Ursnif Trojan has targeted over 100 Italian banks | ZDNet

1,700 credentials were stolen from a single payment processor.

By Charlie Osborne for Zero Day | March 3, 2021 -- 14:09 GMT (14:09 GMT) | Topic: Security

The Ursnif Trojan has been traced back to attacks against at least 100 banks in Italy.

According to Avast, the malware's operators have a keen interest in Italian targets, and attacks against these banking institutions have led to the loss of credentials and financial data.

The cybersecurity firm said on Tuesday that at least 100 banks have been targeted, based on information gathered by the researchers.

In one case alone, an unnamed payment processor had over 1,700 sets of credentials stolen.

Avast found usernames, passwords, credit card, banking, and payment information that appears to have been harvested by the malware.

First discovered in 2007, Ursnif began its journey as a simple banking Trojan. The information stealer's source code was later leaked on GitHub, and it has since evolved into a more sophisticated tool: forks have been developed independently, and its code also appears as part of the Gozi banking malware.

Ursnif is usually spread via phishing emails -- such as invoice requests -- and attempts to steal financial data and account credentials.

Darktrace researchers documented a 2020 campaign in which the malware was used in an attack against a US bank. A phishing email was sent to an employee who unwittingly opened a malicious attachment, which downloaded an executable file disguised with a .cab extension.
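An executable carrying a .cab extension is cheap to spot if the file's contents are inspected rather than its name: a Windows executable starts with the "MZ" DOS header and points to a "PE\0\0" signature, while a real cabinet archive starts with "MSCF". The following check is an added example written for this article, not code from Darktrace, Avast or the malware; the sample file contents, the list of expected types per extension and the `check_attachment` helper are all constructed here.

```python
import os
import struct

# Magic-byte sniffer: identify what the file really is, ignoring its name.
def sniff_type(data: bytes) -> str:
    if data[:4] == b"MSCF":
        return "cab"                       # Microsoft cabinet archive
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"                # Windows PE executable (EXE/DLL/SCR)
        return "mz-executable"             # DOS stub without a PE header
    return "unknown"

# Constructed policy: which detected type each extension is allowed to carry.
EXPECTED_BY_EXT = {".cab": "cab", ".exe": "pe", ".dll": "pe", ".scr": "pe"}
EXECUTABLE_TYPES = {"pe", "mz-executable"}

def check_attachment(filename: str, data: bytes) -> dict:
    """Flag a file whose real type contradicts its extension.

    Known extensions must match exactly; for any other extension we only
    flag a genuine executable hiding behind a harmless-looking name.
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_type(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is not None:
        mismatch = detected != expected
    else:
        mismatch = detected in EXECUTABLE_TYPES
    return {"filename": filename, "claimed": ext, "detected": detected, "mismatch": mismatch}

# Constructed sample files (not real malware): a minimal PE header and a minimal CAB header.
def build_fake_pe() -> bytes:
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> offset of PE signature
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)

def build_fake_cab() -> bytes:
    return b"MSCF" + b"\0" * 32               # CFHEADER signature plus zeroed fields

if __name__ == "__main__":
    for name, blob in [("invoice.cab", build_fake_pe()),
                       ("update.cab", build_fake_cab()),
                       ("setup.exe", build_fake_pe()),
                       ("notes.txt", b"plain text")]:
        print(check_attachment(name, blob))
```

Run against the constructed samples, `invoice.cab` is reported as a PE with `mismatch` set, while a real cabinet named `update.cab` and an executable named `setup.exe` pass. The same sniffing can be applied at a mail gateway or proxy before a download ever reaches a user's desktop.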

This file called out to command-and-control (C2) servers registered in Russia only a day prior to the launch of the campaign, so the IP addresses were not yet on any blocklist at the time of infection. An evasion technique noted in this attack was the use of HTTP User-Agent strings imitating Zoom and Webex clients in order to blend into legitimate network traffic.
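Two details in that description are detectable on their own, even when the destination has never been seen before: a client claiming to be Zoom or Webex should only be talking to those vendors' domains, and infrastructure stood up the day before is unusually young. The script below is an added example for this article, not Darktrace's detection logic; the proxy log format, the vendor domain lists and the domain-registration lookup table are all constructed stand-ins (a real deployment would query WHOIS or passive DNS for domain age).

```python
import ipaddress
import re
from datetime import date

# Constructed proxy log: timestamp, source IP, destination host, quoted User-Agent.
SAMPLE_LOG = """\
2020-06-02T09:14:07Z 10.0.4.21 zoom.us "Mozilla/5.0 ZoomWebKit/1.0 (Zoom)"
2020-06-02T09:15:41Z 10.0.4.21 203.0.113.10 "Zoom 5.0.2 (Windows NT 10.0)"
2020-06-02T09:16:03Z 10.0.4.33 updates-cdn-review.example "Cisco Webex Teams/3.0"
2020-06-02T09:17:55Z 10.0.4.33 webex.com "Cisco Webex Teams/3.0"
2020-06-02T09:18:12Z 10.0.4.40 www.example.org "Mozilla/5.0 (Windows NT 10.0) Firefox/77.0"
"""

# Constructed allowlist: domains a genuine client of each product is expected to contact.
VENDOR_DOMAINS = {"zoom": ("zoom.us",), "webex": ("webex.com", "cisco.com")}

# Constructed stand-in for a WHOIS / passive-DNS domain-age lookup.
REGISTRATION_DATES = {"updates-cdn-review.example": date(2020, 6, 1)}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, ua = m.groups()
    return {"ts": ts, "src": src, "host": host, "ua": ua}

def claimed_vendor(ua: str):
    """Return which meeting client the User-Agent claims to be, if any."""
    ua_l = ua.lower()
    for vendor in VENDOR_DOMAINS:
        if vendor in ua_l:
            return vendor
    return None

def host_matches_vendor(host: str, vendor: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS[vendor])

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_age_days(host: str, today: date):
    reg = REGISTRATION_DATES.get(host)
    return None if reg is None else (today - reg).days

def find_suspicious(log_text: str, today: date = date(2020, 6, 2), max_age_days: int = 30):
    """Flag requests whose User-Agent impersonates a vendor client but go elsewhere."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        vendor = claimed_vendor(rec["ua"])
        if vendor is None or host_matches_vendor(rec["host"], vendor):
            continue
        reasons = [f"user-agent claims {vendor} but destination {rec['host']} is not a {vendor} domain"]
        if is_ip_literal(rec["host"]):
            reasons.append("destination is a bare IP address")
        age = domain_age_days(rec["host"], today)
        if age is not None and age <= max_age_days:
            reasons.append(f"domain registered {age} day(s) ago")
        alerts.append({**rec, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert["ts"], alert["src"], "->", alert["host"], "|", "; ".join(alert["reasons"]))
```

On the constructed log this raises two alerts: the "Zoom" client talking to a bare IP address, and the "Webex" client talking to a domain registered a day earlier. The genuine-looking Zoom and Webex sessions and the ordinary Firefox request produce nothing, which is the point of keying on the mismatch between what the User-Agent claims and where the traffic actually goes rather than on a blocklist the attacker has already outrun.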

Darktrace has also tracked the malware in attacks against organizations in the US and Italy.

Avast has shared its findings with the victim banks the company was able to identify, alongside CERTFin Italy, a financial services data exchange managed by the Bank of Italy and the Italian Banking Association (ABI).