Security researchers have discovered a new Ursnif malware delivery campaign that leverages Excel 4.0 macro functionality
In an analysis of one delivery campaign involving Ursnif malware (also known as Gozi) that dated back to January 2020, IT services provider Morphisec discovered that many of the malicious files used .xlsm as their extension. They also seemed to have “3” as their detection score, a rating too low to have static heuristic-based approaches flag the files as suspicious.
This caused many detection-based anti-malware products to miss the files. Once opened, these files leveraged text to ask that users enable editing and content capabilities. This technique helped the files evade OCR heuristic detection methods more easily than if the files used images to initiate the same request.
Enabling the content activated a defining capability of the widely used Excel 4.0: the use of macro worksheets to deploy XLM macros. In this particular case, the heavily obfuscated macro sheet was hidden and used “RUN” commands before ending with “CALL” and “EXEC” instructions. Those instructions initiated a process that allowed the Excel 4.0 macros to download Ursnif via a Win32 API function.
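The indicators named above (a hidden macro sheet, RUN/CALL/EXEC chains, string-building obfuscation) are exactly what a static triage step can score before a workbook ever reaches a user. The following is an added example written for this page, not code from Morphisec or from the article: it takes cell formulas that have already been extracted from a workbook (the extraction itself is out of scope here) and assigns weights to the indicators. The sample workbook, the indicator weights and the threshold are all constructed assumptions for illustration.

```python
"""Static heuristics for Excel 4.0 (XLM) macro sheets.

Added example: score indicators of a malicious XLM macro sheet given
formulas already extracted from a workbook. Weights, the threshold and
the sample workbook below are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Sheet:
    name: str
    is_macro_sheet: bool   # Excel 4.0 macro worksheet rather than a normal worksheet
    visibility: str        # "visible", "hidden" or "veryhidden"
    formulas: dict         # cell address -> formula text


@dataclass
class Verdict:
    score: int
    findings: list = field(default_factory=list)


# Indicator weights are assumptions chosen for this example.
DANGEROUS_CALLS = {"CALL": 4, "EXEC": 4, "RUN": 2, "REGISTER": 3}
_CALL_RE = re.compile(r"\b(CALL|EXEC|RUN|REGISTER)\s*\(", re.IGNORECASE)
_CHAR_RE = re.compile(r"\bCHAR\s*\(\s*\d+\s*\)", re.IGNORECASE)
_FORMULA_RE = re.compile(r"\bFORMULA(\.FILL)?\s*\(", re.IGNORECASE)


def analyze_workbook(sheets, defined_names=()):
    """Return a Verdict with a cumulative score and human-readable findings."""
    v = Verdict(score=0)
    names = {n.upper() for n in defined_names}
    if "AUTO_OPEN" in names or "AUTO_CLOSE" in names:
        v.score += 2
        v.findings.append("Auto_Open/Auto_Close defined name: code runs when the workbook opens")
    for s in sheets:
        if not s.is_macro_sheet:
            continue  # ordinary worksheets carry no XLM code
        if s.visibility != "visible":
            v.score += 3
            v.findings.append(f"{s.name}: macro sheet is {s.visibility}")
        char_calls = 0
        for cell, formula in s.formulas.items():
            for m in _CALL_RE.finditer(formula):
                fn = m.group(1).upper()
                v.score += DANGEROUS_CALLS[fn]
                v.findings.append(f"{s.name}!{cell}: {fn}()")
            char_calls += len(_CHAR_RE.findall(formula))
            if _FORMULA_RE.search(formula):
                v.score += 2
                v.findings.append(f"{s.name}!{cell}: FORMULA() writes code at run time")
        if char_calls >= 5:
            v.score += 3
            v.findings.append(f"{s.name}: {char_calls} CHAR() calls, likely string obfuscation")
    return v


def classify(verdict, threshold=8):
    """Threshold is an assumption; tune it against your own benign corpus."""
    return "suspicious" if verdict.score >= threshold else "benign"


# Constructed sample: one ordinary sheet and one very-hidden macro sheet whose
# formulas follow the RUN -> FORMULA/CHAR -> CALL -> EXEC pattern. DLL, function
# and command arguments are placeholders, not real values.
SAMPLE_SHEETS = [
    Sheet("Sheet1", False, "visible", {"A1": "=SUM(B1:B9)"}),
    Sheet("Macro1", True, "veryhidden", {
        "A1": "=RUN(A3)",
        "A3": "=FORMULA(CHAR(67)&CHAR(65)&CHAR(76)&CHAR(76)&CHAR(40),B1)",
        "B2": '=CALL("<dll placeholder>","<function placeholder>","JJ",0,0)',
        "B3": '=EXEC("<command placeholder>")',
        "B4": "=HALT()",
    }),
]


def scan_sample():
    """Run the heuristics over the constructed workbook (Auto_Open is defined)."""
    return analyze_workbook(SAMPLE_SHEETS, defined_names=["Auto_Open"])


if __name__ == "__main__":
    verdict = scan_sample()
    print(classify(verdict), verdict.score)
    for finding in verdict.findings:
        print(" -", finding)
```

Scores of this kind are a triage aid rather than a verdict: a very-hidden macro sheet alone is worth investigating, while a single RUN() in a visible sheet is common in legitimate legacy workbooks, which is why the weights differ.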
Other Attacks Involving Ursnif
Security researchers have detected several Ursnif campaigns over the past year. For instance, in August 2019, threat researchers at Fortinet spotted a campaign that used Microsoft Word documents to spread a different variant of the malware.
In early 2020, the SANS Internet Storm Center discovered a malspam campaign that targeted German users with password-protected ZIP archives delivering the payload. More recently, in April 2020, corporate network security provider Zscaler observed a campaign that used mshta, as opposed to PowerShell, for its second-stage payload before ultimately delivering the Gozi trojan.
How to Defend Against Malicious Macros
IT pros can help defend against malicious macros by implementing logging and reviewing logs for suspicious activity that could indicate a malware infection. Companies would also be wise to invest in continuous security training so that employees will be less likely to open email attachments that carry malicious macros.
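Reviewing logs for macro activity is most productive when the review is specific: the chains described in this article end with an Office application spawning a script host such as mshta or PowerShell, which is unusual for ordinary spreadsheet work. The following is an added example, not code from the article or from any of the vendors it cites: a small detection run over constructed process-creation events. The field layout is a simplified assumption loosely modelled on a Sysmon process-creation export, and the hosts, paths and command lines are constructed placeholders.

```python
"""Triage process-creation logs for Office applications spawning script hosts.

Added example: flag Excel/Word spawning an interpreter (mshta, PowerShell, cmd,
rundll32, ...) and, as a follow-on rule, a flagged interpreter on the same host
spawning another one. The CSV layout and every record below are constructed.
"""
import csv
import io
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed sample export (assumed columns): UtcTime,Host,ParentImage,Image,CommandLine
SAMPLE_LOG = r"""UtcTime,Host,ParentImage,Image,CommandLine
2020-06-01 09:12:03,WS01,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\mshta.exe,mshta.exe C:\Users\jdoe\AppData\Local\Temp\stage2.hta
2020-06-01 09:12:05,WS01,C:\Windows\System32\mshta.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -enc <placeholder>
2020-06-01 09:15:44,WS02,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,EXCEL.EXE C:\Users\asmith\Documents\budget.xlsx
2020-06-01 09:20:10,WS02,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\cmd.exe,"cmd.exe /c rundll32.exe C:\Users\asmith\AppData\Roaming\x.dll,Start"
2020-06-01 09:30:00,WS03,C:\Windows\System32\svchost.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File C:\scripts\inventory.ps1
"""


def basename(path):
    """Case-insensitive file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def triage(log_text):
    """Return a list of alert dicts for suspicious Office -> script-host chains."""
    alerts = []
    # (host, image) pairs of script hosts already flagged; a later event whose
    # parent is one of these is treated as a possible second stage. Without
    # process GUIDs this is an approximation keyed on host and image name.
    flagged = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = basename(row["ParentImage"])
        child = basename(row["Image"])
        rule = None
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            rule = "office_spawns_script_host"
        elif (row["Host"], parent) in flagged and child in SCRIPT_HOSTS:
            rule = "second_stage_from_flagged_host"
        if rule:
            alerts.append({
                "time": row["UtcTime"], "host": row["Host"], "rule": rule,
                "parent": parent, "child": child, "cmdline": row["CommandLine"],
            })
            flagged.add((row["Host"], child))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a['time']} {a['host']} {a['rule']}: {a['parent']} -> {a['child']} | {a['cmdline']}")
```

Explorer launching Excel and a service account running a scheduled PowerShell script are left alone on purpose; the rule keys on the parent-child relationship rather than on the presence of an interpreter, which keeps the alert volume low enough for the review that the article recommends to actually happen.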