Delaware, USA – October 27, 2017 – Researchers from IBM X-Force shared information about a campaign using a new modification of the banking Trojan Ursnif (Gozi). This September, adversaries started a campaign that targeted financial institutions in Japan. Ursnif is distributed not only through malicious email attachments but also through malvertising via the Rig exploit kit. Currently, this banking Trojan is one of the most prolific in the world; its various modifications are used mostly against banks in Europe and the US. The latest version of Ursnif can evade sandboxes: attackers use macros to determine whether the malware is executing in a sandbox. This Trojan also uses macros to execute PowerShell scripts only after the malicious document is closed. Furthermore, researchers reported on another targeted campaign in which adversaries leverage this Trojan against Australian banks.
One of the distinguishing features of this malware is its use of the Tor network to communicate with C&C servers. Tor usage often indicates malicious activity and also violates most security policies, so any connection to this network should be investigated. Using the DetectTor use case with your SIEM tool, you will be able to detect any connections to this anonymous network with 100% accuracy and prevent malicious activity before severe damage is caused.
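The kind of Tor-connection check such a use case runs over firewall logs, as an added example that is neither the article's own code nor the DetectTor use case; the log format, relay list, internal ranges and log lines are all constructed assumptions:

```python
# Added example, not code from the article or from the DetectTor use case:
# flag outbound connections to the Tor network in firewall logs. Assumes a
# "timestamp src:port -> dst:port action" log format; the relay IPs and the
# log lines are constructed (a real deployment loads relays from a feed).
import ipaddress
import re

# Ports Tor relays commonly listen on: OR port 9001, directory port 9030,
# plus the default client SOCKS ports 9050/9150 if traffic is proxied out.
TOR_PORTS = {9001, 9030, 9050, 9150}
# Constructed relay list (TEST-NET addresses); replace with a live feed.
KNOWN_TOR_RELAYS = {"198.51.100.7", "203.0.113.42"}
# The organisation's own ranges; Tor ports here are more likely a local proxy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

def classify(line):
    """Return an alert dict for a Tor-looking connection, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable lines are skipped, never matched by accident
    dst, dport = m["dst"], int(m["dport"])
    external = not any(ipaddress.ip_address(dst) in n for n in INTERNAL_NETS)
    if dst in KNOWN_TOR_RELAYS:  # any port: relays often listen on 443
        reason = "known_tor_relay"
    elif dport in TOR_PORTS and external:
        reason = "tor_port_to_external_host"
    else:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": dst,
            "dport": dport, "reason": reason}

def detect_tor(lines):
    """Run classify over a log feed and keep only the hits."""
    return [a for a in map(classify, lines) if a is not None]

# Constructed sample lines: known relay on 443, unknown host on the OR port,
# an internal SOCKS proxy, ordinary HTTPS, and a malformed line.
SAMPLE_LOGS = [
    "2017-10-27T09:01:12Z 10.0.0.15:51234 -> 198.51.100.7:443 ALLOW",
    "2017-10-27T09:01:13Z 10.0.0.15:51235 -> 192.0.2.9:9001 ALLOW",
    "2017-10-27T09:02:00Z 10.0.0.22:51300 -> 10.0.0.5:9050 ALLOW",
    "2017-10-27T09:02:30Z 10.0.0.22:51301 -> 192.0.2.50:443 ALLOW",
    "malformed line",
]
```

Port-only matches are a weaker signal than a relay-list hit, since relays frequently listen on 443; in a SIEM the two reasons would carry different severities.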