IBM researchers warn about Italian malware distributors that use two malware families – Ursnif and Cerberus – to intercept OTP codes, bypass 2FA, and plant banking Trojans.
According to a report by IBM’s Trusteer team, the Ursnif (aka ‘Gozi’) banking trojan is back in action, with its operators targeting a wide range of banking users in Italy. The actors have now added a Trojan nicknamed Cerberus to their toolset: Cerberus is planted on the victim’s mobile device, while Ursnif runs on the desktop, giving the attackers coverage of both.
Cerberus can obtain two-factor authentication codes in real time and fully hijack the device. As IBM researchers note, the Ursnif banking trojan is probably the oldest known banking worm in existence. It has mostly focused on victims in Italy and is typically delivered via emails to business addresses, in attached documents with macros.
Once the user opens the document and enables macros, web injection begins, and the victim is then urged to download a fake security app. The links used in this step are not Google Play domains; they are typo-squatted domains that could easily trick users into thinking they lead to Google Play.
Of the two Trojans, Ursnif does the main work: it compromises the victim’s desktop internet browser and injects arbitrary code into the web pages served to the target.
One of Ursnif’s key capabilities is automatically replacing the recipient IBAN of a transaction with one controlled by the attackers. This procedure is triggered only if the account has a balance of over €3,000.
The attackers are very adaptive, IBM notes, and modify their approach depending on the situation. For instance, they can display a fake maintenance notice to keep the target from reaching the legitimate site. They also account for login timeouts and security challenges that may be present on the website being spoofed.
IBM researchers advise users not to download apps from outside the Play Store and to be extra careful when clicking on URLs in SMS or email messages. If you receive an email or SMS that claims to be from your bank, stay calm and visit the bank’s website directly via your browser.