Security researchers came across a new Ursnif malware campaign that used multiple anti-analysis techniques to avoid detection.

In summer 2019, FortiGuard Labs spotted an attack campaign leveraging malicious Microsoft Word documents to distribute the Ursnif Trojan. The documents all used the format info_[date].doc for their file names and leveraged a fake security warning to trick users into enabling macros. From there, the attack read from three controls on the UserForm to assemble PowerShell code and execute it. This step laid the groundwork for the campaign to download a malware payload file from a URL.

This particular sample of the banking Trojan was unique in that it dynamically parsed its API functions. Such a technique enabled the operation to foil static analysis of its inner workings. To further evade detection, those behind the campaign designed the malware variant so that most data in the main module was encrypted — and decrypted only at runtime.

A Look Back at Ursnif

Ursnif was very busy during the first half of 2019. In January, for instance, Cisco Talos observed an attack campaign that employed CAB files to compress its stolen information prior to exfiltrating it to its command-and-control (C&C) server. Just a couple of months later, Cybereason discovered an operation pushing a new variant of the Trojan that arrived with a module capable of stealing data from mail clients and web browsers. This was just a few weeks before Yoroi detected a campaign that used multiple stages and system tools to target organizations across Italy.

How to Defend Against Malicious Microsoft Docs

To help defend against malicious Microsoft documents pushing malware, security teams should use VBA editor and other tools to inspect the macro code contained within incoming Microsoft Office documents. Security professionals should also consider placing greater restrictions on the use of macros within the organization.