The Ursnif Trojan is Capturing Banking Credentials Again

Delaware, USA – January 25, 2019 – Cisco Talos has dissected the newest version of the Ursnif malware distributed in a recent campaign and published the discovered indicators of compromise in its report. The threat actors behind this version of the popular trojan rely on a well-proven delivery method: an attached MS Word document containing a malicious VBA macro and an image that lures the victim into enabling macros. Once enabled, the macro runs a PowerShell command that downloads and executes the Ursnif banking malware. After execution, the malware modifies the Windows Registry, adding a PowerShell command that performs Asynchronous Procedure Call (APC) injection into a legitimate process.

This version of the trojan is designed to stealthily collect the victim's credentials and exfiltrate them to the command-and-control server over HTTPS requests. Stolen data is stored in the TEMP directory and packed into 1 KB CAB archives with a .bin extension using a native Windows tool. The craftiness of Ursnif lets it penetrate victims' machines and steal the compressed data while evading traditional AV solutions. Following the recently updated information about the banking trojan's activity, our team has updated SIEM rules to detect the latest version of the malware: https://tdm.socprime.com/tdm/info/1067/
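As an added illustration (not code from the Talos report or from the SOC Prime rule pack linked above), the script below turns the two host-side behaviours described here into hunting logic run over Sysmon-style event records: the CAB tool writing .bin archives under a Temp directory, and a registry value being set with PowerShell in its data. The sample events are constructed for this example, not telemetry from the campaign. It assumes makecab.exe is the unnamed "native Windows tool" and uses Sysmon field names (EventID 11 FileCreate, EventID 13 RegistryEvent Value Set); the rule names are arbitrary.

```python
import re

# Constructed sample events using Sysmon field names. These are made-up
# records for the example, not telemetry from the Ursnif campaign.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\makecab.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\3A4F.bin"},
    {"EventID": 11, "Image": r"C:\Windows\System32\makecab.exe",
     "TargetFilename": r"C:\Windows\Temp\driver.cab"},          # benign: .cab name
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},  # benign
]

CAB_TOOL = "makecab.exe"   # assumption: the page only says "native Windows tool"
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)


def _basename(path):
    """Last path component of a Windows path, independent of host OS."""
    return path.rsplit("\\", 1)[-1].lower()


def is_cab_staging(ev):
    """FileCreate by the CAB tool, *.bin name, under a Temp directory.
    Sysmon FileCreate carries no size, so the 1 KB detail is not checked."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "")
    return (_basename(ev.get("Image", "")) == CAB_TOOL
            and target.lower().endswith(".bin")
            and TEMP_DIR_RE.search(target) is not None)


def is_registry_powershell(ev):
    """Registry value set whose data carries a PowerShell command. The page
    does not name the key, so any value-set event is considered."""
    return (ev.get("EventID") == 13
            and POWERSHELL_RE.search(ev.get("Details", "")) is not None)


RULES = {
    "ursnif_cab_staging_in_temp": is_cab_staging,
    "ursnif_registry_powershell_value": is_registry_powershell,
}


def hunt(events):
    """Return (rule_name, evidence) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("TargetFilename") or ev.get("TargetObject")))
    return hits


if __name__ == "__main__":
    for name, evidence in hunt(SAMPLE_EVENTS):
        print(f"{name}: {evidence}")
```

The registry rule is deliberately broad: makecab writing .bin files in Temp is unusual on its own, but a PowerShell command landing in a registry value appears in plenty of loaders, so in production you would tune it by key path and command-line patterns (for example, encoded or hidden-window flags) rather than rely on the bare "powershell" match.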