- Ursnif is targeting 100 banks and financial institutions in Italy and has stolen thousands of credentials.
- The particular banking trojan is a classic choice for cybercriminals and has been for over a decade now.
- It usually arrives via loaders that are fetched through macros hiding in document attachments.
The Ursnif banking trojan appears to have gone rampant in Italy, as Avast Threat Labs researchers claim that they hold evidence of over 100 banks in Italy having some level of compromise or targeting. Reportedly, the malicious actors behind Ursnif have managed to steal over 1,700 credentials belonging to just one of the compromised payment processors, so the total damage is thought to be many times larger. And to make matters worse, in the vast majority of the cases, the compromised individuals don’t realize the damage before it’s already too late.
Avast has collected and analyzed information which includes victim usernames, passwords, credit card details, banking information, and payment information. This data is stolen by Ursnif in relevant campaigns, which are oftentimes localized. The things that the particular malware can do include the following:
- Exfiltrate computer data, including the computer name, system locale, operating system (OS) version, and running processes.
- Exfiltrate user credentials, financial and banking information.
- Record keystrokes and take screenshots from the user’s monitor.
- Communicate with the C2 server to fetch additional malware components.
- Execute backdoor commands remotely.
What’s so interesting about Ursnif is that it is one of the oldest banking trojans out there, and yet it remains a serious menace. It first appeared in the wild in 2007 and evolved greatly in the years that followed. The enrichment of its functionality kept it alive and popular in the underground cybercrime community, and in 2015, its source code leaked. This turned the malware into a commodity tool, as everyone could grab the code and fork it to create something specialized and, most importantly, free.
The researchers at Avast have gathered all the information they could for the recent attack wave in Italy and shared it with the law enforcement authorities in the country, as well as with CERT Finanziario Italiano. Hopefully, they will act as a point of contact and a coordination force for the local financial sector to identify the signs of compromise and manage the threat effectively.
To stay safe from the Ursnif threat, do not open attachments that arrive via unsolicited emails that urgently call for your attention. Also, keep your system and software up to date, and use a complete internet security solution from a reputable vendor. Finally, keep the macros on your Office suite disabled unless you really need them for your work. If a strange file asks you to “enable content” to view it, don’t do it.
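Because Ursnif's loaders ride in on macro-bearing documents that ask the victim to "enable content", a mail gateway or incident responder can triage inbound attachments by first asking whether the file contains a VBA project at all. The following script is an added example written for this article, not code from Avast or from the article itself; it assumes only the Python standard library and uses constructed, minimal OOXML-shaped archives (not real Word files) as sample input. Modern Office formats (.docm, .xlsm, and mislabelled .docx) are ZIP archives in which a macro project is stored as a `vbaProject.bin` part and declared in `[Content_Types].xml`; legacy binary .doc/.xls files are OLE compound documents, which the script only flags for deeper inspection with a dedicated parser.

```python
"""Flag Office attachments that carry VBA macros (defensive triage helper).

Classification returned by classify_attachment():
  'ooxml-macro'  - ZIP-based Office file that declares or contains a VBA project
  'ooxml-clean'  - ZIP-based Office file with no VBA project part
  'ole-legacy'   - binary .doc/.xls (OLE); needs an OLE parser to inspect macros
  'not-office'   - neither an OLE file nor a readable ZIP archive
"""
import io
import zipfile

# Magic header of an OLE compound file (legacy .doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office assigns to a VBA project part inside an OOXML package.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes; see the module docstring for verdicts."""
    if data.startswith(OLE_MAGIC):
        # Binary format: macros live in OLE storages, so hand off to an OLE parser.
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Primary check: any part named vbaProject.bin, in any folder, any case.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Secondary check: the package manifest must declare a VBA part for
            # Office to load it, even if the archive entry itself was renamed.
            if "[Content_Types].xml" in names:
                if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped archive, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = (
            b'<?xml version="1.0"?>'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Default Extension="xml" ContentType="application/xml"/>'
        )
        if with_macro:
            types += (
                b'<Override PartName="/word/vbaProject.bin" '
                b'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        types += b"</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(f"{label:6s} -> {classify_attachment(sample)}")
```

A verdict of `ooxml-macro` on an attachment from an unsolicited sender is exactly the case the advice above covers: quarantine it rather than let a user click "enable content". The `ole-legacy` verdict is deliberately conservative, since the legacy binary format cannot be judged safe without parsing its OLE streams.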