The Ursnif banking Trojan seems to love Australia and New Zealand, based on findings that show its ‘disproportionate prevalence’ in the two countries.
Researchers from Proofpoint called out the phenomenon in 2016. To follow up, the researchers have spent the last three months observing the Trojan's movements.
Ursnif, or Gozi-ISFB, uses stealth techniques to infect machines and steal information including banking credentials and profiles of infected PCs.
Researchers say the Trojan has been heavily distributed in campaigns against Australian users, masquerading under genuine brand names including Tax Store Australia and Xero.
Tax Store Australia is described as a network of accounting and tax professionals. Cybercriminals have used the brand to distribute the Ursnif Trojan, probably because it is a recognisable and compelling brand.
New Zealand-based accounting software firm Xero has also been targeted by Ursnif.
“While Proofpoint can only speculate as to why Ursnif appears more frequently in campaigns than other malware strains, banking Trojans must necessarily be configured for specific banks, businesses, etc., with web injects targeting users of these organisations.”
Attackers may use one particular banking Trojan affiliate ID for one region so they don't have to reconfigure for targets in other regions. This also allows attackers to maximise returns, researchers explain.
They suspect that a threat actor by the name of TA543, otherwise known as Sagrid, is behind many of the attacks.
The threat actor has been known to abuse email services such as Mailchimp, Sendgrid and Constant Contact to send large volumes of spam. TA543 has also apparently used Microsoft SharePoint to host malware.
Ursnif is not the only malware thought to be targeting Australian users. The Locky ransomware and Trick banking Trojan have also been spotted, while other credential-stealing malware such as CoreBot and Zloader were used on occasion.
Researchers say the CoreBot malware is sophisticated in its ability to steal information and conduct man-in-the-middle attacks, but it is still under development. It has not reached the heights of other banking Trojans, but it has been used against Australian financial organisations in Q4 2017.
Zloader is a banking malware that targets Windows machines. It has also been used against Australia and other regions, with an Android malware variant delivered in the same spam email.
“Threat actors tend to follow the money, so if more lucrative options become available, it is likely that they will look to other malware strains. For now, they appear to be following a pattern Proofpoint has observed in other regions with banking Trojans like Dridex in which actors engage in extended distribution in a region before switching to other types of malware,” researchers explain.
They suggest that email defence and protection at the network's edge are essential as part of a layered strategy to stop attacks like Ursnif.
End-user training should also help people identify social engineering and malicious email, and stop them from clicking links or opening documents that can lead to infection.