URSNIF malware now delivered by hackers replying to existing email conversations
- The new spam campaign uses sophisticated methods to compromise targets by replying to legitimate email conversations.
- These malicious emails deliver attachments containing first-stage droppers that later download the URSNIF trojan.
A new phishing campaign has been discovered that uses hijacked email accounts to send malware inserted within email responses that are part of ongoing conversations. Victims can rarely spot this sophisticated technique, as the malicious emails containing the URSNIF trojan are sent as part of an existing conversation to the targeted email account. So far, these attacks have been primarily targeting North America, Europe, Asia, and Latin America.
The spam campaign was discovered in September 2018. The spam emails dropped the URSNIF malware payload, which is designed to steal a wide range of data from compromised machines.
“Organizations in the education, financial, and energy sector make up most of the targets of the scam. However, the attack also affects other industries, including real estate, transportation, manufacturing, and government,” security researchers at Trend Micro, who discovered the campaign, said in a report.
The cybercriminals behind the campaign pose as the sender of an email that is already part of an existing conversation thread. This is designed to trick users into clicking on the emails and even responding.
However, closely re-examining the malicious email could reveal that the language of the text changed from French to English. The signature used in the emails sent by the attackers is also different. These details are difficult to spot at first glance for a user who checks a large number of emails per day, Trend Micro researchers said.
According to security researchers, these attacks were similar to an earlier URSNIF/GOZI spam campaign discovered by Talos that used hijacked computers which were a part of the Dark Cloud botnet to send emails to existing conversations. Researchers suspect that the recent attacks could possibly be a continuation or evolution of the previous attacks.
URSNIF trojan capabilities
The malicious email contains a .doc attachment which, when downloaded and opened, executes a PowerShell dropper script that downloads the URSNIF payload. The dropper script also checks if the operating system is running Microsoft Vista or a newer version and if the system language is set to Chinese or Russian. If any of these conditions are discovered, the dropper exits without executing.
However, once the targeted computer is infected, the URSNIF malware starts collecting information such as applications, driver information, processor data, network devices and IP addresses. Moreover, other sensitive information such as email credentials, browser cookies, certificates, financial information, and video screen captures is also stolen and transferred to the attacker.
The threat actors behind the attack do not appear to be picking selective targets. Instead, they are directing spam emails at victims from various sectors, including education, finance, real estate, manufacturing, transportation, and even government organizations. Security researchers recommend that users pay closer attention when opening email attachments, even if the email is from a known sender. Users are also advised to watch out for any red flags in email content, like language and signature changes.
“As phishing attacks become more sophisticated, it might be difficult for in-house IT and security teams to monitor both the network and individual endpoints for signs of attack. While employee awareness can definitely help, sometimes identifying whether an email is legitimate or malicious can be difficult, especially when presented with highly convincing attempts such as this one,” Trend Micro researchers said.
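The red flags described above (a language switch, a changed signature, and a .doc attachment in a reply from a sender already in the thread) can be checked mechanically. The following is an added example, not code from Trend Micro or from the original article; the sender address, message text, stopword lists and the assumption that signatures follow a "-- " delimiter line are all constructed for illustration.

```python
import re
from email.message import EmailMessage

# Crude stopword lists (assumption); a real deployment would use a language-ID library.
STOPWORDS = {
    "fr": {"le", "la", "les", "et", "est", "pour", "vous", "nous", "bonjour", "merci"},
    "en": {"the", "and", "is", "for", "you", "we", "please", "hello", "see", "attached"},
}
RISKY_EXT = (".doc",)  # attachment type named in the article

def guess_lang(text):
    words = re.findall(r"[a-zà-ÿ]+", text.lower())
    scores = {lang: sum(w in sw for w in words) for lang, sw in STOPWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None  # None = not enough evidence

def split_signature(msg):
    """Return (body, signature), splitting on the conventional '-- ' delimiter line."""
    text = msg.get_body(preferencelist=("plain",)).get_content()
    parts = re.split(r"^--[ \t]*$", text, maxsplit=1, flags=re.M)
    return parts[0].strip(), (parts[1].strip() if len(parts) > 1 else "")

def reply_red_flags(history, reply):
    """Compare a new reply with the same sender's last message in the thread."""
    prior = [m for m in history if m["From"] == reply["From"]]
    flags = []
    if prior:
        (p_body, p_sig), (r_body, r_sig) = split_signature(prior[-1]), split_signature(reply)
        p_lang, r_lang = guess_lang(p_body), guess_lang(r_body)
        if p_lang and r_lang and p_lang != r_lang:
            flags.append("language_change")
        if p_sig != r_sig:
            flags.append("signature_change")
    if any((a.get_filename() or "").lower().endswith(RISKY_EXT) for a in reply.iter_attachments()):
        flags.append("doc_attachment")
    return flags

def make_msg(body, attachment=None, sender="alice@example.com"):
    """Build a constructed sample message (not real campaign data)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "Re: Devis 2018"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application", subtype="msword", filename=attachment)
    return m

THREAD = [make_msg("Bonjour, merci pour le devis. Nous vous rappelons.\n-- \nAlice Martin\nComptabilité")]
SUSPECT = make_msg("Hello, please see the attached document.\n-- \nA. Martin", "request.doc")
BENIGN = make_msg("Bonjour, le devis est validé, merci.\n-- \nAlice Martin\nComptabilité")
print(reply_red_flags(THREAD, SUSPECT), reply_red_flags(THREAD, BENIGN))
```

Any single flag is weak on its own; the combination of all three on a reply inside an established thread is the pattern worth routing to an analyst.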