SPAM Campaign Underway that uses Encrypted Word Docs to Install Ursnif

Discussion in 'News Archive' started by Solarquest, Apr 6, 2017.

  1. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    A large SPAM campaign is underway where victims receive an email that pretends to be a requested invoice and contains a password for a password protected encrypted Word document attachment. These password protected word documents contain embedded VBScript files that will download and install the Ursnif keylogger.

    When Word documents are password protected, they also become encrypted. Malware distributors are hoping that by sending these encrypted Word documents they will be harder to detect by security software. You can see an example of one of the malicious SPAM emails that was provided to me by Zenexer.


    Once started, Ursnif will record your keystrokes, programs you open, files you create, and data you copy into the Windows clipboard and save them into logfiles in the %Temp% folder. These log files will have random file names that end with the .bin extension. For example, a log file could be called ja71.bin. These files are actually archives that can be extracted to see the data that will be sent to a TOR server under the malware developers control.
Similar Threads Forum Date
New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway Security News Dec 22, 2017
New spam campaign distributes two ransomware variants Security News Sep 20, 2017
Hacking Alert Locky Ransomware Returns with Spam Campaign Pushing Diablo6 Variant Security News Aug 9, 2017