Malware targets manufacturers

Manufacturing is one of the sectors targeted by a new malware variant that is not only able to steal passwords and other sensitive information, but is also capable of infecting files, researchers said.
By Gregory Hale, ISSSource February 2, 2015

Ursnif is the malware used by bad guys to steal passwords and other sensitive information from infected devices, but its variant detected as PE_URSNIF.A-O, is also capable of infecting files, said researchers at Trend Micro.

The United States and the United Kingdom account for 39.35% and 35.51%, respectively, of infections. Researchers also found the malware on computers in Canada (19%) and Turkey (1.92%). Education, financial, and manufacturing are among the sectors impacted by the threat, which ends up distributed via spam messages and Trojan downloaders.

The Ursnif variant analyzed by Trend Micro infects .PDF, .MSI and .EXE files found on removable and network drives. Unlike other similar pieces of malware, which insert malicious code into host files, PE_URSNIF.A-O embeds the host file into its resource section. When one of the infected files ends up executed by the victim, the malware drops the original file and opens it in an effort to avoid raising any suspicion.

Another anti-detection technique leveraged by Ursnif involves sleeping for 30 minutes before starting the infection routine. This helps the threat evade sandboxes, which usually monitor suspicious files for only up to five minutes to see how they behave.

"The fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines," Trend Micro threat response engineer, RonJay Caragay, said in a blog. "The expansion into file infection can also be seen as a strategic one. A different file infector type (e.g., appending) requires a different detection for security solutions; not all solution may have this detection."

IT administrators can protect their networks against such threats by paying attention to the way network shares end up configured. This includes ensuring that computers don’t have full access to the network, and configuring network access to read-only.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on the ISSSource website. ISSSource is a CFE Media content partner. Edited by Joy Chang, Digital Project Manager, Control Engineering, jchang@cfemedia.com.