Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy

 The lead researcher on this post was X-Force’s Itzik Chimino. Contributed to this research: Segev Fogel, Amir Gendler and Nethanella Messer.

---

IBM Trusteer researchers continually monitor the evolution and attack tactics in the banking sector. In a recent analysis, our team found that an Ursnif (aka Gozi) banking Trojan variant is being used in the wild to target online banking users in Italy with mobile malware. Aside from the Ursnif infection on the victim’s desktop, the malware tricks victims into fetching a mobile app from a fake Google Play page and infects their mobile device with the Cerberus Android malware.

 

The Cerberus malware component of the attack is used by Ursnif’s operators to receive two-factor authentication codes sent by banks to their users when account updates and money transfer transactions are being confirmed in real-time. Cerberus also possesses other features and can enable the attacker to obtain the lock-screen code and remotely control the device.

 

Cerberus is an overlay-type mobile malware that emerged in mid-2019 but initially lacked advanced capabilities. It has evolved over time to eventually feature the ability to hijack SMS content and control devices remotely, alongside other sophisticated data theft features. Cerberus was peddled in the underground as commodity malware until the summer of 2020, taking over the market share of Anubis, a previous pay-per-use malware.

 

In September 2020, Cerberus’ development team decided to disband, spurring an auction attempt that aimed to sell off the source code to the highest bidder, starting at $100,000. The code did not sell but was instead shared with the malware’s customer base, which meant it was publicly leaked. That intentional release of the source code gave rise to numerous malware campaigns involving Cerberus and likely also led to this combined attack with the Ursnif banking Trojan.

 

A Combination Attack From Desktop to Smartphone

Ursnif is a very long-standing staple in the cybercrime arena, possibly the oldest banking Trojan that’s still active today. Recent campaigns featuring this malware have been most notable in Italy, where it is typically delivered to business email recipients in attachments that purport to carry invoices, delivery notices or other business correspondence. The infection chain commonly involves poisoned macros, getting past email controls by featuring productivity files most organizations use. In some campaigns, the attackers keep access to the infection zone limited to Italian-based IP addresses only.

 

Once infected by the Ursnif malware and upon attempting to access their online banking account, victims are advised, via web injection, that they won’t be able to continue to use their bank’s services without downloading a security app. To obtain that app, they are shown a QR code and instructed to scan it with their phone’s camera.

There's more. To continue reading this research, please click here.