Discovered by Paris-based security researcher Benkow, the spambot was hosted on a web server in the Netherlands. The openly accessible server held text files containing a massive batch of email addresses and passwords, including credentials for the mail servers used to send the spam; access to legitimate mail servers is an important part of large-scale spamming operations. Called "Onliner", the spambot sends the Ursnif banking malware to millions of inboxes, and the malware is installed if the attachment is opened. Troy Hunt of the breach notification website Have I Been Pwned said it is the largest amount of data he has ever handled: "The one I'm writing about today is 711m records which makes it the largest single set of data I've ever loaded into HIBP. Just for a sense of scale, that's almost one address for every single man, woman and child in all of Europe." Benkow has been analyzing the data for months.

The Ursnif malware is a trojan that steals data such as login details, passwords, and financial data. Working much like a phishing scam, the campaign sends an email carrying a normal-looking attachment. In reality, the attached file is loaded with malware, which is downloaded to the machine when the attachment is opened.
Bypassing Spam Folders
One of the important aspects of this Ursnif campaign, and a reason it reaches so many inboxes, is that its mail bypasses email spam filters. These filters are becoming increasingly good at stopping spam and blacklisting domains that host spam servers. However, Onliner is sophisticated enough to navigate around them. "It's difficult to know where those lists of credentials came from," Benkow says. "I have obviously seen a lot of public leaks (like Linkedin, Baidu or with every password in clear text) but credentials can also come from phishing campaigns, credential-stealer malware like Pony, or they can also be found in a shop."