Malware uses Tor to exfiltrate data to its C&C server

Oct 9, 2018 16:29 GMT  ·  By

A new phishing campaign uses an innovative technique to deceive its victims: it injects malicious e-mails into existing e-mail threads to compromise targets. 

As reported by Trend Micro's Cyber Safety Solutions Team, the spam campaign they discovered during September 2018 uses more complex methods to infect its target and to avoid detection.

Moreover, the phishing campaign will use hijacked e-mail accounts to send a malware payload camouflaged as a part of an ongoing e-mail conversation thread.

This allows the bad actors to hide in plain sight and take advantage of their victims' momentary lapse of attention to drop a URSNIF malware payload designed to steal a wide range of data from the compromised machines.

Cisco Talos Intelligence Group reported earlier about another malvertising campaign which used the Gozi ISFB banking trojan as the malware payload in e-mails sent from machines that were part of the Dark Cloud botnet and made to look like part of existing e-mail threads for some extra stealthiness.

The campaign discovered by Trend Micro seems to be focusing on North American and European targets, but the researchers also found instances when Asian and South American systems were attacked.

This new malvertising campaign delivers the URSNIF trojan capable of stealing credentials and banking information

Furthermore, the actors behind this new and inventive URSNIF phishing campaign don't seem to be very picky, as they direct their spam e-mails at victims from any industry, from education, finance, and real estate to manufacturing, transportation, and even governments.

The infection process is pretty straightforward, apart from the e-mails being camouflaged as parts of previous conversations: the malicious e-mails contain a .doc attachment which runs a PowerShell dropper script to download the URSNIF payload.

Before downloading the malware to the compromised computer, the dropper script will also check whether the operating system is Microsoft Windows Vista or newer and whether the system language is set to Chinese or Russian. If any of those conditions are true, the dropper will not execute.

Once the victim's computer is infected, the URSNIF malware will start collecting and exfiltrating data which ranges from system information (applications, drivers, processes, network devices, IP addresses) to more sensitive data such as e-mail credentials, browser cookies, certificates, and financial information, and, to top it all off, video screen captures.

As mitigation measures, Trend Micro recommends paying attention when opening any e-mail attachment even if it comes from someone you know, never agreeing to prompts asking to change the security settings on your computer, and watching out for any red flags in the e-mails' content, such as changes in language and signatures.
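The red flags above can be checked mechanically at the mail gateway or in a triage script: a message that is a reply inside an existing thread (In-Reply-To or References header present), carries a Word attachment, and whose signature block no longer matches what that correspondent normally sends is exactly the pattern this campaign relies on. The following Python example is added here for illustration and is not Trend Micro's tooling or anything from the article; the two sample messages, the correspondent address and the "known signature" table are constructed, and the last-three-lines signature heuristic is an assumption that a real deployment would replace with per-sender baselines.

```python
"""Triage heuristics for reply-chain phishing (added example, not from the article).

Flags a reply inside an existing thread that carries a Word attachment or whose
signature block differs from the correspondent's known signature. Sample
messages and the known-signature table below are constructed for the demo.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# The campaign delivered its PowerShell dropper as a .doc; .docm is added as an
# assumption covering the macro-enabled variant.
SUSPICIOUS_EXTENSIONS = (".doc", ".docm")

# Constructed baseline: what each correspondent's signature normally looks like.
KNOWN_SIGNATURES = {
    "alice@example.com": "Best,\nAlice Smith\nExample Corp",
}


def extract_signature(body: str, lines: int = 3) -> str:
    """Crude signature cut: the last `lines` non-empty lines, normalised."""
    stripped = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return "\n".join(stripped[-lines:]).lower()


def triage(raw_message: bytes, known_signatures: dict) -> dict:
    """Return the red flags found and whether the message looks like thread hijacking."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flags = []

    # A reply into an existing conversation is context, not a red flag by itself.
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    if in_thread:
        flags.append("reply-in-existing-thread")

    # Word attachments are how the dropper arrived in this campaign.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SUSPICIOUS_EXTENSIONS):
            flags.append(f"word-attachment:{name}")

    # Compare the signature block with the baseline for this sender, if we have one.
    addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    known = known_signatures.get(addr)
    if known is not None and extract_signature(body) != extract_signature(known):
        flags.append("signature-changed")

    red_flags = [f for f in flags if f != "reply-in-existing-thread"]
    return {"flags": flags, "suspicious": in_thread and bool(red_flags)}


def build_sample_malicious() -> bytes:
    """Constructed reply that mimics the campaign: in-thread, .doc attached, odd signature."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re: Q3 invoice"
    msg["In-Reply-To"] = "<orig-1@example.com>"
    msg.set_content("Hi Bob,\n\nPlease review attached.\n\nRegards\nA.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 placeholder bytes, not a real document",
                       maintype="application", subtype="msword",
                       filename="invoice.doc")
    return bytes(msg)


def build_sample_legit() -> bytes:
    """Constructed genuine reply from the same correspondent."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re: Q3 invoice"
    msg["In-Reply-To"] = "<orig-1@example.com>"
    msg.set_content("Hi Bob,\n\nInvoice approved.\n\nBest,\nAlice Smith\nExample Corp")
    return bytes(msg)


if __name__ == "__main__":
    for label, builder in (("malicious", build_sample_malicious),
                           ("legitimate", build_sample_legit)):
        print(label, triage(builder(), KNOWN_SIGNATURES))
```

The verdict deliberately requires the thread context plus at least one real red flag: a Word attachment in a fresh message, or a changed signature on its own, is noise in most organisations, whereas a reply in an existing conversation that suddenly carries a .doc and a different sign-off is worth quarantining for review. Because the sending account is genuinely the correspondent's (it was hijacked), sender-reputation and SPF/DKIM checks pass, which is why content-level checks like these are needed.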

Images: URSNIF Trojan; example of a malicious e-mail; malicious e-mail vs. legitimate e-mail.