Ursnif Phishing Campaigns
Qualys has published an analysis of the Ursnif banking malware. This information stealer, which can harvest credentials, log keystrokes, and download additional payloads, has been a prevalent threat since 2020. Ursnif is distributed mainly through phishing emails targeting verticals such as banking, financial services, and government agencies. In the latest wave of phishing campaigns, attackers leverage current events and impersonate government authorities to lure victims. The malicious attachment is either an Excel document or a zip archive; the infection chains for the two differ slightly, but the end result is the same. In the Excel scenario, a binary is downloaded when the Excel macro executes, and that binary spoofs its parent PID so that it appears to be a child of explorer.exe, a defense-evasion technique. In the zip scenario, the archive contains an HTA file that, when opened, launches PowerShell to download a DLL, which is then executed with rundll32.
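The two delivery chains above map onto a handful of process-creation detections. The script below is an added example, not code from the Qualys analysis, and it runs over constructed telemetry in a hypothetical simplified schema (fields pid, ppid, image, parent_image, cmdline and an optional creator_pid that records which process actually issued the create call, as some sensors do). It shows why a plain "Office spawned an executable" rule misses the PPID-spoofed binary, and which signals still catch it: a creator-versus-parent mismatch where the sensor records it, a payload path under the user's Temp directory, and the mshta -> powershell -> rundll32 ancestry for the HTA path. All process names, PIDs and paths in the sample events are made up for the example.

```python
"""Detection walk-through for the Ursnif delivery chains (added example).

The events are CONSTRUCTED process-creation records in a hypothetical schema,
not Sysmon or any particular EDR format. 'creator_pid' is an assumed field: the
PID of the process that really called CreateProcess, which some sensors log and
which differs from 'ppid' when the parent PID has been spoofed.
"""
import json
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"  # matched case-insensitively below

# Constructed sample telemetry, one JSON object per line (not real sensor data).
RAW_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Office\\outlook.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "outlook.exe"}
{"pid": 300, "ppid": 200, "image": "C:\\Program Files\\Office\\excel.exe", "parent_image": "C:\\Program Files\\Office\\outlook.exe", "cmdline": "EXCEL.EXE \"C:\\Users\\alice\\Downloads\\Notice.xls\""}
{"pid": 400, "ppid": 100, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "upd.exe", "creator_pid": 300}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe C:\\Users\\alice\\Downloads\\Notice.hta"}
{"pid": 600, "ppid": 500, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "powershell.exe <script elided>"}
{"pid": 700, "ppid": 600, "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\lib.dll,EntryPoint"}
{"pid": 800, "ppid": 100, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"}
"""


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def load_events(raw):
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def ancestry(by_pid, pid):
    """Image basenames from the process up through its *recorded* parents.

    Note this follows ppid, so a spoofed parent hides the real creator here;
    that is exactly why the creator_pid rule below exists.
    """
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(basename(ev["image"]))
        ev = by_pid.get(ev["ppid"])
    return chain


def detect(events):
    """Return (rule_name, pid) tuples for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, parent = basename(e["image"]), basename(e["parent_image"])
        cmd = e.get("cmdline", "").lower()

        # Naive macro rule: an Office app directly spawning a child.
        # The spoofed binary (pid 400) is NOT caught by this one.
        if parent in OFFICE_APPS:
            hits.append(("office-child-process", e["pid"]))

        # PPID spoofing: the recorded parent is not the process that created it.
        if "creator_pid" in e and e["creator_pid"] != e["ppid"]:
            hits.append(("ppid-spoofing", e["pid"]))

        # Executable or loaded module living in the user's Temp directory.
        if TEMP_MARKER in e["image"].lower() or TEMP_MARKER in cmd:
            hits.append(("user-temp-path", e["pid"]))

        # HTA (or other script host) handing off to PowerShell.
        if img == "powershell.exe" and parent in SCRIPT_HOSTS:
            hits.append(("script-host-to-powershell", e["pid"]))

        # Full zip-scenario chain: rundll32 <- powershell <- mshta.
        chain = ancestry(by_pid, e["pid"])
        if (img == "rundll32.exe" and len(chain) >= 3
                and chain[1] == "powershell.exe" and chain[2] in SCRIPT_HOSTS):
            hits.append(("hta-powershell-rundll32-chain", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(load_events(RAW_EVENTS)):
        print(f"{rule:32s} pid={pid}")
```

Running the block flags pid 400 only through the creator mismatch and the Temp path, never through the Office parent rule, which is the practical lesson of the PPID-spoofing step: if your sensor does not record the real creator, you have to lean on file-path, signature or network signals rather than parent-child lineage for the Excel scenario. The zip scenario, by contrast, leaves an honest ancestry and is caught by the script-host and rundll32 chain rules.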