Avast reported on Tuesday that the Ursnif Trojan has been used in attacks against at least 100 banks in Italy, leading to the loss of credentials and financial data.
The antivirus company says cybercriminals have a keen interest in Italian targets with at least 1,700 credentials stolen from a single payment processor.
Based on information gathered by the researchers, the cybersecurity firm said on Tuesday that the Ursnif Trojan has targeted at least 100 banks. Among the targets was CERTF in Italy, a financial services data exchange belonging to the Bank of Italy and the Italian Banking Association.
Avast says usernames, passwords, and credit card and other payment information have been harvested by the attackers using the Ursnif Trojan.
Ursnif was first used in the wild in 2007 as a simple banking Trojan. Subsequently, its code was leaked on GitHub and has since been upgraded by other malware authors. Now it's more sophisticated and has also been spotted as part of the Gozi banking malware.
Ursnif is used to steal financial data and account credentials and is usually spread in phishing emails, often as invoice requests.
Ursnif is known to be used by Russia-linked hackers. In one campaign in 2020 analyzed by the cyber defense company Darktrace, the malware was used in an attack against a US bank. Attackers sent a phishing email to an employee who opened an infected attachment and downloaded an executable file with a benign .cab extension.
This file communicated with command-and-control (C2) servers registered in Russia, but they were registered a day prior to the launch of the campaign, so the attackers' IPs were not blacklisted at the time of infection.
Darktrace also spotted the malware in attacks against organizations in the US and Italy.
Avast has alerted Italian banks about its findings.