A new improved version of the infamous Ursnif banking Trojan leverages Necurs botnet infrastructure targets Italian companies. The malware primarily targets the financial sector and it was detected first in year 2009.
Email Message and Infection – Ursnif Banking Trojan
The Email was written in incorrect Italian language and the documents appeared to be created from an older version of Microsoft Office that asks user’s to enable the macros.
The infection starts once the user enabled the macro’s, which launches a malicious script that downloads and executes the payload from the C&C server.
“The Ursnif banking Trojan can operate without being noticed by both the user and the Operating System because it is capable to inject its malicious code into the “explorer.exe” process, which is one the most important processes in the Microsoft’s OS.”
With the new variant of Ursnif different domains and different macros spotted, at the time of analysis researchers spotted most of the domain’s went offline.
All the domain’s appeared to be registered under the same Email [whois-protect[@]hotmail[.]com], “Investigating on the email address, we discovered that it was used to register about 1000 different domains.” researchers said.
Necurs botnet is one of the largest Malspam threat that distributes by cybercriminals to deliver various dangerous malware and ransomware based highly potential threats.
It also responsible for various ransomware attack operation like JAFF Ransomware, Scarab Ransomware, banking trojan Trickbot, and it played the biggest role of Locky Ransomware distribution with 23 million emails in just 24 hours.
This is the first time Ursnif campaign uses the Necurs botnet infrastructure, CSE CyberSec Enterprise published a full analysis report along with IOCs associated with the incident.
Comments
Post a Comment