Phishing Campaigns featuring Ursnif Trojan on the Rise

Authored by Jyothi Naveen and Kiran Raj


McAfee Labs have been observing a spike in phishing campaigns that abuse Microsoft Office macro capabilities. These malicious documents reach victims via mass spam e-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to open them promptly. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.


A recent spam campaign used malicious Word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various kinds of sensitive information. It typically archives this data and sends it back to a command-and-control server.


This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.


Threat Summary


The initial attack vector is a phishing email with a Microsoft Word document attachment.
Upon opening the document, VBA executes malicious shellcode.
The shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain


The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (the Ursnif payload). The Ursnif payload is then executed using rundll32.exe.
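The last step of that chain, Word spawning rundll32.exe to run a freshly downloaded DLL, is a good detection point. The following is an added example (not code from the original post) that applies that check to constructed Sysmon-style process-creation events; the process paths, user name and DLL names are assumed sample values.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\payload.dll,Load"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\Downloads\update.dll,Start"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# DLL locations a downloaded payload typically lands in: user profile, public, ProgramData.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Users\\Public\\|\\ProgramData\\", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding dict for a suspicious rundll32 launch, else None."""
    if _basename(event["Image"]) != "rundll32.exe":
        return None
    parent = _basename(event["ParentImage"])
    reasons = []
    if parent in OFFICE_APPS:
        reasons.append(f"rundll32 spawned by Office process {parent}")
    if USER_WRITABLE.search(event["CommandLine"]):
        reasons.append("rundll32 loading a DLL from a user-writable path")
    if not reasons:
        return None
    severity = "high" if parent in OFFICE_APPS else "medium"
    return {"severity": severity, "reasons": reasons, "cmdline": event["CommandLine"]}

def scan(events):
    """Run the check over a list of process-creation events."""
    return [f for f in (classify(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), "|", "; ".join(finding["reasons"]), "|", finding["cmdline"])
```

Legitimate rundll32 use from Explorer (event 2) produces no finding, while any rundll32 child of an Office process is rated high regardless of where the DLL lives.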


Figure 1 - Flowchart of the infection chain

Word Analysis


Macros are disabled by default. The malware authors are aware of this, so the document presents an image to entice victims into enabling them.


Figure 2 - What the user sees upon opening the document

VBA Macro Analysis of Word Document


Analyzing the sample statically with ‘oleid’ and ‘olevba’ flags the suspicious indicators.


Figure 3 - oleid output

Figure 4 - olevba output

The VBA Macro is ..
