August 12, 2019 By David Bisson 2 min read

Security researchers came across a new Ursnif malware campaign that used multiple anti-analysis techniques to avoid detection.

In summer 2019, FortiGuard Labs spotted an attack campaign leveraging malicious Microsoft Word documents to distribute the Ursnif Trojan. The documents all used the format info_[date].doc for their file names and leveraged a fake security warning to trick users into enabling macros. From there, the attack read from three controls on the UserForm to assemble PowerShell code and execute it. This step laid the groundwork for the campaign to download a malware payload file from a URL.

This particular sample of the banking Trojan was unique in that it dynamically parsed its API functions. Such a technique enabled the operation to foil static analysis of its inner workings. To further evade detection, those behind the campaign designed the malware variant so that most data in the main module was encrypted — and decrypted only at runtime.

A Look Back at Ursnif

Ursnif was very busy during the first half of 2019. In January, for instance, Cisco Talos observed an attack campaign that employed CAB files to compress its stolen information prior to exfiltrating it to its command-and-control (C&C) server. Just a couple of months later, Cybereason discovered an operation pushing a new variant of the Trojan that arrived with a module capable of stealing data from mail clients and web browsers. This was just a few weeks before Yoroi detected a campaign that used multiple stages and system tools to target organizations across Italy.

How to Defend Against Malicious Microsoft Docs

To help defend against malicious Microsoft documents pushing malware, security teams should use VBA editor and other tools to inspect the macro code contained within incoming Microsoft Office documents. Security professionals should also consider placing greater restrictions on the use of macros within the organization.

More from

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today