ursnif


Ursnif variant found using mouse movement for decryption and evasion

In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the ‘Range’ feature within its initial HTTP requests to avoid detection.

In July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body. As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.

However, these samples appear to exhibit new features, including anti-sandboxing checks that combine the current mouse position with file timestamps to decode the malware's internal data, and the ability to steal data from the Thunderbird email client.

LabTALK Episode 13: Kangaroos, Bicycles & Counting Down

Guest speaker Nicholas Griffin (Sr. Security Researcher) and Carl Leonard (Principal Security Analyst) discuss the malicious email campaign that drops Ursnif, the HTTPS Bicycle attack and look forward to the announcement of our new company name and identity.