Ursnif - Spreading via malicious Office files
SonicWall Capture Labs Threat Research Team identified a new wave of malicious Office files in use to distribute Banking Trojan belonging to the Ursnif family. It has been observed that MS-Word files containing VBA Macro code are used to download a text file which contains a series of lines that are decrypted into Portable Executable(PE) file.
Malicious Office file will appear as shown below:
Upon opening the malicious document file, a message is displayed to the user informing that this document is protected and to click on Enable Editing followed by Enable content.
Once the content is enabled, the malicious macro is executed to show a user form titled "loading" and Internet Explorer is launched in the background to download the file pointed by a URL stored in the tag part of userform. Once the download is completed, the PE file belonging to Ursnif family is decrypted from the downloaded data.
Hardcoded URL stored in a tag part of UserForm and decryption routine are shown below:
The downloaded text file is shown below:
Unlike other variants of Ursnif which we have observed in the past to be targeting victims from Italy, this variant does not have any country-specific restriction.
SonicWall Capture Labs provides protection against this threat via the following signatures:
GAV: MalAgent.U1 (Trojan)
GAV: MalAgent.U2 (Trojan)
GAV: MalAgent.U3 (Trojan)
GAV: MalAgent.U4 (Trojan)
Indicators of Compromise:
SHA 256 of Malicious Office documents
Payload SHA 256:
Payload Network connection: