Ursnif and Android APPs
In recent weeks, an Ursnif malware campaign has been detected targeting Italian users who utilize online banking services.
Once the victim’s computer is infected, Ursnif waits for the user to connect to their online banking site and, through a web injection, notifies the user that they will no longer be able to use the service unless they download a security app.
This app can be downloaded by scanning the QR code displayed on the page.
When the user scans the QR code with their mobile device, a web browser opens containing a fake Google Play page displaying a logo corresponding to the banking app of the bank the victim originally attempted to access.
The addresses used to host the fake Google Play page exploit typo-squatting to appear legitimate to the user:
- google.servlce.store
- gooogle.services
- goooogle.services
- play.google.servlce.store
- play.gooogle.services
- play.goooogle.services
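The six hosts above differ from the brand they imitate by one or two characters. The following is an added example, not code from the original report, showing how a defender can flag such look-alike hosts in a proxy log by edit distance to the brand label; the log lines are constructed, and the assumption that only google.com is a legitimate registered domain is the example's own.

```python
from urllib.parse import urlsplit
from typing import List, Optional, Tuple

BRAND = "google"
LEGIT_DOMAINS = {"google.com"}   # assumption for this example
MAX_DISTANCE = 2                 # tolerates "gooogle" (1) and "goooogle" (2)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels; a real deployment would consult the public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def typosquat_score(host: str) -> Optional[Tuple[str, int]]:
    """Return (label, distance) for the label closest to the brand when the host
    looks like the brand but is not under a legitimate registered domain."""
    host = host.lower().rstrip(".")
    if registered_domain(host) in LEGIT_DOMAINS:
        return None
    best = None
    for label in host.split("."):
        d = edit_distance(label, BRAND)
        if d <= MAX_DISTANCE and (best is None or d < best[1]):
            best = (label, d)
    return best


def flag_proxy_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Lines are '<client> <method> <url>'; returns (host, label, distance) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or ""
        score = typosquat_score(host)
        if score:
            hits.append((host, score[0], score[1]))
    return hits


# Constructed sample log: the report's fake hosts mixed with legitimate traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET https://play.google.com/store/apps/details?id=it.phoenixspa.inbank",
    "10.0.0.5 GET https://play.gooogle.services/store/apps/details.php?id=com.paypal.android.p2pmobile",
    "10.0.0.7 GET https://www.googleapis.com/oauth2/v1/certs",
    "10.0.0.9 GET https://google.servlce.store/",
    "10.0.0.9 GET https://goooogle.services/",
]
```

Note that google.servlce.store is caught even though its "google" label is an exact match: the registered domain is what decides legitimacy.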
The downloaded app is actually Cerberus, which takes into account the name of the bank the victim attempted to log in to, so that the information it displays remains consistent with the injection.
In the background, the injection associates the phone number entered by the victim with the Ursnif ID assigned to the infected computer, the bank name, and the credentials used by the victim to log in.
Cerberus is used solely as a component to bypass SMS verification codes. The fraudulent transaction itself occurs through the infected computers.
Communication with C2 Servers
Communications with command and control (C2) servers occur through the Jambo script, which communicates with srv_dom, the malware injection server used to manage man-in-the-browser activity. Managed Detection and Response capabilities enable detection of such C2 communications through behavioral analysis and network traffic inspection.
The following commands are used during infection:
| Command | Description |
|---|---|
| ADD_INFO | Send data to C2: token, SMS content, telephone, download an application. |
| ASK | Send communication to the C2. |
| GET_DROP | Check account balance on the victim’s bank account. |
| GOOD_TRF | Attempt to initiate a money transfer transaction. |
| LOGIN | Send victim’s login information to attacker’s C2 server. |
| PING | Check if the infected machine is currently online. |
IBAN Substitution
Ursnif seeks to automate transactions originating from the browser. To accomplish this, it replaces the IBAN and BIC of a legitimate transaction with the IBAN of an account controlled by the attacker.
To start the fraudulent transaction, Ursnif needs the victim to trigger a function by clicking. It therefore replaces the login button on the original banking page with its own button, which calls the “hookPay()” function.
The IBAN substitution itself is carried out by the “makeTrf” function. The amount is set only if the user’s balance exceeds 3 000 €.
Injections Adapted Based on Security Challenge
Web injections have been adapted based on the security challenge adopted by each target; for example, an injection is executed to instruct the victim to enter the number displayed on the physical token.
Alternatively, the victim is asked to enter the code sent via SMS within 90 seconds.
A loading GIF is then displayed to the victim.
Finally, a maintenance notice is shown so that the victim cannot interfere: it prevents them from accessing their account from the infected device while the transaction completes.
IOCs