This article is more than 1 year old

Q. What connects the global financial crisis, Ursnif malware, and Coldplay's Viva la Vida?

A. Bad things from 2008 we can't seem to shake

A piece of banking malware that first debuted more than a decade ago is once again wreaking havoc.

Known as Ursnif, the malware has been spotted in the wild by Cisco's Talos security team, and is currently spreading in the wild via poisoned Word documents.

The Talos bug-hunters say the Ursnif infection has been active for months, infecting machines and then quietly logging activity and keystrokes in hope of catching users entering their banking credentials or other sensitive financial information.


Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim


"The alert piqued our curiosity, so we began to dig a bit deeper and provide some recent IoCs related to this threat, which traditionally attempts to steal users' banking login credentials and other login information," Talos said in its summary of the finding.

"Talos has covered Ursnif in the past, as it is one of the most popular malware that attackers have deployed recently."

This is the latest in a game of cat-and-mouse researchers have had with Ursnif criminals spanning back more than eleven years. When it was first reported at the tail end of 2007, Ursnif was classified as a variation of Gozi, a family of banking malware developed for use by Russian cybercrime groups. At that time, Ursnif was being spread via poisoned PDF files.

More than a decade later, Ursnif is back as a favored tool of financial cybercrime groups. The delivery method has remained largely the same too. The creators of this current build are embedding the attack code into a VBA macro command of a Word document and the recipient is instructed to enable macros to view the image if the function isn't already turned on. Once they do it's pwnage time!.

The macro is mostly full of junk mathematical functions intended to hide the real payload, but includes the following code which creates a PowerShell command using the AlternativeText property of the Shapes object "j6h1cf.".

Interaction@.Shell RTrim(LTrim(Shapes("j6h1cf").AlternativeText)), 84 * 2 + -168

Once executed the PowerShell command contacts a command and control server and downloads Ursnif into the AppData directory. But it doesn't run immediately - that would be too obvious - but uses a series of generated PowerShell commands to unpack the malware, create a malicious DLL, allocate memory for it to function and then fire up the full malware application itself.

The latest iterations of the malware also opts for HTTPS connections to its command and control servers, does much of the dirty work of collecting the data in TEMP files and transmits the harvested keystrokes and data as archived .cab format files.

These tactics all make Ursnif tough to spot for most security tools. As ever, disable macros as a standard and only enable them on a case-by-case basis once you are sure of the document's provenance. ®

More about


Send us news

Other stories you might like