The two countries account for nearly 75 percent of infections related to the newly discovered variant, which infects files to steal information and execute malicious code. PE infectors typically either use a host file to execute their code or execute their own code before the host file's. The Ursnif variant, PE_URSNIF.A-O, however, inserts the host file into its own resource section.
The variant infects all .PDF, .EXE and .MSI files found on all removable drives and network drives. It also tricks the user into believing that an opened file is functioning properly even though it is infected.
Trend Micro's researchers describe this variant's move to file infection as a strategic one that helps it avoid detection.
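Because the variant carries the original host file inside its own resource section, one triage check is to look for a second PDF, PE or MSI header inside a PE file's `.rsrc` section. The sketch below is an added example, not Trend Micro's detection logic; the function names and the skeletal sample built by `build_sample` are constructed for illustration.

```python
import struct

# Magic bytes of the file types the article says the variant infects.
MAGICS = {b"MZ": "PE", b"%PDF-": "PDF", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "MSI/OLE"}

def is_pe(data, off=0):
    """True if a DOS header at `off` points to a valid PE signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    return data[off + lfanew:off + lfanew + 4] == b"PE\0\0"

def rsrc_bounds(data):
    """Return (file_offset, size) of the .rsrc raw data, or None if absent."""
    if not is_pe(data):
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    try:
        nsec, = struct.unpack_from("<H", data, pe + 6)
        table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
        for hdr in range(table, table + 40 * nsec, 40):
            if data[hdr:hdr + 8].rstrip(b"\0") == b".rsrc":
                size, ptr = struct.unpack_from("<II", data, hdr + 16)
                return ptr, size
    except struct.error:  # truncated or malformed headers
        return None

def embedded_files(data):
    """List (file_offset, kind) for file headers found inside .rsrc."""
    start, size = rsrc_bounds(data) or (0, 0)
    end = min(start + size, len(data))
    hits = []
    for magic, kind in MAGICS.items():
        pos = data.find(magic, start, end)
        while pos != -1:
            if kind != "PE" or is_pe(data, pos):  # ignore stray "MZ" bytes
                hits.append((pos, kind))
            pos = data.find(magic, pos + 1, end)
    return sorted(hits)

def build_sample(payload):
    """Constructed input: skeletal PE whose only section, .rsrc, holds `payload`."""
    h = bytearray(0x200)
    h[:2], h[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x80)            # e_lfanew
    struct.pack_into("<H", h, 0x86, 1)               # NumberOfSections
    struct.pack_into("<H", h, 0x94, 0xE0)            # SizeOfOptionalHeader
    h[0x178:0x180] = b".rsrc\0\0\0"                  # section header at 0x80+24+0xE0
    struct.pack_into("<II", h, 0x188, len(payload), 0x200)  # raw size, raw pointer
    return bytes(h) + payload
```

Legitimate installers and self-extracting archives also keep executables in their resources, so a hit is a reason to inspect the file further, not a verdict on its own.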