Phishing: New Version of Trojan Malware

Trojan malware: beware of this new version of Trojan malware that spreads through malicious Word documents.

A new version of the Trojan Ursnif is being sent via malicious Word documents with the aim of stealing bank information and other credentials.

A new variant of a Trojan malware family popular with cyber criminals is spreading via malicious Word documents with the aim of stealing bank details and other useful personal information.

The Ursnif Trojan malware targets Windows machines and has existed in one form or another since at least 2007, when its code first appeared in the Gozi banking Trojan.

Ursnif has become incredibly popular with cybercriminals in recent years due to the leaking of its source code online, allowing attackers to take advantage of it for free.

Variants of Trojan Malware

Different variants of Trojan malware have emerged since the code was leaked. Attackers use it and add their own custom features to steal bank details and other online account credentials.

Researchers from the cybersecurity company Fortinet identified a new version of Ursnif in the wild. It is spreading through phishing emails containing weaponized Word documents.

These infected lures are named with the format "info_[date].doc" and claim that the document was created in an earlier version of Word, requiring the user to enable macros in order to view it.

Activating macros by clicking the 'Enable Content' command runs the malicious VBA code. It starts the process of dropping a version of the Ursnif malware which, according to the researchers, was compiled only recently, on July 25. This indicates how recently this latest incarnation was developed.

Processes executed by malware

Once installed on a system, the malware runs multiple "iexplorer.exe" processes that appear and disappear repeatedly.

This is Ursnif creating the conditions it needs to connect to its command and control server.

In an effort to make the activity less suspicious, the list of hosts on the C&C server includes references to Microsoft and security companies.
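The appear-and-disappear process behaviour described above can be hunted for in endpoint process telemetry. The following is an added example, not code from the article or from the Fortinet analysis; the event tuple format, host names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process events (timestamp, host, action, pid, image); not from the report.
EVENTS = [
    ("2020-01-01T09:00:00", "WS-01", "start", 4100, "iexplorer.exe"),
    ("2020-01-01T09:00:03", "WS-01", "exit", 4100, "iexplorer.exe"),
    ("2020-01-01T09:00:10", "WS-01", "start", 4188, "iexplorer.exe"),
    ("2020-01-01T09:00:12", "WS-01", "exit", 4188, "iexplorer.exe"),
    ("2020-01-01T09:00:20", "WS-01", "start", 4230, "iexplorer.exe"),
    ("2020-01-01T09:00:24", "WS-01", "exit", 4230, "iexplorer.exe"),
    ("2020-01-01T09:00:40", "WS-01", "start", 4302, "iexplorer.exe"),
    ("2020-01-01T09:00:41", "WS-01", "exit", 4302, "iexplorer.exe"),
    ("2020-01-01T09:05:00", "WS-02", "start", 900, "iexplorer.exe"),
    ("2020-01-01T09:45:00", "WS-02", "exit", 900, "iexplorer.exe"),   # long-lived
    ("2020-01-01T09:06:00", "WS-02", "start", 950, "iexplorer.exe"),
    ("2020-01-01T09:06:02", "WS-02", "exit", 950, "iexplorer.exe"),   # single short one
]

def churn_by_host(events, image="iexplorer.exe", max_life=timedelta(seconds=10),
                  window=timedelta(minutes=2), threshold=3):
    """Flag hosts where `threshold`+ short-lived `image` instances start within `window`."""
    started, short = {}, defaultdict(list)
    for ts, host, action, pid, img in sorted(events, key=lambda e: e[0]):
        if img.lower() != image:
            continue
        when = datetime.fromisoformat(ts)
        if action == "start":
            started[(host, pid)] = when      # track the live instance for this PID
        elif action == "exit" and (host, pid) in started:
            born = started.pop((host, pid))
            if when - born <= max_life:      # appeared and disappeared quickly
                short[host].append(born)
    flagged = {}
    for host, births in short.items():
        births.sort()
        lo = best = 0
        for hi, t in enumerate(births):
            while t - births[lo] > window:   # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[host] = best             # largest burst seen on this host
    return flagged

if __name__ == "__main__":
    print(churn_by_host(EVENTS))
```

The image name is taken as the article writes it; adapt the tuple layout to whatever process-creation and process-exit records your EDR or logging pipeline emits.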

The researchers warn that the campaign is still active and have provided a review of the Indicators of Compromise in the malware analysis.

The attack techniques deployed in this latest Ursnif campaign may seem basic, but even simple phishing email attacks can still provide hackers with a means of breaking into networks or deploying malware.
