
Ursnif banking Trojan loves New Zealand and Australia as its targets

24 Jan 18

The Ursnif banking Trojan seems to love Australia and New Zealand, based on findings that show its ‘disproportionate prevalence’ in the two countries.

Researchers from Proofpoint called out the phenomenon in 2016. To follow up, the researchers have spent the last three months observing the Trojan’s movements.

Ursnif, or Gozi-ISFB, uses stealth techniques to infect machines and steal information including banking credentials and profiles of infected PCs.

Researchers say the Trojan has been heavily distributed in campaigns against Australian users, masquerading under genuine brand names including Tax Store Australia and Xero.

Tax Store Australia is described as a network of accounting and tax professionals. Cybercriminals have used the brand to distribute the Ursnif Trojan, probably because it is a recognisable and compelling brand.

New Zealand-based accounting software firm Xero has also been targeted by Ursnif.

“While Proofpoint can only speculate as to why Ursnif appears more frequently in campaigns than other malware strains, banking Trojans must necessarily be configured for specific banks, businesses, etc., with web injects targeting users of these organisations.” 

Attackers may use one particular banking Trojan affiliate ID for one region so they don’t have to reconfigure for targets in other regions. This also allows attackers to maximise returns, researchers explain.

They suspect that a threat actor by the name of TA543, otherwise known as Sagrid, is behind many of the attacks.

The threat actor has been known to abuse email services such as Mailchimp, Sendgrid and Constant Contact to send large volumes of spam. TA543 has also apparently used Microsoft SharePoint to host malware.

Ursnif is not the only malware thought to be targeting Australian users. The Locky ransomware and Trick banking Trojan have also been spotted, while other credential-stealing malware such as CoreBot and Zloader were used on occasion.

Researchers say the CoreBot malware is sophisticated in its ability to steal information and conduct man-in-the-middle attacks, but it is still under development. It has not reached the heights of other banking Trojans, but it has been used against Australian financial organisations in Q4 2017.

Zloader is a banking malware that targets Windows machines. It was also used against Australia and other regions and included an Android malware variant in the same spam email.

“Threat actors tend to follow the money, so if more lucrative options become available, it is likely that they will look to other malware strains. For now, they appear to be following a pattern Proofpoint has observed in other regions with banking Trojans like Dridex in which actors engage in extended distribution in a region before switching to other types of malware,” researchers explain.

They suggest that email defence and protection at the network’s edge are essential as part of a layered strategy to stop attacks like Ursnif.

End user training should also help people to identify social engineering and malicious email. It can also help to stop them from clicking links or opening documents that can lead to infection.
