, GootKit and TrickBot.
Ursnif v2 variants are active in the wild alongside this recent version.
Ursnif 2, Ursnif 3 …
X-Force initially identified Ursnif v3 around August 2017. During what appeared to be a testing phase, the malware’s operators seemed very careful to keep the malware silent, promptly taking resources offline soon after each minor test. X-Force has been following this development and now sees an increase in activity and more elaborate malware configurations.
Generally speaking, the lion’s share of the malware’s DNA was adopted from the leaked Gozi ISFB code, and the developer kept most parts of the original code injection method. At some point in the code injection flow, the v3 developer added some original ideas as well. X-Force noted that the changes apparently aim to shuffle things up, move away from hooking the same APIs and improve the code over time. This recent iteration of Ursnif, although using an existing code base, should be considered a separate development, since it is likely to be further modified over time.
The differentiating points also include an activity turf for v3, focused exclusively in Australia at this time, versus v2 variants, which are active all over the world and have been especially prevalent in Japan as of the third quarter of 2017.
A First for Ursnif: Redirection Attacks
Ursnif v3 is the first iteration of this malware that uses redirection attacks, which is another way in which it differs from active v2 variants.
Target lists fetched in November 2017 showed that the malware’s operators dedicated a general configuration to small banks and credit unions in Australia and added a few other, bank-specific configurations dedicated to launching redirection attacks against business and corporate banking customers.
In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use webinjections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank’s fraud detection mechanisms.
Starting Out Small
In terms of campaign size, Gozi v3 is flying under the radar, keeping distribution limited and targeted. This is likely because, like other gang-owned Trojans nowadays, its operators are more interested in focused infections to target businesses rather than spreading far and wide and attracting unwanted attention.
In terms of the attack method, X-Force researchers noted that the attackers are likely relying on account and device takeover schemes using Ursnif v2’s custom hidden virtual network computing (hVNC) module.
The Ursnif Trojan has been active in the wild for at least a decade. The code base is one of the longest-standing banking Trojans in the wild today. It was first discovered in 2007 when it was operated by a closed group of developers and cybercriminals, but has since evolved in various directions. Ursnif’s code was leaked in 2010, giving rise to its reuse in subsequent Gozi operations. It was then used as the core code for the Neverquest and GozNym Trojans, to name a few.
Although Ursnif varieties have come and gone since 2007, over the past few years, X-Force has been tracking an ongoing project that is believed to operate in a crime-as-a-service model. The central part of that operation is an Ursnif variation that X-Force research dubbed Ursnif v2/Gozi v2 after the last major upgrade of that code base. That specific malware has been extremely active, especially in the past two years, regularly attacking banking customers in different parts of the world, including North America, Europe and Japan.
X-Force noted that for the entire year of 2016 through 2017, Ursnif v2 has been one of the top players in the financial cybercrime arena, both in terms of its code evolution and attack volumes.
New Actors Enter Banking Malware Arena
In the past give years, the banking malware arena has increasingly become a playing field on which organized crime thrives. As gangs die out, new ones enter the cybercrime arena, but code sophistication and operational savvy continue to paint the picture of nefarious groups that drive an ever-evolving threat landscape.
In early November 2017, X-Force released information about a new banking Trojan dubbed IcedID, yet another group looking to target banks and, more specifically, business accounts. Gozi v3 joins an existing group of actors whose target lists reveal similar intentions.
To help mitigate the risk posed by banking Trojans, please refer to our malware mitigation tips. Banks should also consider implementing fraud protection solutions to protect their customers against evolving financial threats such as Ursnif.