Ursnif Trojan Attacks and Sends Spear Phishing Emails

The banking Trojan Ursnif has typically been used to attack financial institutions, but it is now being used against other organizations, including those in the healthcare industry. Researchers at the security firm Barkly detected a new version of the Ursnif Trojan. The malware arrived in a phishing email that was sent in response to a message sent to another firm.

The spear phishing email contained the thread of messages from past conversations, which suggests that the email account was compromised. The email had an attached Word document and a cover message that simply said “Morning, Please see attached and confirm.” While the email message looked suspicious, the message thread included in the email made it look legitimate.

The attached document had a malicious macro that ran PowerShell commands and attempted to download the malicious payload. The macro did not run immediately, however: it runs only when the Word document is closed, which is an anti-sandbox technique. If the payload is downloaded to the user’s device, the compromised device and email account go on to send spear phishing emails to all of the user’s contacts. Barkly noted that once the malware is installed on the system, it acts as a man-in-the-middle and steals information as it is entered into the browser.
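A defender's static triage check for the behaviour described above, as an added example that is not from Barkly or the original article: it flags extracted macro source in which a run-on-close handler reaches a process launch such as PowerShell, directly or through helper procedures. The handler names `AutoClose` and `Document_Close` are Word's standard close-time entry points and are an assumption here (the article does not name the one used); the sample macro is constructed.

```python
import re

# Assumption: Word's standard run-on-close entry points (not named in the article).
CLOSE_HANDLERS = {"autoclose", "document_close"}
# Indicators that a procedure starts an external process.
LAUNCH = re.compile(r"powershell|wscript\.shell|\bshell\b", re.I)
# A VBA comment starts at an apostrophe that is not inside a string literal.
STRIP_COMMENT = re.compile(r'^((?:[^"\'\n]|"[^"\n]*")*)\'.*$', re.M)
PROC = re.compile(r"^\s*(?:(?:Public|Private)\s+)?(?:Sub|Function)\s+(\w+)"
                  r"(.*?)^\s*End\s+(?:Sub|Function)", re.I | re.M | re.S)

def close_triggered_launches(vba_source):
    """Return (close_handler, procedure) pairs where the handler reaches a launch."""
    src = re.sub(r"[ \t]+_\r?\n", " ", vba_source)   # join line continuations
    src = STRIP_COMMENT.sub(r"\1", src)              # comments must not match
    procs = {m.group(1).lower(): m.group(2) for m in PROC.finditer(src)}
    hits = []
    for handler in sorted(CLOSE_HANDLERS.intersection(procs)):
        seen, stack = set(), [handler]
        while stack:                                 # walk the call graph
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            body = procs[name]
            if LAUNCH.search(body):
                hits.append((handler, name))
            stack.extend(n for n in procs if n not in seen
                         and re.search(rf"\b{re.escape(n)}\b", body, re.I))
    return hits

# Constructed sample: nothing happens at open; the launch sits behind the close handler.
SAMPLE = '''
Sub Document_Open()
    ' no activity at open, so a sandbox that only opens the file sees nothing
End Sub

Private Sub Document_Close()
    RunStage
End Sub

Sub RunStage()
    Dim cmd As String
    cmd = "powershell.exe -NoProfile -Command " & _
          "Write-Output constructed-placeholder"
    Shell cmd
End Sub
'''

if __name__ == "__main__":
    print(close_triggered_launches(SAMPLE))
```

A hit means the document should be detonated with an explicit close step, since analysis that only opens the file would not trigger the macro.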

The Ursnif Trojan’s job is to steal a wide range of credentials, such as bank account and credit card information. It can also take screenshots of the device and log keystrokes. Similar campaigns have been launched in the past to spread malware, but this is the first instance in which the Ursnif Trojan was used. Because the emails include message threads and appear to come from a trusted sender, the open rate for the emails and attachments is likely to be greater.

Many anti-virus solutions are not able to detect the presence of this malware. The malware can also delete itself, which makes it difficult to detect and analyze.


About James Keogh 144 Articles
James Keogh has been writing about the healthcare sector in the United States for several years. With several years of covering healthcare topics, he has developed expertise in HIPAA-related issues, including compliance, patient privacy, and data breaches. His work is known for its thorough research and accuracy, making complex legal and medical information accessible. James's articles are valuable resources for healthcare professionals and have been featured in reputable publications. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681.