The Banking Trojan that Uses the 711 Million Exposed Email Addresses: Why You Should Be Concerned


If you haven’t yet checked to see if your email address was compromised in the recent password exposure, go and do it now. You can type in your email address here. This will give you the dumps that your email was found in. Keep in mind that even the site’s owner, Troy Hunt, was surprised to see that his own email was listed.

I told some friends that I had found their email addresses listed in the latest leak. Most were thankful, but some thought that if their password was not exposed, they were safe. After all, what could a hacker do with only an email address? The answer is: Many evil things. These email addresses serve as a starting point for well-designed spamming attacks that attempt to deliver the Ursnif banking Trojan (aka Gozi, Dreambot) and have the potential to be used in ransomware attacks.

ursnif severe

Of course, all such attacks begin with an email that has to look legitimate enough to get itself opened. Ideally, the attackers would like the email to avoid the spam filter and get into the victim’s inbox. I’ll detail some of these techniques in a future post. For now, it’s just necessary to note that Ursnif is pretty standard in its delivery approach except for a few variations. In its mass email spamming campaign, the senders need to know which addresses are most susceptible to an attack. They will first send out a test email to check out the victim. These test emails include a single-pixel beacon within the email. If the email is opened by the intended victim, this invisible pixel informs the attacker. The beacon also sends back other useful information, such as IP address, network and device information, and what operating system the victim is using. This is important in that Ursnif targets Windows systems. The beacon activates if the potential victim has images enabled in their emails. Spam filters sometimes find these beacons and remove the associated images from an email or send the email to the spam folder. It should be noted that legitimate email marketers also use beacons to help their clients track the success of their marketing campaigns.

If the test email reveals a potential victim, the attacker will target them more precisely in a subsequent email. They may, for example, have learned which company the victim works for and construct an email that may seem to come from someone within their company. The subject line may be about a payment, invoice, or contain a known person’s name, as in the example below given by Forcepoint.

ursnif email

Notice that the email contains the password for opening an attached Word document. This may make the victim (and spam filter) less suspicious. The victim may decide to download the document and take a look at it. As is usually the case, the attacker tries to get the user to enable macros in Word. They do this in a somewhat creative way by using the interface shown below.

ursnif doc open

If the victim clicks on any of the documents shown, the attack will begin. There will be no need to wait for the victim to enable macros. That’s because these files are not what they seem to be. They are all the same VBS script designed to look like Word documents.

Once triggered, the script is designed to connect to the internet and download the main malware package. The malware will store itself in a %Temp% folder. It will begin the attack by checking to see if the device is running a sandbox. To this end, the malware also analyzes mouse movements. A mouse that doesn’t move is more likely using a sandbox. Another technique for avoiding sandbox detection is for the malware to check what processes are running. If it finds a sandbox-related process, it will not deploy.

If the system checks out as safe for the malware to operate, it will set up an autorun key in the registry, which will guarantee its persistence at every startup. The original downloaded file will then be deleted and the malware will try to hide within a legitimate process such as explorer.exe or svchost.exe.

Once installed, the malware will then establish an internet connection with its command and control (C&C) server. It is now ready to gather important banking, credit card, or other information. It does that by using the following.

A keylogger, to record users’ keystrokes

Video and screen capturing, to follow what the user is doing when they visit their banking site in case the victim uses a mouse to login (they can watch them enter their credentials)

An information stealer, to obtain browser passwords, browser history, email, and other important data,

Man-in-the-browser and Web injects, to help them gather other personal and financial information

Tor client, to use a more hidden way to connect to the C&C (this could also be useful in some ransomware attacks)

VNC client, to remotely administer a device

True, many spamming attacks are stopped by either good spam filters or wary users. However, with 711 million email addresses at their disposal, the attacker only needs a small percentage to work to launch a successful campaign. In addition, the malware is continuously evolving with attack vectors changing all the time. The examples shown are a few of many. Its increasing sophistication in using more targeted emails (spearphishing) makes this trojan more likely to succeed than others in its class. So does it matter that an attacker only has your email address? You be the judge.

2 thoughts on “The Banking Trojan that Uses the 711 Million Exposed Email Addresses: Why You Should Be Concerned

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s