Ursnif Trojan Targets Italian Bank Customer DataResearchers Say About 100 Institutions Affected
Payment card information and other data belonging to the customers of at least 100 Italian banks and one payment processor were compromised using the Ursnif banking Trojan, according to Avast Threat Labs.
Avast researchers found usernames, passwords and credit card, banking and payment information that appears to have been stolen from banking customers by the operators of the Ursnif banking Trojan. They did not identify where the information was found. But payment card information is often sold on darknet marketplaces.
"Our research teams have taken this information and shared it with the payment processors and banks we could identify. We've also shared this with financial services information sharing groups such as CERTFin Italy," Avast says, referring to the Italian Financial CERT, which addresses cyber risk in the country's banking industry.
Avast would not say how many individuals' data was exposed but said it found 1,700 records from a single unnamed payment processor.
The Italian Job
Fortinet researcher Xiaopeng Zhang reported in January that Ursnif's operators had been focusing their attention on Italy for about a year.
Avast could not definitively say if the customer data its researchers found was stolen during the operation described by Fortinet or at another time.
Avast would not disclose what information it had passed along to the banks and payment processor other than to say it is sufficient for these organizations to identify and then notify their customers whose data was exposed.
The Ursnif malware, also known as Gozi, is a banking Trojan that over its 14-year life span has been upgraded to deliver backdoors, spyware and file injectors.
Ursnif's Italian operation used a phishing campaign to send emails containing malicious attachments that, if opened, downloaded an information stealer, according to Fortinet. The Ursnif malware is often delivered using the Valak malware loader, the company says (see: Operators Behind Valak Malware Expand Malicious Campaign).
Ursnif collects sensitive information, such as username, computer name and system uptime. This data is formatted into packets and sent to the gang's command-and-control server, according to Avast's security researchers.
The Ursnif Trojan is spyware that monitors traffic using screen capture and keylogging functions and can obtain login credentials stored in browsers and mail applications, security firm Trend Micro noted in a previous report. The malware uses a rootkit component to hide related processes, files and registry information.
Ursnif's creator, Latvian hacker Deniss Calovskis, was extradited from Latvia to the U.S. in 2013 for his role in helping to develop and enhance the Trojan. He pleaded guilty to a single count of conspiracy to commit computer intrusion in September 2015 and was sentenced to time served (see: Analysis: The Impact of Malware Developers' Takedowns).