A new variant of trojan malware popular with cyber criminals is spreading via malicious Word documents with the aim of stealing bank details and other useful personal information.
The Ursnif trojan targets Windows machines and has existed in one form or another since at least 2007 when its code first emerged in the Gozi banking trojan.
Ursnif has become incredibly popular with cyber criminals in recent years, due to the source code being leaked online, enabling attackers to take advantage of it for free.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
Several different variants of the malware have emerged since the code was leaked, as attackers take it and add their own custom capabilities for stealing banking details and other online account credentials.
Now researchers at cybersecurity firm Fortinet have identified a new version of Ursnif in the wild that is spreading via phishing emails containing weaponised Word documents. These infected lures that are named with a “info_[date].doc” format and claim that the document has been created in a previous version of Word, requiring the user to enable macros to see it.
Enabling macros by clicking the ‘Enable Content’ command unleashes malicious VBA code that begins the process of dropping a version of Ursnif malware that researchers say was only recently compiled on July 25th, indicating how recently this latest incarnation has been developed.
Once installed on a system the malware runs a number of “iexplorer.exe” processes that repeatedly appear and disappear.
This is Ursnif creating the conditions needed to connect to its command and control server. In what appears to be an effort to make the activity less suspicious, the host list for the C&C server includes references to Microsoft and security companies.
Researchers warn that the campaign is still active and have provided a write-up of the Indicators of Compromise in their analysis of the malware.
The attack techniques deployed by this latest Ursnif campaign might appear basic, but even simple phishing email attacks can still provide hackers with means of entering networks or deploying malware.
MORE ON CYBERSECURITY