Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Ursnif Trojan Uses Fileless Persistence and CAB for Stealthily Data Exfiltration

In addition to employing a fileless attack technique, the Ursnif Trojan has been using CAB files to compress harvested data before exfiltration in recent attacks, Cisco Talos security researchers reveal. 

In addition to employing a fileless attack technique, the Ursnif Trojan has been using CAB files to compress harvested data before exfiltration in recent attacks, Cisco Talos security researchers reveal. 

The Trojan has been around for over half a decade, mainly focused on stealing users’ banking credentials, along with other sensitive information from the infected systems. 

Ursnif, Talos says, is “one of the most popular malware that attackers have deployed recently.”

The recently observed Ursnif distribution campaign leveraged a Microsoft Word document containing a malicious VBA macro for the distribution of the malware. The document contains an image that asks the intended victim to enable content.  

If Office already allows such code to run, the macro is automatically executed when the document is open, via the AutoOpen function, Talos’ researchers say. 

Mostly obfuscated, the macro contains one line of code to accesses the AlternativeText property of the Shapes object “j6h1cf,” a base64-encoded PowerShell command to download Ursnif from its command and control (C&C) server and to execute it. 

Registry data is created for the next stage and Windows Management Instrumentation Command-line (WMIC) is used to run PowerShell to extract the value of the APHohema key, which is a hexadecimal-encoded PowerShell command. 

This command creates a function later used to decode base64-encoded PowerShell, creates a byte array containing a malicious DLL, and executes the base64-decode function. This results in another PowerShell, which is run by the shorthand Invoke-Expression (iex) function to execute an Asynchronous Procedure Call (APC) Injection.

The injection first allocates memory for the malicious DLL with VirtualAllocEx, targeting the current process, then copies the malicious DLL into the newly allocated memory. 

After the infection process has been completed, the malware makes C&C requests over HTTPS. Analysis of this traffic reveals the use of the CAB file format to store the harvested data prior to exfiltration. 

“Ursnif is a fan of ‘fileless’ persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop,” Talos concludes.

“This is just the latest example of how anti-virus and signature-based security tools are easily bypassed by creative hackers,” Ray DeMeo, Co-Founder and COO at Virsec, told SecurityWeek. “There are hundreds of sophisticated hacker tools readily available, that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized. We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure.”

Related: Popular Banking Trojans Share Loaders

Related: Fileless Malware Attacks on the Rise, Microsoft Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.