Experts Investigate Malware Used in Gozi-Prinimalka Campaign Against US Banks

Trend Micro researchers have identified some of the targeted institutions

In October, RSA revealed that cybercriminals were planning massive Trojan attacks against several US banks. Now Trend Micro researchers have analyzed a few samples of the malware that is likely to be used in the Gozi-Prinimalka campaign.

One of the samples, BKDR_URSNIF.B, is designed to monitor its victims’ browsing activities and collect any information that’s related to financial institutions such as Wells Fargo, PayPal and Wachovia.

Another sample, BKDR_URSNIF.DN, is more interesting. It starts by searching for a specific Firefox registry entry.

If the entry is found, the malware creates a file that drops JS_URSNIF.DJ. If the entry is not found, the malware does not steal any information, but it still carries out its other malicious routines.

JS_URSNIF.DJ is the JavaScript component that actually steals the information. It is injected into specific websites and waits for the victim to enter credentials.

Once the credentials are harvested, the script sends them back to the attackers via HTTP POST requests.

According to the researchers, these pieces of malware use several command and control (C&C) servers.
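The exfiltration pattern described above (an injected script posting harvested credentials from the bank's page to an unrelated server) is something a defender can look for in proxy logs. The following is an added example, not code from the Trend Micro write-up or from the malware: it flags HTTP POSTs whose Referer is a monitored financial site but whose destination belongs to a different domain. The domain list, the log format and the log lines are constructed for illustration; the page does not reproduce the malware's configuration files.

```python
"""Flag HTTP POSTs that leave a monitored banking page for an unrelated host.

Added example (not from the article or the Trend Micro analysis). A web-inject
runs inside the bank's page, so a credential POST to the C&C shows up in a
proxy log as a POST whose Referer is the bank but whose target host is not.
"""
import re
from urllib.parse import urlsplit

# Assumed domains for the institutions named in the article (the real
# configuration is not reproduced on the page).
MONITORED_DOMAINS = {
    "wellsfargo.com", "paypal.com", "wachovia.com",
    "tdbank.com", "firstrade.com", "optionsxpress.com",
}

# Assumed log format: client method url "referer" (one request per line)
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<referer>[^"]*)"$')

# Constructed sample log: two legitimate logins, two exfiltration POSTs to
# C&C-style IP hosts, and an unrelated POST that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 GET https://www.wellsfargo.com/login "-"
10.0.0.5 POST https://www.wellsfargo.com/auth "https://www.wellsfargo.com/login"
10.0.0.5 POST http://198.51.100.23/gate.php "https://www.wellsfargo.com/login"
10.0.0.7 POST https://www.paypal.com/signin "https://www.paypal.com/"
10.0.0.7 POST http://203.0.113.9/forms/post "https://www.paypal.com/signin"
10.0.0.9 POST https://www.example.com/comment "https://www.example.com/post"
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); IP literals are returned unchanged.

    Sufficient for the .com domains above; a real deployment would use the
    Public Suffix List.
    """
    host = host.lower().rstrip(".")
    if IPV4_RE.match(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def monitored_domain_for(url):
    """Return the monitored domain a URL belongs to, or None."""
    host = urlsplit(url).hostname or ""
    dom = registrable_domain(host)
    return dom if dom in MONITORED_DOMAINS else None


def is_suspicious_post(method, url, referer):
    """True if a POST originates from a monitored site but targets another domain."""
    if method != "POST":
        return False
    source = monitored_domain_for(referer)
    if source is None:
        return False
    target = registrable_domain(urlsplit(url).hostname or "")
    return target != source


def find_exfil_posts(log_text):
    """Return (client, url, referer) for every suspicious POST in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line; skip rather than guess
        if is_suspicious_post(m["method"], m["url"], m["referer"]):
            hits.append((m["client"], m["url"], m["referer"]))
    return hits


if __name__ == "__main__":
    for client, url, referer in find_exfil_posts(SAMPLE_LOG):
        print(f"{client} POST {url} from {referer}")
```

Two caveats apply in practice: the check only works where the proxy can see the request line and Referer of HTTPS traffic (TLS interception or endpoint telemetry), and a script that strips the Referer or posts to a host under the same registrable domain would not be caught, so this is one signal to combine with others, not a standalone detector.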

Interestingly, the researchers managed to retrieve the names of three additional targets by analyzing the malware's configuration files.

TDBank, Firstrade Securities and optionsXpress are on the list of targets. All of the institutions have been notified and, hopefully, they will be able to take measures to protect their customers.

“Data exfiltration exhibited by Gozi and other banking Trojans like ZeuS is a continuing thorn in the sides of banking and financial institutions because this is ‘where the money is’,” Trend Micro Threat Research Manager Ivan Macalintal explained.

“These sites are also considered low-hanging fruit for cyber-criminals to take advantage of and exploit. Not only can regular online accounts by end users be targeted by these attacks, but also corporate and business accounts by small-medium businesses and even those by large enterprises.”
