Researchers at Trend Micro have recently spotted a new campaign leveraging the Ursnif banking Trojan featuring new malicious macro tactics for payload delivery.

Malicious macros are widely adopted by crooks for malware distribution, usually, they are embedded in documents and attackers trick victims into enabling them. Then the malicious code (i.e. PowerShell) is executed to drop and run the final malware.

Unfortunately, cybercriminals continue to improve the effectiveness of macros tactics in the attempt to evade detection.

Recently, in spam email distributing URSNIF, the researchers observed the malware was using simple checks to evade sandbox detections.

One the tactic used by threat actors is the use of AutoClose, which can run the PowerShell script after the document was closed, evading sandbox detections focused on the analysis of the macro itself.

“This method is becoming a common feature in many malicious macros because it is easy to implement.” reads the analysis from Trend Micro.

“After coercing the victim to enable macros, the macro waits for the would-be victim to close the document and only then will PowerShell execute. Sandbox detections might miss the malicious behavior since the malicious routines will only run after the document is closed.”

Another tactic relies on enumeration variables which allow attackers to determine the Office version by comparing them to certain values.

Microsoft Office provides users several enumeration variables for its macros containing predefined values, but some enumerations are only present in later versions making possible the check of the office version.

The tactic allows the attacker to avoid using the macro for certain Office versions, like Office 2007.

Another sandbox evasion tactic is based on the filename check in the macro. When automating the analysis of a file in a sandbox, the file is sometimes renamed to its MD5, SHA-1 or SHA-256 equivalent. The attackers check the filename length in the VBScript before triggering the malicious action. In presence of long filename that could reveal the use of a sandbox, the macro will not execute the malicious routines to evade detection.

All the techniques observed by the experts use PowerShell scripts to download and execute the final payload. In all cases analyzed by the researchers, the final payload was a variant of the Ursnif Trojan.

“Most of the samples analyzed have one thing in common—they run PowerShell script that downloads and executes another malware. For the samples we analyzed, the malware downloaded is a variant of the URSNIF malware (detected by Trend Micro as TSPY_URSNIF).” concluded Trend Micro

“However, these are not unique to one malware; it is possible that others may be downloaded. As malware and their delivery methods continue to evolve, security must be updated as well.”

Pierluigi Paganini

(Security Affairs – Ursnif Banking Trojan, cybercrime)