Different emails but same virus: the timeless Ursnif malware is attacking online bank accounts again
Two dangerous phishing email campaigns, currently running in Italy, attempt to exploit the name of two very famous companies to spread a very dangerous virus. The companies in question are Vodafone and Enel Energia, while the virus is the banking trojan Ursnif, able to empty our bank account.
The fake Vodafone emails have been discovered by security researcher JamesWT, while the ones exploiting Enel's name have been discovered by the Italian cybersecurity company D3Lab, which also collaborates with the Cert, the Computer Emergency Response Team of the Agency for Digital Italy that belongs to the Presidency of the Council of Ministers. Both campaigns are aimed at spreading the Ursnif virus, a trojan that according to Trend Micro is a close relative of Emotet, Gozi, BitPaymer, Dridex and GameOver Zeus. Here's how to recognize fake emails in order to defend yourself from the attack.
Fake Vodafone email with Ursnif virus: how to recognize it
The fake Vodafone email is, between the two, the easiest to recognize because it has a very unbelievable sender: [email protected] The problem is that many users don't read the sender and take the body of the email as real.
Unfortunately, even the text of the message shows the classic signs that should alarm those who receive them. In particular, there are grammatical errors: "As you requested, we have carried out the transfer of your telephone account from the previous operator to Vodafone by activating the Vodafone Ready offer. Attached you can find the file containing the details and costs of the changeover, which will be charged directly on the iban you provide monthly".
The attachment, then, is a file "IlUfY.zipper" equally unbelievable. But if the unlucky user opens the attachment, he finds himself in front of an Excel file with another message inside: "This document is protected. Encrypted by DucuSign. To view the document, click on Enable Edit and then on Enable Content".
Below the message you see the logos of Microsoft, McAfee, Symantec and RSA Security Analytics. In short, a whole package of totally false information to induce the user to click on Enable Modify and Enable Content, which are basically the Office 365 commands to activate the execution of the scripts contained in the file. Scripts that, of course, then start the infection.
Fake Enel Energia email with Ursnif virus: how to recognize it
The second phishing email that has been circulating in these hours, the one in the name of Enel Energia, is instead more polished and refined. The sender is in fact [email protected], which is just as fake but much more credible than the previous one. The subject of the email is a great classic: "Payment reminder".
The body of the email is in good Italian, without any error, and mentions some unpaid past due bills. In practice, it's a reminder to pay Enel Energia bills, for a total of several hundred euros.
There is no lack of data and methods for payment, the usual attachment and links to the Enel website. In this case, therefore, it is easier to fall into the trap because there are no obvious signs that the email is fake.
Ursif: why it is a very dangerous virus
Both emails carry the Ursif malware. It is one of the most popular banking trojans in Italy (which means, unfortunately, that it is also one of the most effective).
When Ursnif is executed, it first checks for the presence of any virtual or debug environments, to understand whether it is free to operate or not. If so, it displays a warning message with the text "Client app initialization error!"
Then it attacks the two system processes svchost.exe and explorer.exe, injecting the malicious code inside them. At this point it tries to steal as much information as possible from the system and stores it in a file. Then it connects to a malicious command and control server (C&C) from which it downloads additional viruses.
Once it has taken over the system Ursnif can spy on the user in an extremely effective way, stealing login data from all online accounts. This data is sent to the remote server and if these accounts include those for accessing online banking accounts, then it's all over: the victim will soon find himself with large account balances.