The banking Trojan Ursnif was typically used for attacking financial institutions. But the malware is now used to attack different organizations including those in the healthcare industry. The researchers at the security firm Barkly detected the new version of Ursnif Trojan. The malware came along in a phishing email that was sent in response to a message sent to another firm.
The spear phishing email contained the thread of messages from past conversations. This is suggestive of the possibility that the email account was compromised. The email had an attached Word document and a cover message simply saying “Morning, Please see attached and confirm.” While the email message looked suspicious, the message thread included in the email made it look legitimate.
The attached document had a malicious macro that ran Powershell commands. It attempted to download the malicious payload, but the macro did not run immediately. It will only run if the Word document is closed. This is called the anti-sandbox technique. In the event that the payload is downloaded to the user’s device, the compromised device and email account will further send out spear phishing emails to all the user’s contacts. Barkly noted that if the malware is installed in the system, it works to attack as a man-in-the-middle and steals information as it is entered into the browser.
The Ursnif Trojan’s job is to steal a lot of credentials such as bank accounts and credit card information. It can also take screenshots of the device and log keystrokes. There were malware campaigns similar to this one launched in the past to spread malware. But this is the first instance that Ursnif Trojan was used. Because the sent emails with message threads seem to be from a trusted sender, it’s likely that the open rate of emails and attachments will be greater.
Many anti-virus solutions are not able to detect the presence of this malware. The malware can simply delete itself so it’s difficult to detect and analyze. More details about the Ursnif can be found on this link.