Delaware, USA – November 30, 2017 – Researchers from IBM X-Force have discovered a new version of the Ursnif banking trojan (also known as Gozi). Although this version is built on the code that was leaked in 2010, it differs significantly from the other trojans of this family, which suggests that a new threat actor is behind the attack. The first samples of Ursnif v3 reached researchers in August; at that time the trojan was not yet finished: it lacked full functionality and was simply being tested by the attackers. In November, the threat actor launched a full-fledged attack with Ursnif v3 targeting companies and corporate clients of small banks and credit societies in Australia. The trojan redirects victims to websites hosted on the adversaries’ servers and uses web injection to steal the personal information it needs.
The threat actor behind this attack tries not to attract excessive attention, but its operations are very effective. Work on upgrading and extending the trojan’s capabilities continues, and it is likely that Australia has become a testing ground for the new group. Redirection attacks are difficult to prevent, but the malware installation process can be detected with your SIEM, even when the antivirus did not react to the malicious activity. APT Framework for ArcSight, QRadar and Splunk leverages the Cyber Kill Chain methodology and allows your SIEM to detect suspicious activity caused by sophisticated malware.