Avast researchers warn that the well-known banking Trojan Ursnif has attacked users of banks in Italy and around the world. For several years now, it has been spreading through phishing emails written in different languages.
Unlike other bankers, Ursnif is installed on the victim’s device only after the backdoor has been downloaded, which allows attackers to bypass the usual defence mechanisms and gain a high level of access to the system, network, or programs.
Ursnif is a so-called “fileless malware”, that is, it leaves almost no traces on the system.
Since Ursnif is installed after the backdoor and must receive information through the C&C server to activate, it can go unnoticed for hours until it eventually starts malicious activity.
Ursnif is not only capable of stealing banking data; it can also access some of the victim’s emails and browsers, as well as reach the victim’s cryptocurrency wallet.
“The mechanisms for bypassing security tools have been made quite ingeniously. This can be a particularly effective tactic against devices that do not have enhanced security levels, such as detecting suspicious behaviour. These attacks prove once again that humans are the weakest link in the system. It should be remembered that it is dangerous to open emails with attachments from unknown senders and click on links. If the user has already made a mistake and opened the letter, only disabling the macro in the document will help,” said Michal Salat, Director of Threat Research at Avast.
During the analysis, Avast researchers found bank details, billing information, usernames, passwords and credit card details, which, as it turned out, were stolen by Ursnif operators.
The researchers report that Italian banks have been the main target of Ursnif lately: cybercriminals attacked users of more than 100 banks and stole more than 1,700 credentials from just one payment operator.
Avast experts have already notified the banks and payment services they were able to identify about the attacks, and have also informed the Italian CERTFin and the government services that process financial information about what is happening.
Let me also remind you that an IS specialist told how hackers earned $34 million using the Trickbot malware.