Security researchers discovered a new Ursnif malware delivery campaign leveraging Excel 4.0 macro functionality.

In an analysis of one Ursnif delivery campaign dating back to January, Morphisec discovered that many of the malicious files leveraged .xlsm as their extension. They also had “3” as their detection score, a rating that is too low to have static heuristic-based approaches label the files as suspicious. That caused many detection-based solutions to miss the files.

Once opened, the files leveraged text to ask that users enable editing and content. This technique helped the files to evade OCR heuristic detection methods more effectively than if the files had used an image to issue the same request.

Enabling the content activated a defining ability of Excel 4.0: the use of macro worksheets to deploy XLM macros. In this case, the heavily obfuscated sheet was hidden and leveraged several “RUN” commands before ending with some “CALL” and “EXEC” instructions. Those instructions ordered the Excel 4.0 macros to download Ursnif/Gozi via the Win32 API function.

Other Attacks Involving Ursnif

Security researchers have detected several other Ursnif campaigns over the past year. Back in August 2019, for instance, Fortinet spotted a new campaign that used Microsoft Word documents to spread a new variant of the malware.

In January 2020, the SANS Internet Storm Center picked up on a malspam campaign that preyed on German users with password-protected ZIP archives carrying the threat. Most recently in April 2020, Zscaler observed an attack campaign that embraced mshta instead of PowerShell for its second-stage payload before ultimately delivering Gozi.

Defend Against Malicious Macros

Security professionals can help defend against malicious macros by implementing logging and reviewing logs for suspicious activity that could be indicative of a malware infection. Companies should also invest in ongoing security awareness training so that employees will be less inclined to open email attachments carrying malicious macros.

More from

Cloud Workload Protection Platforms: An Essential Shield

2 min read - Businesses of all sizes increasingly rely on cloud computing to power their operations. This shift has brought with it a new set of security challenges. To protect their workloads in the cloud, many of these businesses are deploying a critical tool for cloud security: cloud workload protection platforms (CWPPs).What are Cloud Workload Protection Platforms?CWPPs are comprehensive security solutions designed specifically for cloud-based environments. They provide advanced protection and threat detection capabilities to safeguard cloud workloads and guarantee the confidentiality, integrity…

2 min read

Is Open-Source Security a Ticking Cyber Time Bomb?

4 min read - Software depends on layers of code, and much of that code comes from open-source libraries. According to an Octoverse 2022 report, open-source code is used in 97% of applications. Not only do developers embrace open source, but so do nine in 10 companies. “Open-source software is the foundation of 99% of the world’s software,” Martin Woodward, VP of developer relations at GitHub, told VentureBeat.As the foundation of just about every piece of software, every application or device runs on code that…

4 min read

Threat Sharing Evolution: How Groups Offer Less Risk and Better Intelligence to Members

16 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. In 2019, the World Economic Forum advocated for increased threat intelligence sharing by arguing that cybersecurity is a “public good.” Meaning, if organizations — both public and private — share threat information across groups, everyone has a clearer picture of the threat landscape and with it, the ability to better defend against increasingly aggressive and sophisticated threat actors. In response, multiple threat-sharing groups have sprung to life,…

16 min read

How to Manage Cyber Risk During Mergers and Acquisitions

4 min read - By attracting attention from threat actors, merger and acquisition (M&A) events are a significant source of cyber crime risk. So much so that, according to a 2020 IBM Institute of Business Value study, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.Security ratings, provided by security rating services (SRS), can deliver an overview of risk to stakeholders. But attack surface management (ASM) tools give security teams actionable insight on…

4 min read