New post-tax spam campaign found delivering banking trojan Ursnif to North American victims

While spam campaigns are widespread during tax season, security researchers have discovered hackers are delivering the notorious banking trojan URSNIF to North American targets through a post-tax scam campaign. Although most of the spam email recipients were located in the United States and Canada, researchers found the malicious files were configured to be downloaded only by North American IP addresses.

This spam campaign did not use any attached malware or phishing links embedded in the malicious emails. Rather, they came with malicious URLs that download a .ZIP file with a downloader written in VBScript. The zip file contains two tax-related image files - one of which is a confidential tax information authorization form image (as seen below).

Image credit: TrendMicro

These spam emails contained a tax-themed subject header such as “Tax dues payment”, “Dues outstanding payment(s) disbursement” and “Levy dues disbursement.”

“The content of the message itself included notifications of a rise in taxes and reminders that the person must file for reimbursement before May 24, 2018,” researchers said. “The spam email also contains a URL that lures users to click the link to get more details. Some of the headers reference outstanding dues or payments, which might coincide with the timing of the post-tax season campaign.”

Meanwhile, the VB script packed inside is obfuscated by string manipulation methods including Split, Replace, XOR encryption and base64.

VBScript first checks the victim's computer for any antivirus products by examining default program data folders. If no AV is found, it uses cmd.exe to perform multiple malicious activities. If it does detect any AV-related directories on the host computer, it uses the Windows PowerShell command to download a file from the server, leverages the Microsoft Windows download tool bitsadmin to have the file hosted at a separate URL before it is downloaded. A mailslot is then used to decrypt the payload.

“The use of a mailslot is a misdirection method aimed at confusing security products and researchers,” they noted.

The VBScript uses windows powershell command to download the malicious .exe file from the server source [hxxp://visioninsurancestore[.]com/jhfj6ydhhd910/bcnx63dggsnd/mopw[.]png].

The packed URSNIF then injects its malicious payload into the victim’s browser to extract data when the victim connects to a targeted banking website. Researchers said the attackers seemed to be targeting banks primarily located in Canada.

“We can see that the malicious spam attacks are aimed at a very specific target: North American citizens, particularly Canadians, in the midst of filing their taxes,” researchers said. “In addition, everything from the creation of the images to the injection payload and even the security software evasion indicates that this campaign was not done haphazardly, but crafted by an attacker who knows his targets well and knows the right buttons to push to make them fall for classic social engineering techniques.”