April 8, 2020 By David Bisson 2 min read

Security researchers observed that a new Ursnif attack campaign replaced PowerShell with mshta as a means to distribute the malware.

Zscaler observed that the Ursnif campaign began with the delivery of document files bearing the name “info_03_24.doc.” These documents leveraged malicious Visual Basic for Applications (VBA) macro code to call the main routine. This stage involved writing the second-stage payload to “index.html” and executing it.

In contrast to previous campaigns, the second stage of the campaign did not invoke a PowerShell command. Instead, it executed index.html using “mshta.exe,” a utility for executing Microsoft HTML Applications (HTAs). The step executed JavaScript and ActiveX code that created a new function with decoded ASCII data as its function body, among other operations.

The third and final stage leveraged that decoded ASCII data’s instructions to execute and download “index.dll” via regsvr32. In so doing, it installed Ursnif as the campaign’s final payload.

Ursnif’s Fork and Globetrotting Campaigns

Ursnif has been featured in several attack campaigns thus far in 2020. In January, for instance, researchers at FireEye detected malware that identified itself as “SaiGon version 3.50 rev 132.” A closer look revealed that this threat had based itself on the source code of Ursnif v3, suggesting a possible fork in the malware family’s development.

Just a few weeks later, SANS ISC unveiled its discovery of an attack campaign that relied on malspam to target German users with malware. Then, in March 2020, Cybaze-Yoroi Zlab intercepted a campaign in which attackers used a compromised Italian website to target Italian users with the Trojan.

How to Defend Against Malicious Macros

Security professionals can help defend their organizations against campaigns that use malicious macro code by relying on their security information and event management (SIEM) solution to detect malicious macro activity. Specifically, they should use the SIEM to detect the creation of new processes that could be spawned by malicious macros. Infosec personnel should also use tools like a VBA editor to extract and inspect macro code included in suspicious Office documents.

More from

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today