Ursnif banking Trojan targets Australia with new evasive macros

On 19 September, the TA530 group sent personalised emails utilising company names, personal names, titles and more to deliver malicious Word documents.

Researchers at Proofpoint observed that the document lures employ a generic yet common way to convince the user to enable macros with the message, “This document is protected against unauthorised use. Enable Editing and Enable Content to read content.”

In this campaign, the Trojan dubbed Ursnif ID “30030” targets Australian banking sites with its injects.

The campaign includes new evasive macros and demonstrates continued evolution in the group's tools and techniques, showing how the attacker adapts to evolving defences and the widespread use of sandboxes.

Several additions to these sandbox-evasion checks were detected on 19 September. With the checks, the macro:

1. Checks whether the filename contains only hexadecimal characters before the extension. If it does, the macro doesn't proceed to infect the victim.

2. Ensures there are at least 50 running processes with a graphical interface, using the Application.Tasks.Count Microsoft Word property.

3. Performs a case-insensitive check against a blacklist of processes that could be on the host system, using the Application.Tasks Microsoft Word property.

4. Expands the list of strings it checks using MaxMind to make sure it is being run in the correct region (in this case, Australia) and network.
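
A defender-side triage sketch for the four checks above, added here as an example and not taken from Proofpoint's analysis or the campaign's macro. It flags sample filenames that would trip the hex-only check (common when samples are stored under their hash) and scans already-extracted macro source for the Word properties and MaxMind reference the list names; the regexes, function names, replacement filename and sample fragment are assumptions constructed for illustration.

```python
import re
from pathlib import PurePath

# Patterns for checks 2-4 in the list above. How the references appear in
# real macro source is an assumption of this example.
INDICATORS = {
    "gui_task_count": re.compile(r"Application\.Tasks\.Count", re.I),
    "task_enumeration": re.compile(r"\bIn\s+Application\.Tasks\b", re.I),
    "geoip_lookup": re.compile(r"maxmind", re.I),
}
HEX_STEM = re.compile(r"[0-9a-fA-F]+")


def hex_only_stem(filename):
    """Check 1: True if the name before the extension is purely hexadecimal."""
    return bool(HEX_STEM.fullmatch(PurePath(filename).stem))


def detonation_name(filename, replacement="Invoice_Sept"):
    """Give a hash-named sample a neutral name (hypothetical default) for analysis."""
    if not hex_only_stem(filename):
        return filename
    return replacement + PurePath(filename).suffix


def triage_macro(source):
    """Map indicator name to the 1-based source lines where it appears."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):  # ignore VBA comment lines
            continue
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


# Constructed fragment for the demo, not the campaign's macro.
SAMPLE = """\
' constructed fragment
n = Application.Tasks.Count
For Each t In Application.Tasks
    s = LCase(t.Name)
Next
r = "maxmind lookup placeholder"
"""

if __name__ == "__main__":
    print(hex_only_stem("e3b0c44298fc1c14.doc"), detonation_name("e3b0c44298fc1c14.doc"))
    print(triage_macro(SAMPLE))
```

A document whose macro hits several of these indicators together is worth re-running under a non-hex filename before a clean sandbox verdict is trusted.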

“Over the last few years, malware sandboxes have become a more common component of the defences that organisations and enterprises deploy to protect their users and their data. As the examples from this analysis demonstrate, threat actors are concentrating their research and innovation of malware sandbox evasion in an effort to remain ahead of their victims' defences,” Proofpoint's blog states.