PSP Assignment1

The document discusses several topics related to computer and network security: 1. It defines security domains, internet security, computer security, and goals of computer security including confidentiality, integrity and availability. 2. It summarizes notable computer security attacks like the Stuxnet attack and Target and Home Depot breaches. 3. It covers network security, cyber warfare, mobile security, attacks based on communication like SMS and MMS, threats and vulnerabilities.

Uploaded by

B Basit

Name: Quratulain Islam

SAP: 22066
Assignment 1 (a,b,c)

To: Sir Tariq Khan


Course: Programming for security professionals

Date: 04/04/2021

Security domain
A security domain is the determining factor in the classification of an
enclave of servers/computers. A network with a different security
domain is kept separate from other networks.
Examples: NIPRNet, SIPRNet, JWICS and NSANet are all kept separate. A
security domain is considered to be an application or collection of
applications that all trust a common security token for authentication,
authorization or session management. Generally speaking, a security
token is issued to a user after the user has actively authenticated with a
user ID and password to the security domain.

Internet security:
Internet security consists of a range of security tactics for protecting
activities and transactions conducted online over the internet. These
tactics are meant to safeguard users from threats such as hacking into
computer systems, email addresses, or websites; malicious software that
can infect and inherently damage systems; and identity theft by hackers
who steal personal data such as bank account information and credit
card numbers. Internet security is a specific aspect of broader concepts
such as cybersecurity and computer security, being focused on the
specific threats and vulnerabilities of online access and use of the
internet.
Internet security involves the protection of information that is sent and
received in browsers, as well as network security involving web-based
applications. These protections are designed to monitor incoming
internet traffic for malware as well as unwanted traffic. This protection
may come in the form of firewalls, antimalware, and antispyware.

Computer security:
Computer security deals with the protection of computer systems and
information from harm, theft, and unauthorized use. The main reason
users get attacked frequently is that they lack adequate defenses to
keep out intruders, and cybercriminals are quick to exploit such
weaknesses. Computer security ensures the confidentiality, integrity,
and availability of your computers and their stored data.
The security precautions related to computer information and access
address four major threats:
- theft of data, such as that of military secrets from government
computers;
- vandalism, including the destruction of data by a computer virus;
- fraud, such as employees at a bank channeling funds into their own
accounts; and
- invasion of privacy, such as the illegal accessing of protected
personal financial or medical data from a large database.

Goals in computer security:


These are the three goals in computer security:
1. Confidentiality
2. Integrity
3. Availability

Notable computer security attacks and breaches


Stuxnet attack
The computer worm known as Stuxnet reportedly ruined almost one-
fifth of Iran's nuclear centrifuges by disrupting industrial programmable
logic controllers (PLCs) in a targeted attack generally believed
to have been launched by Israel and the United States although neither
has publicly acknowledged this.
Target and Home Depot breaches
A Russian/Ukrainian hacking ring known as "Rescator" broke into Target
Corporation computers in 2013, stealing roughly 40 million credit cards,
and then Home Depot computers in 2014, stealing between 53 and 56
million credit card numbers. Warnings were delivered at both
corporations, but ignored; physical security breaches using
self-checkout machines are believed to have played a large role.
"The malware utilized is absolutely unsophisticated and uninteresting,"
says Jim Walter, director of threat intelligence operations at security
technology company McAfee, meaning that the heists could easily have
been stopped by existing antivirus software had administrators
responded to the warnings. The size of the thefts has resulted in major
attention from state and federal United States authorities, and the
investigation is ongoing.

Network security:-
As cyber security is concerned with outside threats, network security
guards against unauthorized intrusion of your internal networks due to
malicious intent.
Network security ensures that internal networks are secure by
protecting the infrastructure and inhibiting access to it.
To help better manage network security monitoring, security teams are
now using machine learning to flag abnormal traffic and alert to threats
in real time. Network administrators continue to implement policies and
procedures to prevent unauthorized access, modification and
exploitation of the network.
Common examples of network security implementation:
- extra logins
- new passwords
- application security
- antivirus programs
- antispyware software
- encryption
- firewalls
- monitored internet access

Cyber warfare:-
Cyber warfare involves the actions by a nation-state or international
organization to attack and attempt to damage another nation's
computers or information networks through, for example, computer
viruses or denial-of-service attacks. Future wars will see hackers using
computer code to attack an enemy's infrastructure, fighting alongside
troops using conventional weapons like guns and missiles. A shadowy
world that is still filled with spies, hackers and top secret digital weapons
projects, cyberwarfare is an increasingly common (and dangerous)
feature of international conflicts.

Cyberwarfare can take many forms, including:

- viruses, computer worms and malware that can take down water
supplies, transportation systems, power grids, critical infrastructure
and military systems;
- denial-of-service (DoS) attacks, cybersecurity events that occur when
attackers take action that prevents legitimate users from accessing
targeted computer systems, devices or other network resources;
- hacking and theft of critical data from institutions, governments and
businesses; and
- ransomware that holds computer systems hostage until the victims
pay ransom.

Mobile security
Mobile security involves protecting both personal and business
information stored on and transmitted
from smartphones, tablets, laptops and other mobile devices. The term
mobile security is a broad one that covers everything from protecting
mobile devices from malware threats to reducing risks and securing
mobile devices and their data in the case of theft, unauthorized access
or accidental loss of the mobile device.
Mobile security also refers to the means by which a mobile device
can authenticate users and protect or restrict access to data stored on
the device through the use of passwords, personal identification
numbers (PINs), pattern screen locks or more advanced forms of
authentication such as fingerprint readers, eye scanners and other forms
of biometric readers.
Mobile security solutions and apps are available from a wide array of
vendors for all of the popular mobile operating systems,
including iOS for iPhones and iPads, Google's Android platform and
Microsoft's Windows Phone.
Mobile security is closely related to mobile device management (MDM),
which is a term that specifically applies to protecting mobile devices in
the enterprise or business environments from loss or theft, as well as
protecting the data on these devices.

Attacks based on communication


Attack based on SMS and MMS
Some attacks derive from flaws in the management of SMS and MMS.
Some mobile phone models have problems in managing binary SMS
messages. It is possible, by sending an ill-formed block, to cause the
phone to restart, leading to a denial of service. If a user with
a Siemens S55 received a text message containing a Chinese character, it
would lead to a denial of service. In another case, while the standard
requires that the maximum size of a Nokia Mail address is 32 characters,
some Nokia phones did not verify this standard, so if a user entered an
email address over 32 characters, the e-mail handler stopped working
completely and was put out of commission. This attack is called
"curse of silence". A study on the safety of the SMS infrastructure
revealed that SMS messages sent from the Internet can be used to
perform a distributed denial of service (DDoS) attack against the mobile
telecommunications infrastructure of a big city. The attack exploits the
delays in the delivery of messages to overload the network.
Another potential attack could begin with a phone that sends an MMS to
other phones, with an attachment. This attachment is infected with a
virus. Upon receipt of the MMS, the user can choose to open the
attachment. If it is opened, the phone is infected, and the virus sends an
MMS with an infected attachment to all the contacts in the address
book. There is a real-world example of this attack: the
virus Commwarrior uses the address book and sends MMS messages
including an infected file to recipients. Once a user installs the software
received via MMS, the virus begins to send messages to recipients taken
from the address book.

Threat
Threat is a potential negative action or event facilitated by a vulnerability that
results in an unwanted impact to a computer system or application.

Types of Threats
Threats can be classified into four different categories: direct, indirect,
veiled and conditional.
- A direct threat identifies a specific target and is delivered in a
straightforward, clear, and explicit manner.
- An indirect threat tends to be vague, unclear, and ambiguous. The
plan, the intended victim, the motivation, and other aspects of the
threat are masked or equivocal.
- A veiled threat is one that strongly implies but does not specifically
threaten violence.
- A conditional threat is the type of threat often seen in extortion
cases. It warns that a violent act will happen unless certain demands
or terms are met.
Vulnerability
A vulnerability is a weakness in hardware, software, personnel or
procedures, which may be exploited by threat actors in order to achieve
their goals.
Vulnerabilities can be physical, such as a publicly exposed networking
device, software-based, like a buffer overflow vulnerability in a browser,
or even human, which includes an employee susceptible to phishing
attacks.
The process of discovering, reporting and fixing vulnerabilities is
called vulnerability management. A vulnerability for which no fix is yet
available is called a zero-day vulnerability.

Malware
Malware, short for malicious software, is a blanket term for viruses,
worms, trojans and other harmful computer programs hackers use to
wreak destruction and gain access to sensitive information. Malware is
malicious software that enables unauthorized access to networks for
purposes of theft, sabotage, or espionage. There are many types of
malware, and many cyberattacks use a combination of several types to
achieve their goals.
Malware is usually introduced into a network through phishing,
malicious attachments, or malicious downloads, but it may gain access
through social engineering or flash drives as well.

Denial of Service
The goal of denial-of-service attacks is not to gain unauthorized access to
a machine or data, but to prevent legitimate users of a service from using
it. A denial-of-service attack can come in many forms. Attackers may
"flood" a network with a large volume of data or deliberately consume a
scarce or limited resource, such as process control blocks or pending
network connections. They may also disrupt physical components of the
network or manipulate data in transit, including encrypted data.

There are two general methods of DoS attacks: flooding services or
crashing services. Flood attacks occur when the system receives too
much traffic for the server to buffer, causing it to slow down and
eventually stop. Popular flood attacks include:

Buffer overflow attacks – the most common DoS attack. The concept is
to send more traffic to a network address than the programmers have
built the system to handle. It includes the attacks listed below, in
addition to others that are designed to exploit bugs specific to certain
applications or networks.

ICMP flood – leverages misconfigured network devices by sending
spoofed packets that ping every computer on the targeted network,
instead of just one specific machine. The network is then triggered to
amplify the traffic. This attack is also known as the smurf attack or ping
of death.

SYN flood – sends a request to connect to a server, but never completes
the handshake. Continues until all open ports are saturated with
requests and none are available for legitimate users to connect to.

An additional type of DoS attack is the Distributed Denial of Service
(DDoS) attack. A DDoS attack occurs when multiple systems orchestrate
a synchronized DoS attack on a single target. The essential difference is
that instead of being attacked from one location, the target is attacked
from many locations at once.
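The SYN flood and DDoS descriptions above can be turned into a small detection check: count half-open (SYN_RECV) connections per source and per destination, flag a single source that exceeds a threshold, and separately flag the distributed case where no source is loud on its own but many sources together saturate one destination. This is an added example written for this page, not code from the assignment; the connection-table log format and the addresses are constructed.

```python
"""Half-open connection counting over constructed connection-table lines,
to tell a single-source SYN flood from a distributed one."""
import re
from collections import Counter, defaultdict

# Each line is one connection-table entry in an invented format, e.g.
#   src=203.0.113.9 dst=192.0.2.10:80 state=SYN_RECV
LINE_RE = re.compile(
    r"src=(?P<src>[0-9.]+) dst=(?P<dst>[0-9.]+:\d+) state=(?P<state>[A-Z_]+)"
)

HALF_OPEN = "SYN_RECV"   # handshake started by the peer and never completed


def parse(lines):
    """Yield a dict per line that matches LINE_RE; skip anything else."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def analyse(lines, per_source=5, min_sources=4, total_half_open=12):
    """Per destination: total half-open entries, sources that alone exceed
    per_source (single-source flood), and a 'distributed' flag when at
    least min_sources together push half-open entries past total_half_open
    while every one of them stays under the per-source threshold."""
    by_dst = defaultdict(Counter)
    for rec in parse(lines):
        if rec["state"] == HALF_OPEN:
            by_dst[rec["dst"]][rec["src"]] += 1

    report = {}
    for dst, per_src in by_dst.items():
        total = sum(per_src.values())
        loud = sorted(src for src, n in per_src.items() if n >= per_source)
        distributed = (
            total >= total_half_open
            and len(per_src) >= min_sources
            and not loud
        )
        report[dst] = {
            "half_open": total,
            "flood_sources": loud,
            "distributed": distributed,
        }
    return report


def single_source_sample():
    """Constructed: one host holds 8 half-open entries; a normal client
    has 3 established connections and 1 in-progress handshake."""
    lines = ["src=203.0.113.9 dst=192.0.2.10:80 state=SYN_RECV"] * 8
    lines += ["src=10.0.0.2 dst=192.0.2.10:80 state=ESTABLISHED"] * 3
    lines += ["src=10.0.0.2 dst=192.0.2.10:80 state=SYN_RECV"]
    lines += ["garbage line that does not parse"]   # ignored by parse()
    return analyse(lines)


def distributed_sample():
    """Constructed: six sources with 3 half-open entries each; none
    crosses the per-source threshold, but together they saturate :443."""
    lines = []
    for i in range(1, 7):
        lines += [f"src=198.51.100.{i} dst=192.0.2.10:443 state=SYN_RECV"] * 3
    return analyse(lines)


if __name__ == "__main__":
    print(single_source_sample())
    print(distributed_sample())
```

The thresholds are illustrative; on a real system they would be tuned to the service's normal backlog and connection rate.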

Logic Bombs
It is one of the oldest types of program threat. The code is embedded in
some legitimate program and is set to "explode" when certain conditions
are met. Conditions that can be used as triggers include the presence or
absence of certain files, a particular date or day of the week, or a
particular user running the application. Once triggered, it may alter or
delete data or entire files, or even halt the machine.

For example, a computer programmer may insert code into a payroll
program that deletes files if her name is not found on the list. In other
words, the files will be deleted if she is ever fired.
Other viruses, called time bombs, may only detonate on a specific date
or time.

Logic bombs can be programmed to perform a variety of malicious
activities, some of which include the following:
- Delete data
- Steal data
- Corrupt data
- Consume system resources
- Restrict or prevent user access
- Create backdoors for hackers

Payload
A payload refers to the component of a computer virus that executes a
malicious activity. Apart from the speed at which a virus spreads, the
threat level of a virus is calculated by the damage it causes. Viruses with
more powerful payloads tend to be more harmful.
Although not all viruses carry a payload, a few payloads are considered
extremely dangerous. Some of the examples of payloads are data
destruction, offensive messages and the delivery of spam emails
through the infected user's account.
A payload is also known as a destructive payload.

Backdoor
It is a secret entry point into a program, which allows access without
going through the usual security access procedure. Programmers use
this to debug and test programs. It is code that recognizes some
special sequence of input or is triggered by being run from a certain user
ID. It is difficult to implement operating system controls for backdoors.
"A backdoor refers to any method by which authorized and
unauthorized users are able to get around normal security measures and
gain high level user access (aka root access) on a computer system,
network, or software application."
In one example of backdoor malware, cybercriminals hid malware inside
of a free file converter. No surprise—it didn't convert anything. In fact,
the download was designed solely to open up a backdoor on the target
system. In another example, cybercriminals hid backdoor malware
inside of a tool used for pirating Adobe software applications (let that be
a lesson on software piracy). And in one final example, a seemingly
legitimate cryptocurrency ticker app called CoinTicker worked as
advertised, displaying information about various forms of
cryptocurrency and markets, but it also opened a backdoor.

“Backdoors were the fourth most common threat detection in 2018 for
both consumers and businesses—respective increases of 34 and 173
percent over the previous year.”

Trojan Horse
It is a hidden piece of code like a virus. The main purpose of a virus is to
make some sort of modification to the target computer or network,
whereas a Trojan horse attempts to reveal confidential information to an
attacker. The name Trojan Horse is due to the Greek soldiers, who hid
inside a large wooden horse that was pulled into the city by the citizens
of Troy, unaware of its contents. A program that is often confused with
viruses is a 'Trojan horse' program. This is not a virus, but simply a
program (often harmful) that pretends to be something else. For
example, you might download what you think is a new game; but when
you run it, it deletes files on your hard drive. Or the third time you start
the game, the program e-mails your saved passwords to another person.
Trojans themselves are a doorway. Unlike a worm, they need a host to
work. Once you've got the Trojan on your device, hackers can use it to…
- Delete, modify and capture data
- Harvest your device as part of a botnet
- Spy on your device
- Gain access to your network

Trojan Example:
Emotet is a sophisticated banking trojan that has been around since
2014. It is hard to fight Emotet because it evades signature-based
detection, is persistent, and includes spreader modules that help it
propagate. The trojan is so widespread that it is the subject of a US
Department of Homeland Security alert, which notes that Emotet has
cost state, local, tribal and territorial governments up to $1 million per
incident to remediate.

Virus
A virus is program code that inserts itself into one or more files and
then performs some (possibly null) actions. The instructions in the
program code are nothing but the recipe for making perfect copies of
itself. Thus, whenever the infected computer comes in contact with an
uninfected piece of software, a fresh copy of the virus passes into the
new program. Viruses can infect program files, boot sectors, hard drive
partition tables, data files, memory, macro routines and scripting files.
After deleting all files from the current user's computer, the virus
self-propagates by sending its code to all users whose email addresses
are stored in the current user's address book. A virus can do anything
other programs can do. The difference is that it attaches itself to
another program and runs when that program is run.
Viruses vs Trojans
A virus cannot execute or reproduce unless the app it has infected is
running. This dependence on a host application makes viruses different
from trojans, which require users to download them, and worms, which
do not use applications to execute. Many instances of malware fit into
multiple categories: for instance, Stuxnet is a worm, a virus and a
rootkit.

Ransomware
Ransomware is a type of malware that encrypts or locks the data on a
victim's computer. It then demands some bitcoin in exchange for the
access key or other software to unlock or decrypt the victim's data. The
motive for ransomware attacks is nearly always monetary, and unlike
other types of attacks, the victim is usually notified that an exploit has
occurred and is given instructions for how to recover from the attack.
Payment is often demanded in a virtual currency, such as bitcoin, so that
the cybercriminal's identity isn't known.
To reduce the risk of ransomware attacks…
- Always keep your operating system up to date
- Keep your anti-virus software up to date
- Back up your most important files
- Don't open attachments from unknown sources (WannaCry was
spread via a .js attachment)

Ransomware Example:
This year, the city of Baltimore was hit by a type of ransomware named
RobbinHood, which halted all city activities, including tax collection,
property transfers, and government email for weeks. This attack has cost
the city more than $18 million so far, and costs continue to accrue. The
same type of malware was used against the city of Atlanta in 2018,
resulting in costs of $17 million.

Spyware
Spyware collects information about users' activities without their
knowledge or consent. This can include passwords, PINs, payment
information and unstructured messages.
The use of spyware is not limited to the desktop browser: it can also
operate in a critical app or on a mobile phone.
Spyware Example:
DarkHotel, which targeted business and government leaders using hotel
Wi-Fi, used several types of malware in order to gain access to the
systems belonging to specific powerful people. Once that access was
gained, the attackers installed keyloggers to capture their targets'
passwords and other sensitive information.

Worms
Worms target vulnerabilities in operating systems to install themselves
into networks. They may gain access in several ways: through backdoors
built into software, through unintentional software vulnerabilities, or
through flash drives. Once in place, worms can be used by malicious
actors to launch DDoS attacks, steal sensitive data, or conduct
ransomware attacks.
Once a worm has installed itself into your computer's memory, it starts
to infect the whole machine and in some cases… your whole network.
Depending on the type of worm and your security measures, they can do
serious damage. These parasitic nasties can…
- Modify and delete files
- Inject malicious software onto computers
- Replicate themselves over and over to deplete system resources
- Steal your data
- Install a convenient backdoor for hackers

Worm Example:
Stuxnet was probably developed by the US and Israeli intelligence forces
with the intent of setting back Iran’s nuclear program. It was introduced
into Iran’s environment through a flash drive. Because the environment
was air-gapped, its creators never thought Stuxnet would escape its
target’s network — but it did. Once in the wild, Stuxnet spread
aggressively but did little damage, since its only function was to interfere
with industrial controllers that managed the uranium enrichment
process.

Rootkits
A rootkit is software that gives malicious actors remote control of a
victim’s computer with full administrative privileges. Rootkits can be
injected into applications, kernels, hypervisors, or firmware. They spread
through phishing, malicious attachments, malicious downloads, and
compromised shared drives. Rootkits can also be used to conceal other
malware, such as keyloggers.
Rootkit Example:
Zacinlo infects systems when users download a fake VPN app. Once
installed, Zacinlo conducts a security sweep for competing malware and
tries to remove it. Then it opens invisible browsers and interacts with
content like a human would — by scrolling, highlighting and clicking. This
activity is meant to fool behavioral analysis software. Zacinlo’s payload
occurs when the malware clicks on ads in the invisible browsers. This
advertising click fraud provides malicious actors with a cut of the
commission.

Bootkit
A bootkit is a type of malicious infection which targets the Master Boot
Record located on the physical motherboard of the computer. Attaching
malicious software in this manner can allow for a malicious program to
be executed prior to the loading of the operating system.
The primary benefit to a bootkit infection is that it cannot be detected
by standard operating system processes because all of the components
reside outside of the Windows file system.
Bootkit infections are on the decline with the increased adoption of
modern operating systems and hardware utilizing UEFI and Secure Boot
technologies.
Bootkits are an advanced form of rootkits that take the basic
functionality of a rootkit and extend it with the ability to infect
the master boot record (MBR) or volume boot record (VBR) so that the
bootkit remains active even after a system reboot.
Bootkits are designed to not only load from the master boot record but
also remain active in the system memory from protected mode through
the launch of the operating system and during the computer's active
state.
Three highly publicized examples of bootkits are the Stoned Bootkit,
Evil Maid Attack and Alureon.

Keyloggers
A keylogger is a type of spyware that monitors user activity. Keyloggers
have legitimate uses; businesses can use them to monitor employee
activity and families may use them to keep track of children’s online
behaviors. However, when installed for malicious purposes, keyloggers
can be used to steal password data, banking information and other
sensitive information. Keyloggers can be inserted into a system through
phishing, social engineering or malicious downloads.
Keylogger Example:
A keylogger called Olympic Vision has been used to target US, Middle
Eastern and Asian businessmen for business email compromise (BEC)
attacks. Olympic Vision uses spear-phishing and social engineering
techniques to infect its targets’ systems in order to steal sensitive data
and spy on business transactions. The keylogger is not sophisticated, but
it’s available on the black market for $25 so it’s highly accessible to
malicious actors.

Eavesdropping
An eavesdropping attack, also known as a sniffing or snooping attack, is a
theft of information as it is transmitted over a network by a
computer, smartphone, or another connected device.
The attack takes advantage of unsecured network communications to
access data as it is being sent or received by its user.
The attacker observes traffic on your system and the work you are doing.
The attacker can monitor you in three ways:
- Email monitoring
- Which websites you visit
- What items you download

Exploits
“Exploits are accidental software vulnerabilities used to gain access to
your computer and, potentially, deploy some sort of malware….
Backdoors, on the other hand, are deliberately put in place by
manufacturers or cybercriminals to get into and out of a system at will.”
An exploit is a piece of software, a chunk of data, or a sequence of
commands that takes advantage of a bug or vulnerability to cause
unintended or unanticipated behavior to occur on computer software,
hardware, or something electronic (usually computerized). Such
behavior frequently includes things like gaining control of a computer
system, allowing privilege escalation, or a denial-of-service (DoS or
related DDoS) attack.

Screen scraper
A screen scraper is a form of malware capable of taking screenshots or
gathering data from the visible desktop to send them back to its
controller. Under normal circumstances, a legacy application is either
replaced by a new program or brought up to date by rewriting the
source code. In some cases, it is desirable to continue using a legacy
application, but the lack of availability of source code, programmers
or documentation makes it impossible to rewrite or update the
application. In such a case, the only way to continue using the legacy
application may be to write screen scraping software to translate it into
a more up-to-date user interface. Screen scraping is usually done only
when all other options are impractical.

The screen scraping application must usually do both of the following:
- Capture screen input and pass it on to the legacy application for
processing
- Return data from the application to the user and display it properly
on the user's screen
For example, screen scraper software is available to take the output
from a legacy application running on an IBM mainframe and use it as
input for an application running on a PC.

Pattern of virus:
A virus cannot be completely invisible. Code must be stored somewhere,
and the code must be in memory to execute. Moreover, the virus
executes in a particular way, using certain methods to spread. Each of
these characteristics yields a telltale pattern, called a signature, that can
be found by a program that looks for it.

Storage Patterns
Most viruses attach to programs that are stored on media such as disks.
The attached virus piece is invariant, so the start of the virus code
becomes a detectable signature. The attached piece is always located at
the same position relative to its attached file. For example, the virus
might always be at the beginning, 400 bytes from the top, or at the
bottom of the infected file. Most likely, the virus will be at the beginning
of the file because the virus writer wants to obtain control of execution
before the bona fide code of the infected program is in charge. In the
simplest case, the virus code sits at the top of the program, and the
entire virus does its malicious duty before the normal code is invoked. In
other cases, the virus infection consists of only a handful of instructions
that point or jump to other, more detailed instructions elsewhere. For
example, the infected code may consist of condition testing and a jump
or call to a separate virus module. In either case, the code to which
control is transferred will also have a recognizable pattern. Both of these
situations are shown in the figure below (not reproduced here).

A virus may attach itself to a file, in which case the file's size grows. Or
the virus may obliterate all or part of the underlying program, in which
case the program's size does not change but the program's functioning
will be impaired. The virus writer has to choose one of these detectable
effects.

The virus scanner can use a code or checksum to detect changes to a file.
It can also look for suspicious patterns, such as a JUMP instruction as the
first instruction of a system program (in case the virus has positioned
itself at the bottom of the file but is to be executed first, as in Figure 3-
9).
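The storage-pattern checks just described (a checksum against a clean baseline, a file-size change, a fixed byte signature at a stable position, and a JUMP as the first instruction) can be combined in a small scanner. This is an added example written for this page, not the assignment's own code; the "programs", the signature bytes and the three infection layouts are constructed byte strings, not real malware.

```python
"""Toy file scanner for the three storage patterns: checksum/size change,
known signature, and a JUMP opcode as the first instruction."""
import hashlib

# Constructed signature: the invariant start of a fictitious virus body.
SIGNATURES = {"DEMO.Virus.A": b"VIRUS-DEMO"}

# x86 jump opcodes: 0xEB (short jmp) and 0xE9 (near jmp).
JUMP_OPCODES = {0xEB, 0xE9}

# Constructed clean programs; each starts with an ordinary function prologue.
CLEAN = {
    name: b"\x55\x89\xe5" + name.encode() + b" body"
    for name in ("payroll.exe", "report.exe", "backup.exe", "editor.exe")
}


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict) -> dict:
    """Record checksum and size per file while the system is known clean."""
    return {n: {"sha256": checksum(d), "size": len(d)} for n, d in files.items()}


def scan(files: dict, base: dict) -> dict:
    """Map each suspicious file name to the list of reasons it was flagged."""
    findings = {}
    for name, data in files.items():
        reasons = []
        known = base.get(name)
        if known is None or checksum(data) != known["sha256"]:
            reasons.append("checksum changed")
        if known is not None and len(data) > known["size"]:
            reasons.append(f"size grew by {len(data) - known['size']} bytes")
        for sig_name, sig in SIGNATURES.items():
            if sig in data:
                reasons.append(f"signature {sig_name} at offset {data.index(sig)}")
        if data and data[0] in JUMP_OPCODES:
            reasons.append("first instruction is a JUMP")
        if reasons:
            findings[name] = reasons
    return findings


def infect_samples() -> dict:
    """The three layouts from the text, plus one untouched file."""
    sig = SIGNATURES["DEMO.Virus.A"]
    return {
        # virus at the top: file grows and the virus runs before the program
        "payroll.exe": b"\xeb\x10" + sig + CLEAN["payroll.exe"],
        # virus at the bottom with a jump patched in at the top: file grows
        "report.exe": b"\xe9\x00\x00" + CLEAN["report.exe"] + sig,
        # virus overwrites the start of the program: size stays the same
        "backup.exe": sig + CLEAN["backup.exe"][len(sig):],
        "editor.exe": CLEAN["editor.exe"],
    }


def demo() -> dict:
    """Take the baseline before infection, then scan the infected set."""
    return scan(infect_samples(), baseline(CLEAN))


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

The overwrite case shows why the checksum check matters: the file size is unchanged and no JUMP is present, so only the baseline comparison and the signature catch it.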

Execution Patterns
A virus writer may want a virus to do several things at the same time,
namely, spread infection, avoid detection, and cause harm. These goals
are shown in Table below along with ways each goal can be addressed.
Unfortunately, many of these behaviors are perfectly normal and might
otherwise go undetected. For instance, one goal is modifying the file
directory; many normal programs create files, delete files, and write to
storage media. Thus, no key signals point to the presence of a virus.
Most virus writers seek to avoid detection for themselves and their
creations. Because a disk's boot sector is not visible to normal
operations (for example, the contents of the boot sector do not show on
a directory listing), many virus writers hide their code there. A resident
virus can monitor disk accesses and fake the result of a disk operation
that would show the virus hidden in a boot sector by showing the data
that should have been in the boot sector (which the virus has moved
elsewhere).
There are no limits to the harm a virus can cause. On the modest end,
the virus might do nothing; some writers create viruses just to show they
can do it. Or the virus can be relatively benign, displaying a message on
the screen, sounding the buzzer, or playing music. From there, the
problems can escalate. One virus can erase files, another an entire disk;
one virus can prevent a computer from booting, and another can
prevent writing to disk. The damage is bounded only by the creativity of
the virus's author.

Transmission Patterns
A virus is effective only if it has some means of transmission from one
location to another. As we have already seen, viruses can travel during
the boot process by attaching to an executable file or traveling within
data files. The travel itself occurs during execution of an already infected
program. Since a virus can execute any instructions a program can, virus
travel is not confined to any single medium or execution pattern. For
example, a virus can arrive on a disk or from a network connection,
travel during its host's execution to a hard disk boot sector, reemerge
next time the host computer is booted, and remain in memory to infect
other disks as they are accessed.
Example:
- Virus arrives on a diskette or from the network
- Travels to a hard disk boot sector
- Reemerges when the computer is next booted
- Remains in memory to infect other diskettes
As technology is continually advancing, so are viruses and malware.
These cybersecurity threats are always evolving and becoming more
dangerous, making it harder for computer users to keep their data
protected.

Latest Malware Attacks

Ursnif Malware

Ursnif malware, also known as Gozi, is one of the most widely spread
banking Trojans. The malware's source code was leaked in 2015 and
made publicly available on GitHub, which enabled other malware authors
to add new features and allowed different threat actors to develop the
code further. Ursnif can collect the victim's system activity, record
keystrokes, and keep track of network and browser activity. It archives
the collected data before sending it to the C&C server.

Ursnif malware is effectively delivered through malicious spam
campaigns. The spam attachment is a Microsoft Office document that
instructs the user to enable macros. One of the newer Ursnif campaigns
takes advantage of INPS (Instituto Nazionale Previdenza Sociale), an
entity of the Italian public retirement system. An email circulated with
a manager's signature, encouraging the recipient to open the attached
Excel file. Once opened, the file requests a password (given in the email
body) and contacts the URL contained within it. From that URL a DLL is
downloaded to the victim's machine, at which point the malware infects
the system.

Check Point's latest Global Threat Index for May 2020 found several
malicious spam campaigns distributing the Ursnif banking trojan, which
caused it to jump up 19 places to 5th in the Top Malware list, doubling
its impact on organizations worldwide.

The Ursnif banking trojan targets Windows PCs and is capable of stealing
vital financial information, email credentials and other sensitive data.
The malware is delivered in malicious spam campaigns via Word or Excel
attachments. The new wave of Ursnif trojan attacks – which saw it enter
the Top Malware index’s top 10 for the first time – coincides with
reports about the demise of one of its popular variants, Dreambot.
Dreambot was first spotted in 2014 and is based on Ursnif’s leaked
source code. However, since March 2020, Dreambot’s backend server
has gone down, and no new Dreambot samples have been seen in the
wild.

Meanwhile, the well-known banking trojan Dridex, which entered the
malware top 10 for the first time in March, continued to have a
significant impact throughout May, remaining in 1st place for the second
month running. The most prevalent mobile malware families also
completely changed in May, with Android malware that generates
fraudulent revenue from clicking on mobile adverts dominating the
mobile index – showing how criminals are trying to monetize attacks
against mobile devices.

Check Point researchers warn that with the Dridex, Agent Tesla and
Ursnif banking trojans all ranking in the malware top 5 in May, it is
clear that cyber criminals are focusing on malware that lets them
monetize their victims' data and credentials. While COVID-19-related
attacks have fallen, they have seen a 16% increase in overall cyber
attacks in May compared to March and April, so organizations must remain
vigilant by using appropriate tools and techniques, especially with the
mass shift to remote working, which attackers are taking advantage of.

Behaviour

- Steals computer data, computer name, system locale, operating
  system (OS) version and running processes
- Steals user credentials, financial and banking information
- Able to communicate with a C&C server to download additional
  malware components
- Executes backdoor commands from a remote malicious user to
  connect to malicious websites for sending and receiving information

Capabilities

- Information theft

Impact

- Financial loss - steals banking, digital wallet and cryptocurrency
  information
- Violation of user privacy - gathers user credentials for various
  applications, logs keystrokes and steals user information

Regional Impact (October 2020)

REGION                EUROPE   JAPAN   AMERICAS   APAC   N-ASIA   AMEA
CUSTOMER CASE COUNT   154      2       1          36     -        -

REGION                EMEA     JAPAN   NABU   LAR   APAC
SPN VSAPI FEEDBACK    1,240    5,416   514    42    2,940

Infection Chain

[Figure: sample spam email (image not reproduced)]

[Figure: sample attachment (image not reproduced)]
TECHNICAL DETAILS
Behavior
Upon execution, Ursnif checks for the presence of any virtual or
debugging environment; if one is found, it shows a fake alert message
box with the text "Error Initializing Client App!". It also performs
process hollowing on svchost.exe or explorer.exe and injects a DLL file
(client.dll) chosen according to the system environment (32- or 64-bit).
Afterwards, it tries to steal multiple pieces of information from the
system and stores them in a file. It then connects to a malicious
command and control (C&C) server.

Infection Vector
Ursnif is typically encountered when the user inadvertently opens a
malicious file attachment that arrives via a spam email message.

Files Added

- Creates a copy of itself at "%appdata%\[Random_Folder]\[Dropped_Filename].exe",
  where "Dropped_Filename" is a combination of strings taken from
  %system32% directory filenames.
- Creates a batch file at "%temp%\[Random_Folder]\[Random_File].bat"
  to execute and delete itself.
- Creates a storage file at "%temp%\[Random_Hex].bin" to store the
  stolen data. Stolen data is in CAB file format, created by executing
  makecab.exe. The storage file contains the following information:
  - Installed device drivers - collected by executing driverquery.exe
  - Installed programs - collected by executing reg.exe on
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
  - System information - collected by executing systeminfo.exe
  - Currently running processes - collected by executing tasklist.exe /SVC

Registry Changes
Adds the following registry keys, the first of which runs the dropped file at startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Dropped_Filename]:
  "%appdata%\[Random_Folder]\[Dropped_Filename].exe"
- HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Vars
- HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Files
- HKCU\Software\AppDataLow\Software\Microsoft\{GUID}\Config

Network Activity
It connects to the following servers:

- bergesoma[.]com/images/[encrypted_data]/[.jpeg|.gif|.bmp]
- polinodara[.]com/images/[encrypted_data]/[.jpeg|.gif|.bmp]

where encrypted_data contains the username, computer name, version of
the injected process, system IP address and malware-specific
configuration details.
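The host artifacts and network pattern listed in the sections above (a Run key pointing into %appdata%, the AppDataLow\Software\Microsoft\{GUID} keys, makecab.exe writing a .bin under %temp%, recon tools spawned from a hollowed svchost.exe or explorer.exe, and the /images/.../*.jpeg C&C URL shape) can be turned into simple detection rules. The code below is an added example, not part of the report; the log format, PIDs, paths and GUID are constructed, and only the URL shape and the first hostname come from the indicators above.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): kind|pid|detail|detail
SAMPLE_LOGS = r"""
reg|4120|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wdtsvcfe|C:\Users\amy\AppData\Roaming\Hqrtmz\Wdtsvcfe.exe
reg|4120|HKCU\Software\AppDataLow\Software\Microsoft\{2C1A8E50-7B3E-4F40-9D1A-1A2B3C4D5E6F}\Vars|
proc|4120|explorer.exe|driverquery.exe
proc|4120|explorer.exe|systeminfo.exe
proc|4120|explorer.exe|tasklist.exe /SVC
proc|4120|explorer.exe|makecab.exe C:\Users\amy\AppData\Local\Temp\1F3A.bin
net|4120|bergesoma.com|/images/Kp8sDf2LqW9xZ3vR7bN1tY6mH4cJ0eQ/xA2.jpeg
proc|800|explorer.exe|notepad.exe
net|800|example.org|/images/logo.png
"""

# Rules derived from the artifacts listed in the report above.
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.I)
APPDATALOW = re.compile(r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\\{[0-9A-F-]+\}\\(Vars|Files|Config)$", re.I)
IMAGE_URL = re.compile(r"^/images/[A-Za-z0-9_-]{16,}/[^/]+\.(jpeg|gif|bmp)$", re.I)
RECON_TOOLS = {"driverquery.exe", "systeminfo.exe", "tasklist.exe", "reg.exe"}
HOLLOW_HOSTS = {"svchost.exe", "explorer.exe"}   # processes Ursnif hollows


def detect(log_text):
    """Return {pid: sorted rule names} for every PID that trips a rule."""
    hits, recon = defaultdict(set), defaultdict(set)
    for line in log_text.strip().splitlines():
        kind, pid, a, b = line.split("|")
        if kind == "reg":                       # a = key path, b = value data
            if RUN_KEY.match(a) and APPDATA_EXE.search(b):
                hits[pid].add("run_key_to_appdata_exe")
            if APPDATALOW.match(a):
                hits[pid].add("appdatalow_guid_config")
        elif kind == "proc":                    # a = parent image, b = command line
            exe = b.split()[0].lower()
            if a.lower() in HOLLOW_HOSTS and exe in RECON_TOOLS:
                recon[pid].add(exe)
            if exe == "makecab.exe" and b.lower().endswith(".bin"):
                hits[pid].add("makecab_to_temp_bin")
        elif kind == "net" and IMAGE_URL.match(b):   # a = host, b = URL path
            hits[pid].add("c2_image_url_pattern")
    for pid, tools in recon.items():
        if len(tools) >= 3:   # burst of system-recon tools from one hollowed host
            hits[pid].add("recon_burst_from_host_process")
    return {pid: sorted(rules) for pid, rules in hits.items()}
```

The benign PID 800 trips nothing, which is the point of keying the URL rule on the long opaque path segment rather than on any request under /images/.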
