Trojan-Spy.Win32.Ursnif

Trojan-Spy.Win32.Ursnif is a banking Trojan written using Microsoft Visual C++. Also known as IAP, ISFB, Gozi, Rovnix, and Papras. Information for contacting command-and-control servers is either hard-coded in the Trojan itself or generated based on the current date and system configuration. Works with 32- and 64-bit versions of Internet Explorer and Firefox, and 32-bit versions of Chrome.

Main features include:

• Stealing user names, passwords, and personal data from web forms
• Stealing installed certificates
• Downloading and launching other software
• Running a SOCKS proxy server
• Intercepting keystrokes
• Capturing screenshots
• Performing web injects (when malicious content is inserted into the web pages opened by a user in a web browser)

Geographical distribution of attacks by the Trojan-Spy.Win32.Ursnif family

Geographical distribution of attacks during the period from 28 June 2015 to 28 June 2016

Top 10 countries with most attacked users (% of total attacks)

* Percentage among all unique Kaspersky users worldwide attacked by this malware