Phishing: beware of this new version of Trojan malware

Trojan malware: beware of this new version of the Trojan malware that spreads through malicious Word documents.

Beware of this new version of Trojan Phishing malware

A new version of the Trojan Ursnif is being sent through malicious Word documents with the aim of stealing banking information and other credentials.

A new variant of Trojan malware, popular with cyber criminals, is spreading through malicious Word documents, with the aim of stealing bank details and other useful personal information.

The Ursnif Trojan malware targets Windows machines and has existed in one form or another since at least 2007, when its code first appeared in the banking Trojan Gozi.

Ursnif has become incredibly popular with cybercriminals in recent years because its source code was leaked online, allowing attackers to take advantage of it for free.

Trojan Malware Variants

Different variants of the Trojan malware have emerged since the code was leaked. Attackers take it and add their own custom features to steal bank details and other online account credentials.

Researchers from the cybersecurity company Fortinet identified a new version of Ursnif in the wild. It is spreading through phishing emails containing weaponized Word documents.

These infected lures are named in the format "info_[date].doc" and claim that the document was created in an earlier version of Word, requiring the user to enable macros to view it.

Enabling macros by clicking the 'Enable Content' button runs malicious VBA code. This begins the process of dropping a version of the Ursnif malware that, according to the researchers, was compiled only recently, on July 25. This indicates how recently this latest incarnation was developed.

Processes Executed by the Malware

Once installed on a system, the malware will run several “iexplorer.exe” processes that appear and disappear repeatedly.

This is Ursnif creating the conditions it needs to connect to its command and control (C&C) server.

In an effort to make the activity look less suspicious, the C&C server host list includes references to Microsoft and security companies.

The researchers warn that the campaign is still active and have provided a rundown of the Indicators of Compromise in their analysis of the malware.

The attack techniques deployed in this latest Ursnif campaign may seem basic, but even simple phishing email attacks can still give hackers a means of entering networks or deploying malware.
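The repeated appear-and-disappear pattern described above can be hunted for in process start/exit telemetry. The Python below is an added example, not code from Fortinet or the original article; the event format, host names, PIDs and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED = "iexplorer.exe"             # process name as given in the article
# Assumed thresholds (not from the article); tune them for your environment.
MAX_LIFETIME = timedelta(seconds=10)  # a run this short counts as "appear and disappear"
WINDOW = timedelta(minutes=5)
MIN_SHORT_RUNS = 3

# Constructed sample telemetry: timestamp host action pid image
SAMPLE_EVENTS = """\
2024-01-01T09:00:00 WS-01 start 4100 WINWORD.EXE
2024-01-01T09:00:20 WS-01 start 5200 iexplorer.exe
2024-01-01T09:00:23 WS-01 exit 5200 iexplorer.exe
2024-01-01T09:00:40 WS-01 start 5312 iexplorer.exe
2024-01-01T09:00:44 WS-01 exit 5312 iexplorer.exe
2024-01-01T09:01:05 WS-01 start 5388 iexplorer.exe
2024-01-01T09:01:07 WS-01 exit 5388 iexplorer.exe
2024-01-01T09:02:00 WS-02 start 6100 iexplorer.exe
2024-01-01T09:02:02 WS-02 exit 6100 iexplorer.exe
2024-01-01T10:30:00 WS-02 start 6200 iexplorer.exe
2024-01-01T11:45:00 WS-02 exit 6200 iexplorer.exe
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, host, action, pid, image = line.split()
        yield datetime.fromisoformat(ts), host, action, int(pid), image.lower()

def flag_hosts(text):
    """Hosts where WATCHED starts and exits quickly MIN_SHORT_RUNS times within WINDOW."""
    started = {}                     # (host, pid) -> start time
    short_runs = defaultdict(list)   # host -> start times of short-lived runs
    for ts, host, action, pid, image in sorted(parse(text), key=lambda e: e[0]):
        if image != WATCHED:
            continue
        if action == "start":
            started[(host, pid)] = ts
        elif action == "exit" and (host, pid) in started:
            begin = started.pop((host, pid))
            if ts - begin <= MAX_LIFETIME:
                short_runs[host].append(begin)
    flagged = []
    for host, times in sorted(short_runs.items()):
        times.sort()
        lo = 0                       # left edge of the sliding window
        for hi, t in enumerate(times):
            while t - times[lo] > WINDOW:
                lo += 1
            if hi - lo + 1 >= MIN_SHORT_RUNS:
                flagged.append(host)
                break
    return flagged
```

On the constructed sample, only WS-01 is flagged; WS-02 has one short run and one long-lived process, which stays under the threshold.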
