# Phishing Campaigns featuring Ursnif Trojan on the Rise

**mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/**

[McAfee Labs](https://www.mcafee.com/blogs/author/mcafee-labs/)
Jun 07, 2022

6 MIN READ

Authored by Jyothi Naveen and Kiran Raj


June 8, 2022


McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents
reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to
promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed
to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

## Threat Summary

The initial attack vector is a phishing email with a Microsoft Word document attachment.
Upon opening the document, VBA executes a malicious shellcode
Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

## Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and
macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe


-----

Figure 1- flowchart of infection chain

## Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling
them.

Figure 2- Image of what the user sees upon opening the document

## VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors..


-----

Figure 3- Oleid output

Figure 4- Olevba output

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

Figure 5- Obfuscated VBA macro
To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.


-----

Figure 6- De-obfuscated VBA macro (stage 1)

Figure 7- De-obfuscated VBA macro (stage 2)
An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables
names are stored in custom document properties in reverse. As shown in Figure-7, VBA function
“ActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents.

We can see the document properties in Figure-8


-----

Figure 8- Document properties

## Payload Download and Execution:

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the
shellcode from string to decimal/hex value and executes it. The shellcode is shown below.

Figure 9- Raw Company property

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE.

Figure 10- Code of

VirtualProtect Figure 11- Shellcode’s memory

and protection after calling VirtualProtect()
After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment
variable will be later used by the shellcode.


-----

Figure 12- Environment

variable set in Winword.exe space
The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies
a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked
when the mentioned time is elapsed.

Figure 13- SetTimer

function (Execution of shellCode)
The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with
rundll32.exe.

URL hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/

CMD rundll32 “C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll”,DllRegisterServer

Figure 14- Exports of Downloaded DLL


-----

After successful execution of the shellcode, the environment variable is removed.

Environment Variable

## IOC


Figure 15- Removal of


**TYPE** **VALUE** **PRODUCT** **DETECTION NAME**


Main Word
Document

Downloaded
dll

URL to
download
dll


6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f McAfee
LiveSafe
and Total
Protection

41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 McAfee
LiveSafe
and Total
Protection


X97M/Downloader.CJG

Ursnif-FULJ


hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/ WebAdvisor Blocked


## MITRE Attack Framework

**Technique ID** **Tactic** **Technique Details** **Description**

**T1566.001** Initial Access Spear phishing Attachment Manual execution by user

**T1059.005** Execution Visual Basic Malicious VBA macros

**T1218.011** Defense Evasion Signed binary abuse Rundll32.exe is used

**T1027** Defense Evasion Obfuscation techniques VBA and powershell base64 executions

**T1086** Execution Powershell execution PowerShell command abuse

## Conclusion

Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted
source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to
download its payloads.

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee
Web Advisor.

[McAfee Labs Threat Research Team](https://www.mcafee.com/blogs/author/mcafee-labs/)
McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts
below for more information.

### More from McAfee Labs

[Instagram credentials Stealers: Free Followers or Free Likes](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealers-free-followers-or-free-likes/%20)


-----

Authored by Dexter Shin Instagram has become a platform with over a billion monthly active users. Many...

Jun 10, 2022 |  6 MIN READ

[Instagram credentials Stealer: Disguised as Mod App](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealer-disguised-as-mod-app/%20)

Authored by Dexter Shin McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who...

Jun 10, 2022 |  4 MIN READ

[Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scammers-exploit-elon-musk-speaks-on-cryptocurrency/%20)

By Oliver Devane Update: In the past 24 hours (from time of publication) McAfee has identified 15...

May 25, 2022 |  4 MIN READ

[Scammers are Exploiting Ukraine Donations](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/%20)

Authored by Vallabh Chole and Oliver Devane Scammers are very quick at reacting to current events, so...

Apr 01, 2022 |  7 MIN READ

[Imposter Netflix Chrome Extension Dupes 100k Users](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/imposter-netflix-chrome-extension-dupes-100k-users/%20)

Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi McAfee has recently observed several malicious Chrome Extensions...

Mar 10, 2022 |  8 MIN READ


-----

Authored by Oliver Devane and Vallabh Chole  Notifications on Chrome and Edge, both desktop browsers, are commonplace,...

Feb 25, 2022 |  5 MIN READ

[Emotet’s Uncommon Approach of Masking IP Addresses](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotets-uncommon-approach-of-masking-ip-addresses/%20)

In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was...

Feb 04, 2022 |  4 MIN READ

[HANCITOR DOC drops via CLIPBOARD](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/%20)

Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,...

Dec 13, 2021 |  6 MIN READ

[‘Tis the Season for Scams](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tis-the-season-for-scams/%20)

‘Tis the Season for Scams

Nov 29, 2021 |  18 MIN READ

[The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/%20)

Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors...

Nov 10, 2021 |  4 MIN READ


-----

[Social Network Account Stealers Hidden in Android Gaming Hacking Tool](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/social-networks-account-stealer-hidden-in-android-gaming-hacking-tool/%20)

Authored by: Wenfeng Yu McAfee Mobile Research team recently discovered a new piece of malware that specifically...

Oct 19, 2021 |  6 MIN READ

[Malicious PowerPoint Documents on the Rise](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/%20)

Authored by Anuradha M McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available...

Sep 21, 2021 |  6 MIN READ


-----