Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails

The banking Trojan Ursnif, one of the most commonly used banking Trojans, has previously been used to attack financial institutions. However, it would appear the actors behind the malware have broadened their horizons, with attacks now being conducted on a wide range of organizations across many different industries, including healthcare.

The new version of the Ursnif Trojan was detected by researchers at security firm Barkly. The malware arrived in a phishing email that appeared to have been sent in response to a message sent to another organization.

The spear phishing email included the message thread from past conversations, suggesting the email account of the contact had been compromised. The email contained a Word document as an attachment with the message “Morning, Please see attached and confirm.” While such a message would arouse suspicion if that was the only content in the email body, the inclusion of the message thread added legitimacy to the email.

The document contained a malicious macro that ran PowerShell commands which tried to download the malicious payload. In contrast to many malware campaigns, however, the macro does not run immediately: it runs only when the Word document is closed, which is an anti-sandbox technique.
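The close-time trigger described above can be checked for statically. The following Python triage function is an added example, not code from Barkly or the original article: it takes VBA source already extracted from a document, follows calls from Word's close-time entry points (`AutoClose`, `Document_Close`), and flags process launches that occur only on close. The sample macro, the `<placeholder>` command and all function names are constructed for illustration.

```python
import re

# Procedures Word runs automatically (real VBA auto-macro / event names).
ON_CLOSE = {"autoclose", "document_close"}
ON_OPEN = {"autoopen", "document_open"}
PROC = re.compile(
    r"^[ \t]*(?:(?:Private|Public)[ \t]+)?(?:Sub|Function)[ \t]+(\w+)"
    r".*?^[ \t]*End[ \t]+(?:Sub|Function)", re.I | re.M | re.S)
# Heuristic indicators that a procedure starts another process.
LAUNCH = re.compile(r"powershell|wscript\.shell|\bshell\b|createobject", re.I)

def parse_procedures(vba_source):
    """Map lower-cased procedure name -> full text of that procedure."""
    # Rejoin split literals first: "pow" & "ershell" -> "powershell"
    text = re.sub(r'"\s*[&+]\s*"', "", vba_source)
    return {m.group(1).lower(): m.group(0) for m in PROC.finditer(text)}

def reachable(procs, roots):
    """Procedures reachable from the entry points through direct calls."""
    seen, todo = set(), [r for r in roots if r in procs]
    while todo:
        name = todo.pop()
        seen.add(name)
        todo += [o for o in procs if o not in seen and o not in todo
                 and re.search(r"\b%s\b" % re.escape(o), procs[name], re.I)]
    return seen

def triage(vba_source):
    """Report process launches tied to open-time and close-time triggers."""
    procs = parse_procedures(vba_source)
    def launches(roots):
        return sorted(n for n in reachable(procs, roots)
                      if LAUNCH.search(procs[n]))
    on_close, on_open = launches(ON_CLOSE), launches(ON_OPEN)
    # deferred_only: nothing launches at open, something launches at close
    return {"close_launch": on_close, "open_launch": on_open,
            "deferred_only": bool(on_close) and not on_open}

# Constructed sample: harmless at open, close handler calls a launcher.
SAMPLE = '''Sub AutoOpen()
    ActiveDocument.Content.Font.Size = 11
End Sub
Private Sub Document_Close()
    Finish
End Sub
Sub Finish()
    Shell "pow" & "ersh" & "ell.exe <placeholder>"
End Sub
'''
```

Calling `triage(SAMPLE)` reports the launch in `Finish` as reachable only from the close handler. The VBA text is assumed to come from a separate extraction step (for example a tool such as olevba), which is not shown.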

If the payload is downloaded, in addition to the user’s device being compromised, their email account will be used to send out further spear phishing emails to all of that user’s contacts.

Barkly notes that if installed, the malware can perform man-in-the-middle attacks and can steal information as it is entered into the browser. The purpose of the Ursnif Trojan is to steal a wide range of credentials, including bank account information and credit card details. The Ursnif Trojan is also able to take screenshots from the user’s device and log keystrokes.

Barkly reports that this is not the first time the firm has identified malware campaigns that use this tactic to spread malware, but this is the first time that the Ursnif Trojan has been used in this way, showing the threat is evolving.

Since the emails appear to come from a trusted sender, and include message threads, the likelihood of the emails and attachments being opened is far greater.

Barkly reports that currently the malware is not being picked up by many anti-virus solutions, and its ability to delete itself after executing makes the threat hard to detect and analyze.

Further details on the threat, including the domains used by the malware and SHA256 hashes for the Word document, Macro, and Ursnif payload can be found on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.