Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy
The lead researcher on this post was X-Force’s Itzik Chimino. Contributed to this research: Segev Fogel, Amir Gendler and Nethanella Messer.
---
IBM Trusteer researchers continually monitor evolving attack tactics in the banking sector. In a recent analysis, our team found that an Ursnif (aka Gozi) banking Trojan variant is being used in the wild to target online banking users in Italy with mobile malware. Beyond the Ursnif infection on the victim's desktop, the malware tricks victims into fetching a mobile app from a fake Google Play page and infects their mobile device with the Cerberus Android malware.
The Cerberus component of the attack is used by Ursnif's operators to receive the two-factor authentication codes that banks send to their users when account updates and money transfers are being confirmed in real time. Cerberus also has other features: it can capture the device's lock-screen code and give the attacker remote control of the device.
Cerberus is an overlay-type mobile malware that emerged in mid-2019 but initially lacked advanced capabilities. It evolved over time to feature the ability to hijack SMS content and control devices remotely, alongside other sophisticated data theft features. Cerberus was peddled in the underground as commodity malware until the summer of 2020, taking over the market share of Anubis, a previous pay-per-use malware.
In September 2020, Cerberus' development team decided to disband, spurring an auction attempt that aimed to sell the source code to the highest bidder, starting at $100,000. The code did not sell but was instead shared with the malware's customer base, which meant it was publicly leaked. That intentional release of the source code gave rise to numerous malware campaigns involving Cerberus and likely also led to this combined attack with the Ursnif banking Trojan.
A Combination Attack From Desktop to Smartphone
Ursnif is a very long-standing staple of the cybercrime arena, possibly the oldest banking Trojan still active today. Recent campaigns featuring this malware have been most notable in Italy, where it is typically delivered to business email recipients in attachments that purport to carry invoices, delivery notices or other business correspondence. The infection chain commonly relies on malicious macros embedded in the productivity file formats most organizations use, which helps the lures get past email controls. In some campaigns, the attackers limit access to the malware distribution infrastructure to Italian IP addresses only.
Once infected with Ursnif and upon attempting to access their online banking account, victims are told, via web injection, that they will not be able to keep using their bank's services without downloading a security app. To obtain that app, they are shown a QR code and instructed to scan it with their phone's camera.
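The lure hinges on the QR code resolving to a page that looks like Google Play but is not. As an added example (not code from the article or from IBM Trusteer), the following Python function classifies a URL decoded from a QR code, accepting only the official store form https://play.google.com/store/apps/details?id=... or a market:// deep link, and flagging the host-spoofing tricks a lookalike page typically relies on (subdomain spoofs, userinfo before an @, bare IP hosts, punycode labels, direct .apk downloads). The official host and path, the brand tokens, and every sample URL below are assumptions constructed for illustration, not campaign indicators.

```python
"""Classify a URL decoded from a QR code: official Google Play, store deep
link, lookalike, or untrusted. Added example; the host/path constants and
sample URLs are assumptions constructed for illustration."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

OFFICIAL_HOST = "play.google.com"          # assumed legitimate store host
OFFICIAL_PATH = "/store/apps/details"      # assumed legitimate listing path
BRAND_TOKENS = ("google", "play", "android")  # words lookalikes reuse


def _is_ip(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_store_url(url: str) -> dict:
    """Return {'verdict', 'host', 'package', 'reasons'} for a decoded QR URL.

    verdict is 'official', 'market', 'lookalike' or 'untrusted'.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    package = parse_qs(parts.query).get("id", [""])[0]
    reasons = []

    # market://details?id=<pkg> opens the installed store app directly.
    if scheme == "market":
        verdict = "market" if package else "untrusted"
        if verdict == "untrusted":
            reasons.append("market deep link without a package id")
        return {"verdict": verdict, "host": host, "package": package,
                "reasons": reasons}

    # Generic red flags, independent of which host the URL names.
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host")
    if scheme != "https":
        reasons.append(f"scheme is {scheme or 'missing'}, not https")
    if _is_ip(host):
        reasons.append("host is a bare IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label in host")
    if parts.path.lower().endswith(".apk"):
        reasons.append("direct APK download (sideloading)")
    try:
        if parts.port not in (None, 443):
            reasons.append(f"non-standard port {parts.port}")
    except ValueError:
        reasons.append("malformed port")

    if host == OFFICIAL_HOST and not reasons:
        if parts.path == OFFICIAL_PATH and package:
            verdict = "official"
        else:
            reasons.append("official host but unexpected path or missing id")
            verdict = "untrusted"
    elif host != OFFICIAL_HOST:
        reasons.append(f"host {host!r} is not {OFFICIAL_HOST}")
        # A host (or spoofed userinfo) that borrows the brand is a lookalike.
        spoof_text = host + " " + (parts.username or "").lower()
        verdict = ("lookalike" if any(t in spoof_text for t in BRAND_TOKENS)
                   else "untrusted")
    else:
        verdict = "untrusted"   # official host, but a red flag fired

    return {"verdict": verdict, "host": host, "package": package,
            "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs, not real indicators.
    for sample in (
        "https://play.google.com/store/apps/details?id=com.example.bank",
        "market://details?id=com.example.bank",
        "https://play.google.com.example.net/store/apps/details?id=com.example.bank",
        "https://play.google.com@198.51.100.7/store/apps/details?id=com.example.bank",
        "http://play.google.com/store/apps/details?id=com.example.bank",
        "https://cdn.example.net/security-app.apk",
    ):
        r = classify_store_url(sample)
        print(f"{r['verdict']:10} {sample}")
        for reason in r["reasons"]:
            print(f"           - {reason}")
```

The ordering matters: the host comparison is done on `parts.hostname`, which is the authority the browser will actually connect to, so a URL such as `https://play.google.com@198.51.100.7/...` is judged by the IP, not by the brand name in front of the `@`. Treating a brand token in the userinfo or in a non-official host as a lookalike, rather than merely untrusted, lets a verdict be escalated to a user-facing warning ("this is not Google Play") instead of a silent block.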