A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents
A new improved version of the infamous Ursnif banking Trojan leverages Necurs botnet infrastructure targets Italian companies. The malware primarily targets the financial sector and it was detected first in year 2009.
CSE Cybsec ZLab researchers spotted the new campaign to be active from 6th June, it hit’s Italian companies with a malicious Microsoft Word documents and social engineering methods to trick users into enabling macros.
Once Ursnif infected into the machine it tries to spread the infection to all other Email address in the contact book and to trick the victims it makes the message to have appeared as a reply in the previous conversation.
Email Message and Infection – Ursnif Banking Trojan
The Email was written in incorrect Italian language and the documents appeared to be created from an older version of Microsoft Office that asks user’s to enable the macros.
The infection starts once the user enabled the macro’s, which launches a malicious script that downloads and executes the payload from the C&C server.
“The Ursnif banking Trojan can operate without being noticed by both the user and the Operating System because it is capable to inject its malicious code into the “explorer.exe” process, which is one the most important processes in the Microsoft’s OS.”
With the new variant of Ursnif different domains and different macros spotted, at the time of analysis researchers spotted most of the domain’s went offline.
All the domain’s appeared to be registered under the same Email [whois-protect[@]hotmail[.]com], “Investigating on the email address, we discovered that it was used to register about 1000 different domains.” researchers said.
Necurs botnet is one of the largest Malspam threat that distributes by cybercriminals to deliver various dangerous malware and ransomware based highly potential threats.
It also responsible for various ransomware attack operation like JAFF Ransomware, Scarab Ransomware, banking trojan Trickbot, and it played the biggest role of Locky Ransomware distribution with 23 million emails in just 24 hours.
This is the first time Ursnif campaign uses the Necurs botnet infrastructure, CSE CyberSec Enterprise published a full analysis report along with IOCs associated with the incident.