Trojan malware steals contacts for targeted spear phishing attacks

A new Ursnif variant uses stored emails to send what appear to be legitimate messages and, once the payload is deployed, turns its victims into a delivery vehicle.
By Jessica Davis
10:46 AM
Share
Trojan malware attack

A surge of phishing emails was spotted in the wild, distributing one of the most widespread banking Trojans to a variety of industries -- including the healthcare sector.

Ursnif uses a company’s stored emails to send what appear to be legitimate emails, according to security firm Barkly. The hackers use compromised email accounts to reply to active email threads, which contain a Word doc attachment with a malicious macro that downloads the malware.

[Also: Alaska DHSS facing potential breach after two Trojan malware attacks]

The variant uses evasive anti-sandbox techniques and waits to launch the macro until the Word document is closed. And once the payload is executed, the victim’s computer becomes a delivery vehicle to spread within an organization, by sending the malicious email from their account to their contacts.

While Ursnif primarily targeted the financial industry in the past, it’s branched out to target other industries, according to a Barkly spokesperson. The company has blocked the virus for some of its healthcare customers.

[Also: New rotating Locky ransomware campaign can infect networks twice]

In some cases, the virus disguises malicious emails as replies to existing emails. The report found that one user received what appeared to be a response to emails they were exchanging with another organization. The malicious email address merely looked like a different contact from the same company, replying to previously sent messages.

The malware is a multipurpose Trojan that steals a wide range of private information from its victims, including banking and credit card credentials. The hackers use Ursnif to launch man-in-the-browser attacks, keylogging and screenshots to gain passwords and other private information.

Barkly researchers said that at the time of its report, the new Ursnif variant has a low detection rate by security products. In recent years, Ursnif has evolved to even bypass behavioral biometrics defenses. Further, the variant deletes copies of itself once executed, making it even more difficult to detect and analyze.

For healthcare SOC teams, it’s important to put an emphasis on blocking these types of attacks, before the payload takes hold.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com