silversurfer

A new variant of an infamous banking Trojan malware with a history going back over ten years has emerged with new tactics to ensure it's harder to detect. The malware aims to hunt out financial information, usernames, passwords and other sensitive data.

The Ursnif banking Trojan is one of the most popular forms of information-stealing malware targeting Windows PCs and it has existed in one form or another since at least 2007, when its code first emerged in the Gozi banking Trojan.

It has become highly popular in recent years after the source code was leaked to GitHub, allowing cyber criminals across the world to take it and add new features to the malware.

Now researchers at security company Cybereason have uncovered a new, previously undocumented version of Ursnif which applies different, stealthier infection tactics than other campaigns.

This includes what researchers refer to as "last minute persistence" - a means of installing the malicious payload which tries to ensure a lower chance of being uncovered.

"The 'last minute persistence' is a very clever and stealthy mechanism, where the malware will write its persistence key and files just before the system shuts down, so it's not present on the disk for more than a few seconds while the machine is turned on," said Assaf Dahan, senior director of threat hunting at Cybereason.
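The quote above describes the behaviour from the attacker's side; the defender's counterpart is to correlate writes to autostart locations with the shutdown that follows them. The script below is an added example written for this thread, not code from the article or from Cybereason. It parses a few constructed log lines in a simplified "timestamp source event_id key=value ..." format, treats Sysmon event 13 (registry value set) on a Run/RunOnce key and Sysmon event 11 (file create) in a Startup folder as persistence writes, and flags any that land within a lookback window before a Windows System event 1074 (shutdown initiated). The 120-second window, the generic Run-key markers and every path and SID in the sample are assumptions; the thread does not name the key or files the malware actually uses.

```python
"""Flag autostart writes that land just before a shutdown (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Generic autostart locations (lower-cased for matching). The malware's real
# key/file names are not given in the thread, so these are assumptions.
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_DIR_MARKER = "\\start menu\\programs\\startup\\"

# Sysmon event IDs: 11 = FileCreate, 13 = RegistryEvent (value set).
# Windows System log event 1074 = shutdown/restart initiated by a process.
SYSMON_FILE_CREATE = 11
SYSMON_REG_SET = 13
SHUTDOWN_IDS = {1074}

DEFAULT_WINDOW_SECONDS = 120  # assumption: "just before shutdown" = within 2 minutes


@dataclass
class Event:
    ts: datetime
    source: str
    event_id: int
    fields: dict


# "<ISO timestamp> <source> <event id> key=value key=value ..." (constructed format)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
# Values may contain spaces (e.g. "Program Files"), so a value runs until the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Parse one log line into an Event, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_s, source, eid, rest = m.groups()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, source, int(eid), dict(KV_RE.findall(rest)))


def is_persistence_write(ev):
    """True if the event writes to a registry Run key or a Startup folder."""
    if ev.source != "Sysmon":
        return False
    if ev.event_id == SYSMON_REG_SET:
        target = ev.fields.get("TargetObject", "").lower()
        return any(marker in target for marker in RUN_KEY_MARKERS)
    if ev.event_id == SYSMON_FILE_CREATE:
        return STARTUP_DIR_MARKER in ev.fields.get("TargetFilename", "").lower()
    return False


def find_last_minute_persistence(lines, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Return one alert per persistence write that occurred within the window before a shutdown."""
    window = timedelta(seconds=window_seconds)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    shutdowns = [e for e in events if e.source == "System" and e.event_id in SHUTDOWN_IDS]
    alerts = []
    for sd in shutdowns:
        for ev in events:
            if is_persistence_write(ev) and sd.ts - window <= ev.ts <= sd.ts:
                alerts.append({
                    "shutdown": sd.ts.isoformat(),
                    "write": ev.ts.isoformat(),
                    "event_id": ev.event_id,
                    "target": ev.fields.get("TargetObject") or ev.fields.get("TargetFilename"),
                    "image": ev.fields.get("Image"),
                })
    return alerts


# Constructed sample: one benign Run-key write hours earlier, then a dropper writing
# a Run key and a Startup .lnk seconds before the machine shuts down.
SAMPLE_LOG = """
2019-01-24T09:15:02Z Sysmon 13 Image=C:\\Program Files\\Vendor\\setup.exe TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater Details=C:\\Program Files\\Vendor\\upd.exe
2019-01-24T17:59:41Z Sysmon 11 Image=C:\\Users\\victim\\AppData\\Roaming\\svc.exe TargetFilename=C:\\Users\\victim\\AppData\\Roaming\\svc.exe
2019-01-24T17:59:58Z Sysmon 13 Image=C:\\Users\\victim\\AppData\\Roaming\\svc.exe TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc Details=C:\\Users\\victim\\AppData\\Roaming\\svc.exe
2019-01-24T17:59:59Z Sysmon 11 Image=C:\\Users\\victim\\AppData\\Roaming\\svc.exe TargetFilename=C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk
2019-01-24T18:00:01Z System 1074 Process=C:\\Windows\\Explorer.EXE Reason=Other (Unplanned)
""".strip().splitlines()

if __name__ == "__main__":
    for alert in find_last_minute_persistence(SAMPLE_LOG):
        print(alert)
```

On the sample, the two writes at 17:59:58 and 17:59:59 are flagged and the vendor installer's Run key from the morning is not. The point of the window is that a plain "Run key was written" rule fires constantly on a real fleet, whereas "Run key written and then the host shut down within seconds" is rare enough to be worth an analyst's time; the same correlation can be expressed in a SIEM query, and the file-side check matters because the quote says the malware writes files as well as the key.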
 

sepik

Maybe malware can do the same when it comes to modifying firewall settings during system shutdown?
In ZoneAlarm Firewall Pro there's an option to "Enable Timing Attack Prevention - prevents malicious programs from exploiting kernel timing vulnerabilities for execution of untrusted code".
Timing Attack = just before system shutdown, I think.
-sepik