August 12, 2019 By David Bisson 2 min read

Security researchers came across a new Ursnif malware campaign that used multiple anti-analysis techniques to avoid detection.

In summer 2019, FortiGuard Labs spotted an attack campaign leveraging malicious Microsoft Word documents to distribute the Ursnif Trojan. The documents all used the format info_[date].doc for their file names and leveraged a fake security warning to trick users into enabling macros. From there, the attack read from three controls on the UserForm to assemble PowerShell code and execute it. This step laid the groundwork for the campaign to download a malware payload file from a URL.

This particular sample of the banking Trojan was unique in that it dynamically parsed its API functions. Such a technique enabled the operation to foil static analysis of its inner workings. To further evade detection, those behind the campaign designed the malware variant so that most data in the main module was encrypted — and decrypted only at runtime.

A Look Back at Ursnif

Ursnif was very busy during the first half of 2019. In January, for instance, Cisco Talos observed an attack campaign that employed CAB files to compress its stolen information prior to exfiltrating it to its command-and-control (C&C) server. Just a couple of months later, Cybereason discovered an operation pushing a new variant of the Trojan that arrived with a module capable of stealing data from mail clients and web browsers. This was just a few weeks before Yoroi detected a campaign that used multiple stages and system tools to target organizations across Italy.

How to Defend Against Malicious Microsoft Docs

To help defend against malicious Microsoft documents pushing malware, security teams should use VBA editor and other tools to inspect the macro code contained within incoming Microsoft Office documents. Security professionals should also consider placing greater restrictions on the use of macros within the organization.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today