Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Ursnif Trojan Uses New Malicious Macro Tactics

Recently observed distribution campaigns featuring the Ursnif banking Trojan were using new malicious macro tactics for payload delivery, Trend Micro has discovered.

Recently observed distribution campaigns featuring the Ursnif banking Trojan were using new malicious macro tactics for payload delivery, Trend Micro has discovered.

Malicious macros have been used for over a decade for malware distribution, and have become highly popular among cybercriminals over the past several years, despite Microsoft’s efforts to block them. They are used to drop all types of malware, including banking malware, ransomware, spyware, and backdoors.

The normal infection chain when malicious macros are used involves tricking the victim into enabling the macro in the document received via spam email. Next, malicious code (usually PowerShell) is executed to download and run the final payload.

The effectiveness of macros as a delivery method inspires miscreants to continue to use the technique and improve it, in an attempt to evade detection and hinder analysis. Ursnif’s operators have already shown a focus on evading sandbox detection, and recently adopted checks that allow them to do so.

One employed tactic is the use of AutoClose, which can run the PowerShell script after the document was closed, thus preventing detection that focuses on analyzing the macro itself. The method is easy to implement and Trend Micro says it is becoming a common feature in many malicious macros.

“After coercing the victim to enable macros, the macro waits for the would-be victim to close the document and only then will PowerShell execute. Sandbox detections might miss the malicious behavior since the malicious routines will only run after the document is closed,” the researchers say.

Another detection evasion technique involves enumeration variables, which allow attackers to check the Office version by comparing them to certain values, given that some of these variables are only present in later versions of Microsoft Office. One specific enumeration variable allows attackers to detect Office 2007, which is commonly used in sandboxes for automated analysis. Thus, if Office 2007 is detected, the macro won’t deploy.

Another sandbox evasion tactic involves the use of a filename check in the macro. This method is meant to counter sandboxes where the file is renamed to its MD5, SHA-1, or SHA-256 equivalent. Thus, if the script detects a long filename, the macro won’t execute the malicious routines.

The one thing that these samples had in common was the use of PowerShell scripts to download and execute the final payload. In all cases, that was a variant of the Ursnif Trojan, but other malware could also use them, the researchers admit.

“However, these are not unique to one malware; it is possible that others may be downloaded. As malware and their delivery methods continue to evolve, security must be updated as well. Users need to be protected with the latest solutions that can combat new and evolving threats,” Trend Micro concludes.

Related: Windows 10 Can Detect PowerShell Attacks, Says Microsoft

Related: Office Loader Uses Macros to Drop Array of Malware

Related: Macro Malware Comes to macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.