Ursnif Trojan Was Resurrected and Now It Targets Your Passwords

Sometimes certain infections do not disappear for decades. Cyber criminals customize their malicious code and use it to steal information and money over and over again. Today we would like to draw your attention to an old banking Trojan that has been upgraded and is now making the rounds across the cyber world again. Ursnif Trojan is back, and it calls for heightened caution from corporate and individual users because you can never know when this infection could barge into your system. Our main goal with this blog post is to raise your awareness of such dangerous cyber infections.

What is Ursnif Trojan?

You might be wondering why we are talking about a banking Trojan when our main area of expertise is passwords and personal information security. Well, the truth is that this banking Trojan does target your passwords, and so we believe it is our duty to tell you about it, even though regular users may not be too eager to find out how to remove a Trojan virus, because that is something that should be done with a licensed antispyware tool.

Nevertheless, here is some background information about Ursnif Trojan that we believe you should know. According to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), the Ursnif Trojan is one of the most active variants of the Gozi malware. You may also find it filed under the name Dreambot. Normally, this banking Trojan spreads via exploit kits, spam email attachments, and malicious links.

The Trojan itself dates all the way back to 2007, but it did not become widely available until 2010, when the Gozi malware source code was leaked. As a result, any cyber criminals who could get their hands on the code could easily customize it, which led to the emergence of many different banking Trojans. These banking Trojans targeted multiple banks, and the threat is still there, more than 12 years after this malware first reared its nasty head.

The Latest Wave of Ursnif Trojan Infections

The latest bout of infections was spotted by the Cisco Talos Intelligence Group. The group stated on its blog that it began tracking the information stealer when its own exploit prevention engine alerted it to these infections.

The newest variant of this banking Trojan is distributed via phishing emails. This shows that users themselves let this malicious infection into their computers, and only then desperately look for ways to remove a Trojan virus.

These phishing emails come with attached files that look like Microsoft Word documents. Needless to say, it is hard to imagine anything more innocent-looking than a simple MS Word file, and thus users do not sense anything dangerous about it. When the targeted users open this document, they see an image that asks them to enable macros. This is already a big red flag, because enabled macros are routinely exploited by banking Trojans and other malware to infect target computers.

Once enabled, the macros launch obfuscated code that runs several math functions and eventually executes PowerShell. That PowerShell command connects to a remote command and control server and downloads Ursnif onto the target system. As a result, the Trojan gets installed on the target computer. After that, Ursnif starts scouring the system for banking information, login details, and so on.

Since the actual installation file is not distributed via the phishing email itself, the malicious activity is a lot harder to record and track. You might also say that it is easy to avoid getting infected with this banking Trojan, because all you have to do is refrain from opening the malicious MS Word file.

However, if we think for a moment about a corporate system and the number of emails that employees of a big company have to open on a daily basis, it becomes easier to understand how Ursnif manages to enter multiple systems worldwide. If opening attached files is routine, an employee is less likely to pay attention to the suspicious aspects of a newly received email.

Therefore, to avoid racking your brain about how to remove a Trojan virus, it is a lot more efficient to educate your employees about malware prevention. Some security practices also recommend enforcing a password policy.

If you use complex passwords, it is harder for a banking Trojan to crack any password files it finds on your computer. Although this cannot prevent the damage of a malware infection 100%, it can still limit it once your system is compromised. One of the best ways to create and use complex passwords is a password manager, which can generate strong passwords and store them in its password vault. It is also a good idea to employ a firewall to block incoming connections to services that should not be publicly available. You can always go through a checklist of the security measures against banking Trojans on any website that deals with cyber security.

The conclusion is that this banking Trojan favors "fileless" persistence. This makes it hard for antivirus services to spot it in normal Internet traffic. We cannot expect a regular user to invest in security measures that could filter malicious traffic from the usual flow of information. Security experts agree that it is very challenging to stop Ursnif Trojan from getting installed on the target system once the download process has been launched.

If you are running a big network of computer systems, you might want to consult professional technicians for more detailed recommendations. We do understand that smaller companies sometimes do not have the funds to invest in cyber security, but even then you should consider educating your employees about potential cyber threats like this banking Trojan, which can be just a click away. It is a lot better to enforce a number of prevention measures than to scramble for ways to remove a Trojan infection later on.

March 1, 2019
