New Version of Ursnif Trojan in Ongoing Campaign

Delaware, USA – August 9, 2019 – Ursnif is one of the most widespread banking trojans. It appeared about 12 years ago and gained exceptional popularity after its source code was leaked in 2014, and since then various modifications of Ursnif have been used worldwide to steal passwords and banking information. A new ongoing campaign was discovered by FortiGuard Labs, which managed to intercept several emails with a malicious document installing Ursnif Trojan compiled in late July. All documents have name “info_ [date].doc” and when they are opened, the user sees a message that the document was created in a previous version of Word, and the user needs to enable macros to see it. A similar method was used through the campaign discovered earlier this year, but this time the document contains a very small VBA macro, which decodes PowerShell command that downloads Ursnif trojan from one of the attackers’ servers and installs it. The new version of the malware uses a number of anti-analysis techniques hiding some API functions and keeping most data in the main module encrypted. Also of interest is a way trojan communicates with command-and-control infrastructure. Ursnif runs multiple Component Object Model instances of iexplorer.exe process which repeatedly appear and disappear. With their help, malware transfers the collected data, and in order to cause less suspicion, it connects not only to the C&C server but also to the official Microsoft and antivirus vendors servers.

Despite its simplicity, the campaign is effective and still ongoing, therefore it is recommended to take additional measures to secure your organization against the malware. It is possible to detect infection at an early stage using a properly configured sysmon and your existing security solutions. Since many droppers now use PowerShell commands to download and install malware, the following rules will be useful for timely detection of malicious activity.

Suspicious PowerShell Download – https://tdm.socprime.com/tdm/info/1041/

Suspicious PowerShell Invocations – Generic – https://tdm.socprime.com/tdm/info/1037/

Evasion Base64 decode arguments in Powershell. (Possible APT29 activity) – https://tdm.socprime.com/tdm/info/1376/

Malicious PowerShell Commandlets – https://tdm.socprime.com/tdm/info/1110/

PowerShell Download from URL – https://tdm.socprime.com/tdm/info/1189/