The Ursnif malware family is back, this time targeting the private data and financial activity of German, Russian and English-speaking users, Bitdefender warns.
Fig 2. Spam email in German
Fig 3. Spam email in Russian
Infection Data
According to data from Bitdefender’s antispam labs, some 10000 emails were sent as part of a global spam campaign targeting mostly Russian, German and English-speaking users.
Known as a spyware family, Ursnif specializes in information gathering but is also capable of compromising a system completely. Ursnif usually propagates through spam emails: it hides inside an attached archive and waits for the user to manually extract and run it on the system. The sample analyzed by Bitdefender can carry out a variety of operations, depending on the instructions it receives from its operators.
It can sniff credentials and other data related to Microsoft Outlook:
System data:
Certificates and private keys from these locations:
Ursnif can also restart the system, modify files in the Windows directory, collect or delete cookies, and spy on the user’s browsing history. It can also take screenshots of the device screen.
The collected data is saved in temporary folders and is transmitted via HTTP to C&C servers whose domain names are generated from text taken from the US declaration.
The encrypted code has a section which contains configuration data that may change from sample to sample. In this case, the configuration data contains URLs and details about different banking services and processes.
Fig 4. Decrypted config file
Bitdefender detects and blocks this threat as Gen:Variant.Kazy.616358 (MD5 hash d2eed7c7a412246816ce3f9c67c40b39).
Bitdefender advises users to regularly update their AV solution in order to fend off keyloggers, spyware and other persistent threats.
This article is based on the technical information provided courtesy of Bitdefender Senior Antispam Researcher Adrian MIRON, malware researchers Victor LUNCASU, Alexandru RUSU and Ivona CHILI.
Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs.