New Ursnif variants being tested in the wild are using redirection attacks to target Australian banks and malicious TLS callback techniques to achieve process injection.
The malware is based on the same code as the original Ursnif trojan, aka Gozi ISFB, but features modifications to the code injection level and to attack tactics, IBM Executive Security Advisor Limor Kessem said in a Nov. 28 blog post.
Kessem also noted the malware appears to be in a testing phase with its authors taking extra steps to keep the malware silent by taking resources offline after each minor test. She said the malware operators opted to develop the redirection scheme, which is implemented through the configuration file and not embedded into the code itself, to target business and corporate banking customers.
The majority of the new malware's DNA was adopted from the leaked Gozi ISFB code and the developer kept most parts of the original code injection method. The redirection attack diverts victims to a fake website hosted on an attacker controlled server.
“The malware maintains a live connection with the bank's legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim's address bar,” Kessem said in the post. “At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information (PII) without tripping the bank's fraud detection mechanisms.”
The new malware suggests that a new group has joined the Australian cybercrime arena where cybergangs such as TrickBot and Dridex already have a foothold. So far, the malware authors appear to be laying low by keeping distribution limited and targeted as opposed to spreading infections far and wide and attracting unwanted attention.
FireEye researchers also observed an Ursnif variant employing malicious TLS callback Techniques to achieve process injection.
“We recently came across a Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting to child process,” researchers said in the Nov. 28 blog post. “Though many of the malware binaries (or their packers) use some variation of GetThreadContext/SetThreadContext or CreateRemoteThread Windows API functions to change the entry point of the remote process during injection, this sample (and the related cluster) is using a relatively lesser-known stealth technique.”
Researchers said this deviation from the norm may cause some generic unpackers or tools to break following the execution flow if they do not account for the technique.
The variant they spotted was being distributed via spam emails for a “MYOB Supply Order.” The email contained a button to review the document attached which upon clicking, downloads as a Zip file that contains a malicious JavaScript file that, when executed, will download and execute the Ursnif/Gozi-ISFB payload.
The FireEye researchers said the newer method they've seen shows threat actors are equipping their malware with stealthier techniques as well as modifying the malware to evade signatures.
