Ursnif Trojan

Ursnif is an information stealing trojan capable of recording all keystrokes, websites visited, information saved in the Windows clipboard and what programs are being run.

Threat ID:: CC-1428
Category:: Spyware, Trojan
Threat Severity:: Medium
Threat Vector:: Spear phishing, Email spam, Drive by download
Published:: 24 May 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Ursnif is an information stealing trojan capable of recording all keystrokes, websites visited, information saved in the Windows clipboard and what programs are being run.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

All data is saved to a log file and sent back to the attacker.

Ursnif can be delivered in a variety of ways including spam, exploit kit, redirection attacks but the favoured delivery method remains to be spam emails with malicious attachments.

Threat updates

Date	Update
25 Oct 2017	New Ursnif campaign A new malvertising campaign is targeting users with Ursnif malware. In this campaign, the actors behind the Ursnif malware are using Microsoft Office file attachments with malicious macros to deliver the malware. The attachments are using the "AutoClose" feature will begin when a user closes the attachment that will run malicious a PowerShell script to download and execute the malware.

Date

Update

25 Oct 2017

New Ursnif campaign

A new malvertising campaign is targeting users with Ursnif malware. In this campaign, the actors behind the Ursnif malware are using Microsoft Office file attachments with malicious macros to deliver the malware. The attachments are using the "AutoClose" feature will begin when a user closes the attachment that will run malicious a PowerShell script to download and execute the malware.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Last edited: 4 March 2021 1:50 pm