Ursnif Online Banking Malware Sneakier Than Ever

Since 2007, the highly successful banking Trojan called Ursnif has been making waves. Once found in the popular Gozi banking Trojan, Ursnif has been around in one form or another for over ten years. Researchers recently noticed that over time and with the help of hackers, Ursnif has reinvented itself bigger and sneakier than ever before. This latest version focuses on Microsoft Outlook, Internet Explorer, and Mozilla Thunderbird users. It employs new data-stealer functions, pilfering more than just financial data, including email and browser data. Not to be outdone, the latest Ursnif version also steals cryptocurrency from e-wallets.

The way Ursnif finds its way into systems is nothing new. Generic phishing emails simply ask recipients to open an attachment, likely a fake invoice asking users to enable macros. Once that’s done, the banking and info-stealing malware goes to work. As popularity is a big part of the new Ursnif, it doesn’t help that source code for the Trojan was posted to GitHub in 2017. That posting allowed cybercriminals the world over to grab the malware for themselves and add their own personal hacking touches. Taking that into account, it’s really no surprise Ursnif resurfaced more cunning than ever.

The vexing new persistence of Ursnif is enabled by “last minute persistence,” a way of installing the malware that is very difficult to detect. It writes its own persistence and key files, which disappear seconds after a device is turned on, but not before the malware is installed. Ursnif also avoids detection by double-checking that it is not being deployed in a hostile environment that could lead to detection. Security experts are seeing malware such as this engaging more often in information stealing, and not limiting it to financial information.

To prevent Ursnif and other malware from landing on your devices, keep them updated at all times. When you see that little notification that something needs an update, just do it. Make sure you have anti-malware installed on your devices, even Apple devices, and that it is kept updated and runs frequent scans.

As always, watch out for phishing attempts. Don’t open attachments or click links that are not expected, are from unknown persons, or that you can’t identify as legitimate.