August 12, 2019 By David Bisson 2 min read

Security researchers came across a new Ursnif malware campaign that used multiple anti-analysis techniques to avoid detection.

In summer 2019, FortiGuard Labs spotted an attack campaign leveraging malicious Microsoft Word documents to distribute the Ursnif Trojan. The documents all used the format info_[date].doc for their file names and leveraged a fake security warning to trick users into enabling macros. From there, the attack read from three controls on the UserForm to assemble PowerShell code and execute it. This step laid the groundwork for the campaign to download a malware payload file from a URL.

This particular sample of the banking Trojan was unique in that it dynamically parsed its API functions. Such a technique enabled the operation to foil static analysis of its inner workings. To further evade detection, those behind the campaign designed the malware variant so that most data in the main module was encrypted — and decrypted only at runtime.

A Look Back at Ursnif

Ursnif was very busy during the first half of 2019. In January, for instance, Cisco Talos observed an attack campaign that employed CAB files to compress its stolen information prior to exfiltrating it to its command-and-control (C&C) server. Just a couple of months later, Cybereason discovered an operation pushing a new variant of the Trojan that arrived with a module capable of stealing data from mail clients and web browsers. This was just a few weeks before Yoroi detected a campaign that used multiple stages and system tools to target organizations across Italy.

How to Defend Against Malicious Microsoft Docs

To help defend against malicious Microsoft documents pushing malware, security teams should use VBA editor and other tools to inspect the macro code contained within incoming Microsoft Office documents. Security professionals should also consider placing greater restrictions on the use of macros within the organization.

More from

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - Quick recapThis blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this additional content. As a reminder, PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device,…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today