June 3, 2020 By David Bisson 2 min read

Security researchers discovered a new Ursnif malware delivery campaign leveraging Excel 4.0 macro functionality.

In an analysis of one Ursnif delivery campaign dating back to January, Morphisec discovered that many of the malicious files leveraged .xlsm as their extension. They also had “3” as their detection score, a rating that is too low to have static heuristic-based approaches label the files as suspicious. That caused many detection-based solutions to miss the files.

Once opened, the files leveraged text to ask that users enable editing and content. This technique helped the files to evade OCR heuristic detection methods more effectively than if the files had used an image to issue the same request.

Enabling the content activated a defining ability of Excel 4.0: the use of macro worksheets to deploy XLM macros. In this case, the heavily obfuscated sheet was hidden and leveraged several “RUN” commands before ending with some “CALL” and “EXEC” instructions. Those instructions ordered the Excel 4.0 macros to download Ursnif/Gozi via the Win32 API function.

Other Attacks Involving Ursnif

Security researchers have detected several other Ursnif campaigns over the past year. Back in August 2019, for instance, Fortinet spotted a new campaign that used Microsoft Word documents to spread a new variant of the malware.

In January 2020, the SANS Internet Storm Center picked up on a malspam campaign that preyed on German users with password-protected ZIP archives carrying the threat. Most recently in April 2020, Zscaler observed an attack campaign that embraced mshta instead of PowerShell for its second-stage payload before ultimately delivering Gozi.

Defend Against Malicious Macros

Security professionals can help defend against malicious macros by implementing logging and reviewing logs for suspicious activity that could be indicative of a malware infection. Companies should also invest in ongoing security awareness training so that employees will be less inclined to open email attachments carrying malicious macros.

More from

ISC2 Cybersecurity Workforce Study: Shortage of AI skilled workers

4 min read - AI has made an impact everywhere else across the tech world, so it should surprise no one that the 2024 ISC2 Cybersecurity Workforce Study saw artificial intelligence (AI) jump into the top five list of security skills.It’s not just the need for workers with security-related AI skills. The Workforce Study also takes a deep dive into how the 16,000 respondents think AI will impact cybersecurity and job roles overall, from changing skills approaches to creating generative AI (gen AI) strategies.Budgets…

Why do software vendors have such deep access into customer systems?

4 min read - To the naked eye, organizations are independent entities trying to make their individual mark on the world. But that was never the reality. Companies rely on other businesses to stay up and running. A grocery store needs its food suppliers; a tech company relies on the business making semiconductors and hardware. No one can go it alone.Today, the software supply chain interconnects companies across a wide range of industries. Software applications and operating systems depend on segments of the software…

How CTEM is providing better cybersecurity resilience for organizations

4 min read - Organizations today continuously face a number of fast-moving cyber threats that regularly challenge the effectiveness of their cybersecurity defenses. However, to keep pace, businesses need a proactive and adaptive approach to their security planning and execution.Cyber threat exposure management (CTEM) is an effective way to achieve this goal. It provides organizations with a reliable framework for identifying, assessing and mitigating new cyber risks as they materialize.The importance of developing cybersecurity resilienceRegardless of the industry, all organizations are subject to certain…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today