‘Ursnif’ Back in Action in Italy Leveraging Leaked ‘Cerberus’ Code

  • Italian malware distributors now combine Ursnif with Cerberus to grab OTP codes and bypass 2FA.
  • The actors are diligent and methodical, tailoring the web pages and notices their targets see on the desktop.
  • The infection starts via SMS or email, containing a URL that leads to a typo-squat Play Store domain.

The ‘Ursnif’ (aka ‘Gozi’) banking trojan is back in action in Italy, targeting a wide spectrum of banking users with mobile malware. According to a report by IBM’s Trusteer team, the actors behind Ursnif have now incorporated ‘Cerberus’ into their activities, which is a trojan whose code was publicly leaked back in September 2020, following a failed auction attempt. Reportedly, Cerberus is used for obtaining two-factor authentication codes in real-time during the attack, while it can also be used to steal the lock-screen code and take control of the device remotely.

As IBM points out, Ursnif is probably the oldest banking trojan in existence right now, while its activity has been mostly focused in Italy. Typically, it is being delivered via email to business addresses, using attached documents with malicious macros. From there, web injection takes over, urging the targets to download a supposed security app – which is basically a trojan app for the mobile. This step is carried out through a QR code that contains a base64-encoded string.

Source: Security Intelligence

In all cases, the links used at this step are typo-squat domains that resemble Google Play and could easily trick careless users. Examples given by IBM are the following:

  • google.servlce.store
  • gooogle.services
  • goooogle.services
  • play.google.servlce.store
  • play.gooogle.services
  • play.goooogle.services

These URLs fetch Cerberus on the mobile, whereas Ursnif is planted on the desktop. As such, the actors have a complete infection with the combination of the two tools, although the main action remains a job for Ursnif. On that front, the malware hooks the desktop internet browser and dynamically manipulates the web pages served to the target.

One of the key actions of Ursnif is the automatic replacement of the transaction-receiving IBAN with one under their control. Notably, the actors have set a parameter that activates this swap only if the account’s balance is higher than €3,000.

Source: Security Intelligence

Finally, it is worth noting that the injections are very adaptive, and depending on the victim and the bank service that is spoofed, the actors are differentiating their approach. The actors have thought of everything, including security challenges, login timeouts, and even set up a phony maintenance notice to prevent the victim from accessing the real service portal.

Source: Security Intelligence

All in all, you should avoid downloading apps from outside the Play Store, refrain from clicking on URLs inside SMS or email messages, and keep your phone secured from malware with the use of an AV tool from a trusty vendor. If you receive messages that claim to be from your bank asking you to take any action, stay calm and access the bank’s platform independently.

REVIEW OVERVIEW

Latest

Intel Revises Manufacturing Process Development Roadmap and it Looks Promising

Intel declares ready to leave the ear of massive delays behind and finally get back on track.The American chipmaker promises to release...

Kazakhstan Blocks LinkedIn Over Illegal Casino Advertisements and Fake Accounts

Kazakhstan says LinkedIn violated its online advertisement rules and posted casino ads on the platform.For this reason and also for the existence...

Monero Bug May Have Exposed the Privacy of Transactions for a Small Number of Users

Monero transactions could be de-obfuscated thanks to a nasty bug in the decoy algorithm.The flaw affects transactions made quickly after a user...