Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration

In addition to employing a fileless attack technique, the Ursnif Trojan has been using CAB files to compress harvested data before exfiltration in recent attacks, Cisco Talos security researchers reveal. 

In addition to employing a fileless attack technique, the Ursnif Trojan has been using CAB files to compress harvested data before exfiltration in recent attacks, Cisco Talos security researchers reveal. 

The Trojan has been around for over half a decade, mainly focused on stealing users’ banking credentials, along with other sensitive information from the infected systems. 

Ursnif, Talos says, is “one of the most popular malware that attackers have deployed recently.”

The recently observed Ursnif distribution campaign leveraged a Microsoft Word document containing a malicious VBA macro for the distribution of the malware. The document contains an image that asks the intended victim to enable content.  

If Office already allows such code to run, the macro is automatically executed when the document is open, via the AutoOpen function, Talos’ researchers say. 

Mostly obfuscated, the macro contains one line of code to accesses the AlternativeText property of the Shapes object “j6h1cf,” a base64-encoded PowerShell command to download Ursnif from its command and control (C&C) server and to execute it. 

Registry data is created for the next stage and Windows Management Instrumentation Command-line (WMIC) is used to run PowerShell to extract the value of the APHohema key, which is a hexadecimal-encoded PowerShell command. 

This command creates a function later used to decode base64-encoded PowerShell, creates a byte array containing a malicious DLL, and executes the base64-decode function. This results in another PowerShell, which is run by the shorthand Invoke-Expression (iex) function to execute an Asynchronous Procedure Call (APC) Injection.

The injection first allocates memory for the malicious DLL with VirtualAllocEx, targeting the current process, then copies the malicious DLL into the newly allocated memory. 

After the infection process has been completed, the malware makes C&C requests over HTTPS. Analysis of this traffic reveals the use of the CAB file format to store the harvested data prior to exfiltration. 

“Ursnif is a fan of ‘fileless’ persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop,” Talos concludes.

“This is just the latest example of how anti-virus and signature-based security tools are easily bypassed by creative hackers,” Ray DeMeo, Co-Founder and COO at Virsec, told SecurityWeek. “There are hundreds of sophisticated hacker tools readily available, that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized. We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure.”

Related: Popular Banking Trojans Share Loaders

Related: Fileless Malware Attacks on the Rise, Microsoft Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.