SPAM Campaign Underway that uses Encrypted Word Docs to Install Ursnif

  • This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Solarquest

Moderator
Staff member
AV-Tester
Jul 22, 2014
1,925
15,552
#1
A large SPAM campaign is underway where victims receive an email that pretends to be a requested invoice and contains a password for a password protected encrypted Word document attachment. These password protected word documents contain embedded VBScript files that will download and install the Ursnif keylogger.

When Word documents are password protected, they also become encrypted. Malware distributors are hoping that by sending these encrypted Word documents they will be harder to detect by security software. You can see an example of one of the malicious SPAM emails that was provided to me by Zenexer.



....


Once started, Ursnif will record your keystrokes, programs you open, files you create, and data you copy into the Windows clipboard and save them into logfiles in the %Temp% folder. These log files will have random file names that end with the .bin extension. For example, a log file could be called ja71.bin. These files are actually archives that can be extracted to see the data that will be sent to a TOR server under the malware developers control.