Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

The actor behind the Ursnif banking Trojan has been using new evasive macros in their latest infection campaign, demonstrating continuous evolution of tools and techniques, Proofpoint researchers reveal.

In the latest observed distribution campaign, the Trojan is delivered through weaponized Word documents. Before any payload is dropped, however, the malicious macro fingerprints the host and aborts if the environment looks like an analysis sandbox, so that the sample is never observed detonating in automated detection systems and is harder to analyze by hand.

Previously, the macro checked the machine's public IP address and the number of recently opened Microsoft Word files to decide whether it was running in a virtual or analysis environment. The actor behind it, tracked as TA530, has now added further sandbox evasion checks to the macro to tailor the threat more tightly to its intended victims, researchers explain.

Following the recent update, the macro checks whether the document's filename consists only of hexadecimal characters before the extension, and requires at least 50 running processes with a visible window, obtained via Application.Tasks.Count. It also iterates over Application.Tasks to compare task names against a blacklist, and has expanded the list of strings it looks for in the response from the MaxMind geolocation service.

The actor also changed how the macro is triggered. Malware usually relies on an auto-executing entry point such as Document_Open() or AutoOpen(); in this campaign, execution starts from the Painted event of an embedded ActiveX Image control (observed as Img_Painted), which fires when the control is rendered as the document opens. Tooling that only enumerates the conventional autorun procedures can miss this entry point.

This week, a highly personalized spam campaign associated with this threat was observed using the recipient's company name, personal name, job title and similar details to deliver the malicious Word documents. To lure the user into enabling macros, the document claims to be protected against unauthorized use. Once the user allows the macro to run and the checks pass, an Ursnif sample with ID “30030” is dropped; this build targets Australian banking sites with web injects.

The hexadecimal filename check exists because samples submitted to sandboxes are frequently renamed to their MD5 or SHA256 hash. The macro therefore proceeds only if the filename has an extension and the part before it contains something other than the digits 0-9 and the letters a-f, such as later letters, underscores or spaces. A document a user saved as “Invoice_0412.doc” passes; a file named only by its 32- or 64-character hash, or one with no extension at all, does not.

The macro also requires at least 50 running tasks with a window, because a real user's system typically has well over that number while sandboxes run as few processes as possible. Next, it performs a case-insensitive check of each task name against a blacklist of strings associated with analysis tools, including “fiddler”, “vxstream”, “vbox”, “tcpview”, “vmware”, “process explorer”, “vmtools”, “autoit”, “wireshark”, “visual basic”, and “process monitor”. Note that “visual basic” would also match the title of the Visual Basic for Applications editor, so an analyst stepping through the macro in the VBE would trip the check.
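Defenders can look for the same evasion plumbing in extracted macro source. The following Python triage script is an added example, not code from the article or from Proofpoint, and it operates on text such as olevba produces. The two macro snippets embedded in it are constructed stand-ins that reuse only the identifiers the article names (Img_Painted, Application.Tasks.Count, Application.Tasks, MaxMind); they are not the Ursnif macro, and the lookup URL is a placeholder.

```python
import re

# Constructed stand-in for macro source as extracted by a tool such as olevba.
# It is NOT the Ursnif macro; it only reuses the identifiers the article names,
# and the lookup URL is a placeholder.
EVASIVE_MACRO = r'''
Private Sub Img_Painted(ByVal Index As Long)
    If Application.Tasks.Count < 50 Then Exit Sub
    Dim t As Task
    For Each t In Application.Tasks
        If InStr(1, LCase(t.Name), "vmware") > 0 Then Exit Sub
    Next
    Dim stem As String, i As Long, hexOnly As Boolean
    stem = Left(ActiveDocument.Name, InStrRev(ActiveDocument.Name, ".") - 1)
    hexOnly = True
    For i = 1 To Len(stem)
        If InStr("0123456789abcdefABCDEF", Mid(stem, i, 1)) = 0 Then hexOnly = False
    Next
    If hexOnly Then Exit Sub
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "https://maxmind.example/lookup", False
    h.Send
    If InStr(UCase(h.responseText), "OCEANIA") = 0 Then Exit Sub
    ' payload stage would follow here
End Sub
'''

# Constructed benign macro for comparison: conventional entry point, no checks.
BENIGN_MACRO = r'''
Private Sub Document_Open()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
'''

# Conventional auto-executing procedures in Office VBA.
AUTORUN_RE = re.compile(r"\bSub\s+(Document_Open|AutoOpen|Workbook_Open|Auto_Open|AutoExec)\b", re.I)
# ActiveX control Painted event used as an alternative entry point.
PAINTED_RE = re.compile(r"\bSub\s+\w+_Painted\b", re.I)
TASK_COUNT_RE = re.compile(r"Application\.Tasks\.Count", re.I)
TASK_ITER_RE = re.compile(r"For\s+Each\s+\w+\s+In\s+Application\.Tasks\b", re.I)
# A hex alphabet literal next to the document name suggests a hash-filename check.
HEX_ALPHABET_RE = re.compile(r"0123456789abcdef", re.I)
DOC_NAME_RE = re.compile(r"ActiveDocument\.(Name|FullName)", re.I)
GEOIP_RE = re.compile(r"maxmind", re.I)


def scan_macro(src: str) -> list[str]:
    """Return the sorted list of sandbox-evasion indicators found in VBA source."""
    hits = set()
    if PAINTED_RE.search(src):
        hits.add("activex_painted_entry_point")
    if re.search(r"\bSub\s+\w+", src) and not AUTORUN_RE.search(src):
        hits.add("no_standard_autorun")
    if TASK_COUNT_RE.search(src):
        hits.add("gui_task_count_check")
    if TASK_ITER_RE.search(src):
        hits.add("task_name_blacklist")
    if HEX_ALPHABET_RE.search(src) and DOC_NAME_RE.search(src):
        hits.add("hex_filename_check")
    if GEOIP_RE.search(src):
        hits.add("geolocation_lookup")
    return sorted(hits)


def is_suspicious(src: str, threshold: int = 2) -> bool:
    """Single indicators have benign uses; escalate on a combination."""
    return len(scan_macro(src)) >= threshold


if __name__ == "__main__":
    print("evasive:", scan_macro(EVASIVE_MACRO))
    print("benign: ", scan_macro(BENIGN_MACRO))
```

Each indicator is weak on its own (Application.Tasks and ActiveDocument.Name have legitimate uses), so the script reports the combination; a Painted-event entry point with no conventional autorun procedure, paired with a task-count check, is the pattern worth escalating.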


The macro also abuses the well-known MaxMind geolocation service to confirm that the target machine is in Australia, the only country targeted in this campaign. Specifically, it requires that the response returned by MaxMind contain “OCEANIA,” the region of the Pacific that includes Australia.

The same response is then checked against an expanded blacklist of network and organization names, and the infection is aborted if the machine appears to sit in one of them. Interestingly, in addition to security vendors, the list includes strings such as “hospital”, “university”, “school”, “science”, “army”, “veterans”, “government”, and “nuclear.” Most probably this check was added to minimize exposure to researchers and to military or government entities, researchers say.
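To see how the decision gate behaves end to end, here is an added Python emulation of the checks as the article describes them; it is not Proofpoint's analysis code or the actor's macro. It assumes the checks run in the order listed above, treats the quoted blacklists as partial excerpts, and uses constructed filenames, task lists and MaxMind-style responses whose field layout is illustrative only. Its purpose is to let a sandbox operator test whether a given configuration would be rejected before the payload stage.

```python
import re

# Blacklist excerpts as quoted in the article. The full lists were not published,
# so these are assumed to be partial.
TASK_BLACKLIST = ("fiddler", "vxstream", "vbox", "tcpview", "vmware", "process explorer",
                  "vmtools", "autoit", "wireshark", "visual basic", "process monitor")
ORG_BLACKLIST = ("hospital", "university", "school", "science", "army",
                 "veterans", "government", "nuclear")
HEX_STEM = re.compile(r"[0-9a-f]+", re.I)


def filename_passes(name: str) -> bool:
    """Hex-filename check: True only if the name has an extension and the part
    before it is not purely hexadecimal, i.e. it does not look like a hash-named sample."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or not ext:
        return False  # no extension appended: treated as a sandbox artefact
    return HEX_STEM.fullmatch(stem) is None


def tasks_pass(task_names, minimum: int = 50) -> bool:
    """Application.Tasks emulation: at least `minimum` windowed tasks, and no task
    whose name contains a blacklisted string (case-insensitive)."""
    if len(task_names) < minimum:
        return False
    lowered = [t.lower() for t in task_names]
    return not any(bad in t for t in lowered for bad in TASK_BLACKLIST)


def geo_passes(geo_response: str) -> bool:
    """MaxMind emulation: the response must mention OCEANIA and must not contain
    any blacklisted network/organization string."""
    text = geo_response.upper()
    if "OCEANIA" not in text:
        return False
    return not any(bad.upper() in text for bad in ORG_BLACKLIST)


def evasion_verdict(filename: str, task_names, geo_response: str) -> str:
    """Run the checks in the order the article lists them (assumed order) and return
    'run' or 'abort:<check>' naming the first check that would stop the infection."""
    if not filename_passes(filename):
        return "abort:filename"
    if not tasks_pass(task_names):
        return "abort:tasks"
    if not geo_passes(geo_response):
        return "abort:geo"
    return "run"


# --- Constructed inputs (not real telemetry) -----------------------------------
# SHA-256 of empty input, used only as a hash-shaped filename.
HASH_NAMED = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.doc"
USER_NAMED = "Invoice_4471.docx"
# 50 windowed tasks with ordinary names, as a busy workstation might show.
HOME_TASKS = [f"Document{i} - Word" for i in range(1, 49)] + ["Inbox - Outlook", "Google Chrome"]
# A bare sandbox: few tasks, analysis tooling visible.
SANDBOX_TASKS = ["sample.doc - Word", "Process Explorer - Sysinternals", "Wireshark"]
# MaxMind-style responses, constructed; the field layout is illustrative only.
AU_CONSUMER = '{"continent":{"names":{"en":"Oceania"}},"country":{"names":{"en":"Australia"}},"traits":{"organization":"Example Broadband Pty Ltd"}}'
AU_UNIVERSITY = '{"continent":{"names":{"en":"Oceania"}},"country":{"names":{"en":"Australia"}},"traits":{"organization":"University of Example"}}'
EU_CONSUMER = '{"continent":{"names":{"en":"Europe"}},"country":{"names":{"en":"Germany"}},"traits":{"organization":"Example Telekom"}}'

if __name__ == "__main__":
    scenarios = [("hash-named sample", (HASH_NAMED, HOME_TASKS, AU_CONSUMER)),
                 ("bare sandbox", (USER_NAMED, SANDBOX_TASKS, AU_CONSUMER)),
                 ("AU university egress", (USER_NAMED, HOME_TASKS, AU_UNIVERSITY)),
                 ("non-AU victim", (USER_NAMED, HOME_TASKS, EU_CONSUMER)),
                 ("intended victim", (USER_NAMED, HOME_TASKS, AU_CONSUMER))]
    for label, args in scenarios:
        print(f"{label:22s} -> {evasion_verdict(*args)}")
```

Running the module prints the verdict for each constructed scenario. The practical consequences for a sandbox operator follow directly: keep the sample's original, non-hash filename with its extension, populate the desktop with enough windowed tasks under ordinary names, and keep analysis tooling whose window titles carry the blacklisted strings out of the guest; the geolocation check can only be satisfied from an egress point that MaxMind attributes to an Australian network not matching one of the blacklisted organization strings.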

The actor behind this Ursnif campaign is also responsible for various other large-scale personalized attacks and keeps adding evasion techniques to the macros used in its infection campaigns. At the moment, the effort is focused on preventing the malware from executing on sandbox systems and on avoiding networks associated with security vendors and other sensitive entities.

“Over the last few years, malware sandboxes have become a more common component of the defenses that organizations and enterprises deploy to protect their users and their data. As the examples from this analysis demonstrate, threat actors are concentrating their research and innovation of malware sandbox evasion in an effort to remain ahead of their victims’ defenses,” Proofpoint researchers concluded.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
