Ursnif banking trojan returns with innovative phishing campaign

An infamous banking trojan returns with the highly localized social engineering attack

Ursnif malware aimed to steal sensitive information from small businesses in the social engineering campaign.

Known as the most active banking malware, Ursnif has been noticed in a highly localized attack aiming to steal sensitive data from just 200 targets. In this small-scale social engineering^[1] attack, macro-laced^[2] documents have been used as legitimate statements from businesses. By using them, cyber thieves behind this malware have been trying to trick people into clicking on a malicious link or opening an infected file. With the attempt of stealing valuable data, this attack aimed at specific cities in states like Tennessee, Missouri, Ohio, Nebraska, Texas, Florida, Virginia, and Michigan.

Documents used in this attack have been relying on different file names in each state but contained a similar message with a suggestion to enable the macro. Each record had a file name that mimics a legitimate name of the business, and, in this way, the message inside looked like a statement from the company. It is known that there were 21 unique file names used in this campaign.

The localized social engineering attack has been targeting businesses in specific cities or geographic areas. For example, the document with a name Dockery_FloorCovering_Statement was spread exclusively to targets in Tennessee. In the meanwhile, Dolan_Care_Statement.doc was sent to targets in Missouri.

Attack's functionality

The whole method is based on the idea that a document from a familiar or local service would not raise the attention for the recipient. Increasing the likelihood of convincing the victim that the material is safe and legitimate, hackers have been seeking to infect the targets with the Ursnif banking trojan.

Various phishing^[3] email campaigns have been widely used in different malware attacks all over the world. In this case, emails that people received looked legitimate and safe because this attack was using locally known names of companies and services for the email addresses and file attachments. The most common pattern for naming these documents was “the name of a local business or service_Statement.”

When people opened the document on their computer, the message asked them to enable the macro. If launched, the message displayed no content and people didn't have a chance to notice the ongoing process. After the malicious PowerShell process was launched, the script connected to any URL and delivered the malicious payload to the system.

The main danger is the virus brought to the system

This particular attack is based on a Trojan horse called Ursnif that is developed to steal sensitive information. When on the computer, it is set to collect data about the infected device and its owner. Just like other into-stealing viruses Emotet^[4] and Trickbot, Trojan can take over all sensitive data like passwords, logins, financial data, and similar information.

Over a year ago, Ursnif was used in another incident with phishing emails^[5]. This time, malware relied on a unique campaign which misused compromised email accounts to reply to active ones. The payload was also propagated via safe-looking documents like MS Word files. In this attack, the main purpose of this malware was to steal banking information, credit card credentials via man-in-the-browser attacks.