Contacts Stolen and Spear Phishing Emails Sent by Ursnif Trojan

The financial sector banking Trojan Ursnif, one of the most commonly experienced banking Trojans, has before been used to attack banking institutions. However, it seems the individuals behind the malware have expanded their horizons, with cyberattacks now being carried out on a wide variety of groups across many different sectors, including healthcare.

The new strain of the Ursnif Trojan was found by researchers at security firm Barkly. The malware was sent in a phishing email that seemed to have been sent in response to a message sent to another group.

The spear phishing email included the message thread from previous conversations, suggesting the email information of the recipient had been accessed. The email contained a Word document as an attachment with the message “Morning, Please see attached and confirm.”  While such a message would cause worry if that was the only content in the email body, the inclusion of the message thread added further legitimacy to the email.

The document contained a malicious macro that ran Powershell commands which attempted to download the malicious payload; however, different to many malware campaigns, rather than running the macro straight away, it is not run until the Word document is closed – an anti-sandbox technique.

If the payload is clicked on, in addition to the user’s device being compromised, their email account will send out more spear phishing emails to all of that user’s contacts.

Barkly notes that, if installed, the malware can complete man-in-the-middle attacks and can steal information as it is entered into the Internet browser. The aim of the Ursnif Trojan is to obtain a wide range of credentials, including bank account information and credit card information. Ursnif Trojan is also able to capture screenshots from the user’s device and log keystrokes.

Barkly claims that this is not the first time the firm has found malware campaigns that use this tactic to spread malware, but this is the first occasion that the Ursnif Trojan has been used in this way, showing the threat is continually evolving.

Since the emails seem to come from a trusted sender, and include message threads, the chance of the emails and attachments being opened is higher than ever.

Barky reports that presently the malware is not being picked up by many anti-virus programs, and its ability to remove itself after executing makes the threat hard to detect and examine.

Further information on the threat, including the domains used by the malware and SHA256 hashes for the Word document, Macro, and Ursnif payload can be see on this link..

Author: Maria Perez