Researchers from Proofpoint are reporting on a new version of the Ursnif banking trojan that has suffered a change in its source code and now uses servers hosted on the Tor anonymous network to hide its command and control infrastructure.
Ursnif, also known as Gozi ISFB, is an offshoot of the original Gozi banking trojan that got its source code leaked online in 2014 and on which many other banking trojans were built, such as GozNym.
Ursnif wasn't a one-time Gozi variant but has continued to evolve over the years, constantly receiving new updates.Ursnif Dreambot variant introduced Tor and P2P support
One of these recent updates was detected in July 2016, and Proofpoint researchers nicknamed it Ursnif Dreambot, or just Dreambot.
This variant changed some default behavior in Ursnif's mode of operation. Dreambot dropped the Domain Generation Algorithm (DGA) used to determine the location of the C&C server, and replaced it with hard-coded URLs, one pointing to a URL on the public Internet, and two URLs pointing to Tor-based .onion sites.
Of course, during Dreambot's installation, the trojan downloads and installs the Tor client, in order to contact the C&C servers itself. Proofpoint says it saw this C&C configuration change in Dreambot 2.14.845.
In a later version, the trojan evolved again, and this time, it replaced the Tor-based infrastructure with one that communications via P2P.
Proofpoint notes that its researchers have seen many more Ursnif versions, and all have been used in the wild.Dreambot distributed via both spam and exploit kits
The Ursnif cyber-gang has been as unpredictable in its distribution methods as with its development plans, using multiple techniques to deliver their payloads.
"Dreambot is one of the most active banking Trojans we have seen recently," the Proofpoint staff noted . "For Tor-enabled versions in particular, Dreambot activity on infected machines can be especially hard to detect at the network level, creating new challenges for defenders and IT organizations alike."