FortiGuard Labs Threat Research Report

Affected platforms: Microsoft Windows
Impacted parties: Windows Users in Italy
Impact: Collects Victims' Information
Severity level: Critical

Ursnif (also known as Gozi) is identified as a banking Trojan, but its variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.

The Ursnif Trojan has been observed targeting Italy over the past year. A few days ago, FortiGuard Labs detected a phishing campaign in the wild, still targeting Italy, that was spreading a fresh variant of the Ursnif Trojan via an attached MS Word document.

Although Ursnif is identified as a banking Trojan, this latest variant has been unable to download the malicious banking module it needs to steal banking information from the victim because its C2 server has been shut down, so it fails to start the second stage of its attack. As a result, in this post I will share my findings on the first stage of this campaign: what the phishing email looks like, how the MS Word document attached to the email works to download Ursnif, and what this variant does on a victim's device.

Ursnif Phishing Email

Figure 1.1 is a screenshot of the Ursnif phishing email. As you can see, it was written in Italian and masquerades as a payment reminder.

Disclaimer

Fortinet Inc. published this content on 12 January 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 January 2021 17:41:01 UTC