Ursnif banking Trojan joins May’s most wanted list

Check Point's Global Threat Index for May 2020 found several malicious spam campaigns distributing the Ursnif banking Trojan, causing it to jump up 19 places to number five in the top malware list – effectively doubling its impact on businesses worldwide.

Ursnif, which also goes by the names Gozi, IFSB and Dreambot, is a high-risk Trojan that, once it infiltrates its target, records user-system information, including keystrokes, saved logins and passwords, Web browsing activity, system information, and plenty more.

The Trojan is delivered via malicious spam campaigns in Word or Excel attachments. The new wave of Ursnif attacks – which saw it jump up the Top Malware index – coincides with reports about the demise of one of its popular variants, Dreambot.

Dreambot was first discovered in 2014 and is based on Ursnif’s leaked source code. Since March this year, Dreambot’s backend server has gone down, and no samples of this scourge have been seen in the wild.

In addition, the notorious banking trojan Dridex, which entered the malware top 10 for the first time in March 2020, continued to have a notable impact during May, remaining in the number one place for the second month in a row.

The most notable mobile malware families also shifted in May, with Android malware that generates fraudulent revenue from clicking on mobile adverts dominating the mobile index. According to Check Point, this highlights how bad actors are trying to monetise attacks against mobile devices.

Maya Horowitz, director, Threat Intelligence & Research, Products at Check Point, says that with the Dridex, Agent Tesla and Ursnif banking Trojans all ranking among the top five malware in May, it is apparent that attackers are focusing on using malware that enables them to cash in on their victims’ data and credentials.

“While COVID-19-related attacks have fallen, we have seen a 16% increase in overall cyber attacks in May compared to March and April, so organisations must remain vigilant by using certain tools and techniques, especially with the mass shift to remote working, which attackers are taking advantage of,” Horowitz ends.