Ursnif banking Trojan loves New Zealand and Australia as its targets

24 Jan 2018

The Ursnif banking Trojan seems to love Australia and New Zealand, based on findings that show its ‘disproportionate prevalence’ in the two countries.

Researchers from Proofpoint called out the phenomenon in 2016. To follow up, the researchers have spent the last three months observing the Trojan’s movements.

Ursnif, or Gozi-ISFB, uses stealth techniques to infect machines and steal information including banking credentials and profiles of infected PCs.

Researchers say the Trojan has been heavily distributed in campaigns against Australian users, masquerading under genuine brand names including Tax Store Australia and Xero.

Tax Store Australia is described as a network of accounting and tax professionals. Cybercriminals have used the brand to distribute the Ursnif Trojan, probably because it is a recognisable and compelling brand.

New Zealand-based accounting software firm Xero has also been targeted by Ursnif.

“While Proofpoint can only speculate as to why Ursnif appears more frequently in campaigns than other malware strains, banking Trojans must necessarily be configured for specific banks, businesses, etc., with web injects targeting users of these organisations.” 

Attackers may use one particular banking Trojan affiliate ID for a single region so they don’t have to reconfigure for targets in other regions. This also allows attackers to maximise returns, researchers explain.

They suspect that a threat actor by the name of TA543, otherwise known as Sagrid, is behind many of the attacks.

The threat actor has been known to abuse email services such as Mailchimp, Sendgrid and Constant Contact to send large volumes of spam. TA543 has also apparently used Microsoft SharePoint to host malware.

Ursnif is not the only malware thought to be targeting Australian users. The Locky ransomware and Trick banking Trojan have also been spotted, while other credential-stealing malware such as CoreBot and Zloader were used on occasion.

Researchers say the CoreBot malware is sophisticated in its ability to steal information and conduct man-in-the-middle attacks, but it is still under development. It has not reached the heights of other banking Trojans, but it has been used against Australian financial organisations in Q4 2017.

Zloader is a banking malware that targets Windows machines. It was also used against Australia and other regions and included an Android malware variant in the same spam email.

“Threat actors tend to follow the money, so if more lucrative options become available, it is likely that they will look to other malware strains. For now, they appear to be following a pattern Proofpoint has observed in other regions with banking Trojans like Dridex in which actors engage in extended distribution in a region before switching to other types of malware,” researchers explain.

They suggest that email defence and protection at the network’s edge are essential as part of a layered strategy to stop attacks like Ursnif.

End user training should also help people to identify social engineering and malicious email. It can also help to stop them clicking links or documents that can lead to infection.
