Good News, URSNIF no longer a Banking Trojan. Bad News, it's now a Backdoor

upnorth

URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims' Windows PCs, is evolving to support extortionware.

As one of the oldest banking trojans – dating back to the mid-2000s – the software nasty has a number of variants and has been given a few monikers, including URSNIF, Gozi, and ISFB. It's crossed paths with other malware families, had its source code leaked twice since 2016 and, according to Mandiant, is now less a single malware family than a "set of related siblings." It's also seen its alleged masterminds get hauled into US courts. The last of them was extradited this year from Colombia, where he fled after being released on bail following his arrest in Romania in 2012. Whoever's still behind URSNIF is following the path worn by developers of other malware families, such as Emotet, TrickBot, and Qakbot, which shed their banking-info-stealing pasts to become backdoors on infected machines that can be used by miscreants to deliver ransomware and data-stealing payloads.

In a report this week, Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez wrote that a strain of URSNIF's RM3 version is no longer a banking trojan but a generic backdoor, similar to the short-lived Saigon variant. This backdoor can be used to run ransomware, data exfiltration, and other horrible crap on compromised computers.

URSNIF, in its time as a banking malware, caused a lot of problems for financial services institutions and their customers. Upon extraditing to America Mihai Ionut Paunescu, a 37-year-old Romanian who is accused of creating URSNIF, US law enforcement officials said the malware had infected more than a million Windows computers around the globe, including in the United States. They estimated that it caused tens of millions of dollars in losses to government agencies, organizations, and individuals.
 
