Early waves of the attack were observed on August 16 and were seen to use FTP links as shown below:
Upon clicking the link, it will download a VBS or a JS file, which is the actual downloader of the URSNIF malware. Should the user click on the malicious link and download the file, the user's machine will be infected once it's executed.
The files were found to be obfuscated:
JS file that downloads URSNIF is detected by Trend Micro as JS_DLOADR.AUSUKC. VBS file that downloads URSNIF is detected by Trend Micro as VBS_DLOADR.YYSXQ.
The payload, the downloaded malware file, is detected by Trend Micro as TSPY_URSNIF.TIBAIDT.
Trend Micro users are protected from this particular email threat. We advise users to be wary of their emails and to not open attachments or links in unsolicited emails. Email best practices will help users avoid being infected with malware such as URSNIF.