Ursnif banking Trojan loves New Zealand and Australia as its targets

24 Jan 2018

The Ursnif banking Trojan seems to love Australia and New Zealand, based on findings that show its ‘disproportionate prevalence’ in the two countries.

Researchers from Proofpoint called out the phenomenon in 2016. To follow up, the researchers have spent the last three months observing the Trojan’s movements.

Ursnif, or Gozi-ISFB, uses stealth techniques to infect machines and steal information including banking credentials and profiles of infected PCs.

Researchers say the Trojan has been heavily distributed in campaigns against Australian users, masquerading under genuine brand names including Tax Store Australia and Xero.

Tax Store Australia is described as a network of accounting and tax professionals. Cybercriminals have used the brand to distribute the Ursnif Trojan, probably because it is a recognisable and compelling brand.

New Zealand-based accounting software firm Xero has also been targeted by Ursnif.

“While Proofpoint can only speculate as to why Ursnif appears more frequently in campaigns than other malware strains, banking Trojans must necessarily be configured for specific banks, businesses, etc., with web injects targeting users of these organisations.”

Attackers may use one particular banking Trojan affiliate ID for one region so they don’t have to reconfigure for targets in other regions. This also allows attackers to maximise returns, researchers explain.

They suspect that a threat actor by the name of TA543, otherwise known as Sagrid, is behind many of the attacks.

The threat actor has been known to abuse email services such as Mailchimp, Sendgrid and Constant Contact to send large volumes of spam. TA543 has also apparently used Microsoft SharePoint to host malware.

Ursnif is not the only malware thought to be targeting Australian users. The Locky ransomware and Trick banking Trojan have also been spotted, while other credential-stealing malware such as CoreBot and Zloader were used on occasion.

Researchers say the CoreBot malware is sophisticated in its ability to steal information and conduct man-in-the-middle attacks, but it is still under development. It has not reached the heights of other banking Trojans, but it has been used against Australian financial organisations in Q4 2017.

Zloader is a banking malware that targets Windows machines. It was also used against Australia and other regions and included an Android malware variant in the same spam email.

“Threat actors tend to follow the money, so if more lucrative options become available, it is likely that they will look to other malware strains. For now, they appear to be following a pattern Proofpoint has observed in other regions with banking Trojans like Dridex in which actors engage in extended distribution in a region before switching to other types of malware,” researchers explain.

They suggest that email defence and protection at the network’s edge are essential as part of a layered strategy to stop attacks like Ursnif.

End user training should also help people to identify social engineering and malicious email. It can also help to stop them clicking links or opening documents that can lead to infection.
