New Ursnif trojan variant uses sneaky CAPTCHA to fool victims and steal information

Trojan horse with dollar sign on a phone screen indicating banking trojan

A new variant of the Ursnif banking trojan, also known as Gozi, is apparently tricking unwary victims and stealing their information by attacking under the guise of a harmless captcha. The report comes from BleepingComputer who had received the information from security researchers at MalwareHunterTeam.

Apparently, when trying to watch a certain embedded YouTube video whose content is related to a violent night in a women's prison in New Jersey via a URL, a file named "console-play.exe", which serves the malware, is downloaded. This happens when you press the play on the said YouTube NJ women's prison video.

Ursnif YouTube video

After that, a fake reCAPTCHA is displayed that asks the user to press certain buttons to prove they aren't a bot. Also since the console-play.exe is an executable file, the browser warns the user of potential malware threats.

However, the reCAPTCHA plays its part here in order to trick the unsuspecting user. It asks the user to press the B, S, Tab, A, F, and finally the Enter keys. And while the B, S, A, and F are simply used as decoys, the Tab key highlights the "Keep" button on the browser malware warning. And once the Enter is placed, the user perhaps unknowingly welcomes the Ursnif trojan-distributing malicious file.

And the video will apparently start playing after this is done making the user proud of themself that they are indeed not a robot.

Ursnif trojan reCAPTCHA test

If the downloaded console-play.exe is run, a folder is created in Roaming under the AppData directory. This folder is named "Bouncy for .NET Helper" and has plenty of decoy files in it other than the main malware containing executable called "BouncyDotNet.exe".

Ursnif BouncyNetexe malware file

Apparently, the BouncyDotNet.exe is able to create the infectious DLL file that helps the Ursnif trojan spread. The trojan can steal information related to credentials and such.

This isn't the first instance of an Ursnif attack this year as Avast reported back in March that the malware had hit over 100 banks in Italy.

Source and images: BleepingComputer

Report a problem with article
The Nokia logo on a multicoloured background
Next Article

Nokia works with UNICEF and Safaricom to help connect Kenyan schools

A Microsoft logo on a grey background with a padlock icon in a circle on the right
Previous Article

Microsoft is driving Zero Trust adoption under recent Presidential Executive Order

6 Comments - Add comment