Malware researchers from Palo Alto Networks are monitoring the diffusion of the Ursnif banking Trojan worldwide and have identified the architecture used to spread it.
The Ursnif Trojan is spread via spam emails that contain malicious attachments that are used to download and execute the malware. In this attack scenario, the researchers have focused their investigation on the spam botnet used to send the malicious emails and the network compromised web servers used to host the malicious code.
Below the key findings of the distribution infrastructure.
The experts discovered that crooks copied their malicious files on multiple servers making their infrastructure redundant, more than 200 such files were discovered on 74 different servers used between April 2015 and January 2017. Most were compromised personal or small-to-medium-sized business websites in Europe, which haven’t been maintained for years.
The researcher discovered that in 2016, the attackers mostly targeted the Japanese users with the Shiotob (a.k.a Bebloh or URLZone) malware. The researchers detected 75 unique variants in 7 million spam emails. The malware was used to steal banking credentials and to download a secondary payload, including the Ursnif banking trojan.
An analysis of 200 unique Japanese IP addresses that were spamming Shiotob revealed 250 unique malware samples being sent among 268,000 emails.
In is interesting to note that threat actors behind the spam campaigns were also able to tailor their attacks depending on the specific country.
[The following graph is] “the breakdown of malware found on the web servers and where the malware downloaded from based on our telemetry (Table 2). The results correspond to the analysis of targets and malware by SPAM in the previous section.”
The unique element still not clear is related to threat actor behind the campaign, is is a single group or several gangs sharing the same infrastructure?
(Security Affairs – Ursnif Banking Trojan, cybercrime)