Pierluigi Paganini February 20, 2017

The security experts at Palo Alto Networks published a detailed analysis of the architecture used to spread the Ursnif banking Trojan worldwide.

Malware researchers from Palo Alto Networks are monitoring the diffusion of the Ursnif banking Trojan worldwide and have identified the architecture used to spread it.

The Ursnif Trojan is spread via spam emails that contain malicious attachments that are used to download and execute the malware. In this attack scenario, the researchers have focused their investigation on the spam botnet used to send the malicious emails and the network compromised web servers used to host the malicious code.

Below the key findings of the distribution infrastructure.

• The spam botnet focuses on delivering Banking Trojans or Downloader Trojans to Japan, Italy, Spain, Poland, Australia, and Germany.
• Compromised web servers host Banking Trojans and spam bot files that are download by malicious downloader program distributed by spam.

The experts discovered that crooks copied their malicious files on multiple servers making their infrastructure redundant, more than 200 such files were discovered on 74 different servers used between April 2015 and January 2017. Most were compromised personal or small-to-medium-sized business websites in Europe, which haven’t been maintained for years.

The researcher discovered that in 2016, the attackers mostly targeted the Japanese users with the  Shiotob (a.k.a Bebloh or URLZone) malware. The researchers detected 75 unique variants in 7 million spam emails. The malware was used to steal banking credentials and to download a secondary payload, including the Ursnif banking trojan.

“Using our threat intelligence platform AutoFocus, Palo Alto Networks observed millions of e-mails sent to Japanese targets throughout 2016. Most of the emails were written in Japanese (see example in Figure 1). The latest attachment we’ve seen, detected in January 2017, is a JavaScript downloader that simply downloads Ursnif from a remote site and executes it on compromised machine.” reads the analysis published by the PaloAlto Networks.

An analysis of 200 unique Japanese IP addresses that were spamming Shiotob revealed 250 unique malware samples being sent among 268,000 emails.

In is interesting to note that threat actors behind the spam campaigns were also able to tailor their attacks depending on the specific country.

The Ursnif banking trojan and Shiotob were delivered in Australia, KINS and Ursnif in Italy; Shiotob and Ursnif in Japan, Ursnif and Tinba in Spain and Poland, and Ursnif and KINS in Germany.

[The following graph is] “the breakdown of malware found on the web servers and where the malware downloaded from based on our telemetry (Table 2). The results correspond to the analysis of targets and malware by SPAM in the previous section.”

The unique element still not clear is related to threat actor behind the campaign, is is a single group or several gangs sharing the same infrastructure?

Pierluigi Paganini

(Security Affairs – Ursnif Banking Trojan, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]