Netskope Threat Research Labs has discovered another campaign of SPAM that drops URSNIF. The attack is designed to evade security products such as IPS and sandboxes. Although we have blogged about similar campaigns in the past, this iteration uses enhanced evasion techniques. The attack begins as an email carrying a password-protected Word file attachment, detected as Backdoor.Spamdoccryptd.BC, and results in the URSNIF family of data-theft malware, detected as Backdoor.Generckd.5086438 by Netskope Threat Protection.
Initial Stage of Attack
The attack originates as a spam message carrying a password-protected malicious attachment, which Netskope Threat Protection detects as Backdoor.Spamdoccryptd.BC. An example of the spam email is shown in Figure 1.
Figure 1: SPAM email containing a password-protected Microsoft Word document file.
Analysis of Malicious Word Document
The malicious Word document is password protected, a frequently used trick intended to bypass antivirus and sandbox inspection engines, which cannot inspect the encrypted content without the password. On entering the password, the document prompts the user to enable editing, as shown in Figure 2.
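A gateway-side triage check for the evasion described above, added here as an example and not Netskope's own code: it flags email attachments that are encrypted Office files by spotting the EncryptionInfo and EncryptedPackage streams that an encrypted .docx carries inside its OLE container. The MIME message and the attachment bytes are constructed test data, and the stream-name scan is a triage heuristic rather than a full CFB parser.

```python
"""Flag password-protected Office attachments in a MIME message (triage heuristic)."""
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (OLE2) header
ZIP_MAGIC = b"PK\x03\x04"                           # plain OOXML (.docx) is a ZIP container
# An encrypted .docx is an OLE container whose directory holds these two streams;
# directory entry names are stored as UTF-16LE, so search for that encoding.
ENCRYPTED_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]

def classify_office_blob(data: bytes) -> str:
    """Return 'ooxml', 'ole-encrypted', 'ole' or 'other' for one attachment body."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"             # unencrypted .docx: scanners can unzip and inspect it
    if data.startswith(OLE_MAGIC):
        if all(name in data for name in ENCRYPTED_STREAMS):
            return "ole-encrypted"  # content is unreadable to AV/sandbox without the password
        return "ole"               # legacy .doc or other OLE file (not classified further here)
    return "other"

def flag_encrypted_attachments(raw_message: bytes) -> list:
    """Walk a raw RFC 822 message and return filenames that look password-protected."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if classify_office_blob(payload) == "ole-encrypted":
            hits.append(part.get_filename())
    return hits

def _fake_encrypted_docx() -> bytes:
    """Constructed sample: OLE magic, zero-padded header, then two 128-byte directory entries."""
    header = OLE_MAGIC + b"\x00" * 504
    entries = b"".join(name.ljust(64, b"\x00") + b"\x00" * 64 for name in ENCRYPTED_STREAMS)
    return header + entries

def build_sample_message() -> bytes:
    """Constructed spam-like message: one encrypted Word attachment plus one plain .docx."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Invoice"
    m.set_content("The password for the attached invoice is in the body (constructed sample).")
    m.add_attachment(_fake_encrypted_docx(), maintype="application",
                     subtype="msword", filename="invoice.doc")
    m.add_attachment(ZIP_MAGIC + b"plain docx payload", maintype="application",
                     subtype="octet-stream", filename="ok.docx")
    return m.as_bytes()
```

A password-protected legacy .doc sits in the same OLE container but records encryption in the FIB of its WordDocument stream, so that case needs a real CFB parser and is deliberately left out of this heuristic.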