A large SPAM campaign is underway where victims receive an email that pretends to be a requested invoice and contains a password for a password protected encrypted Word document attachment. These password protected word documents contain embedded VBScript files that will download and install the Ursnif keylogger.

When Word documents are password protected, they also become encrypted. Malware distributors are hoping that by sending these encrypted Word documents they will be harder to detect by security software. You can see an example of one of the malicious SPAM emails that was provided to me by Zenexer.

SPAM Email
SPAM Email

Enclosed in the SPAM email is the password that a recipient needs to use in order to open the attachment. The text of these SPAM emails is:

Please review report created for email@email.com as you asked.

The Transfer will be posted in 40 minutes. Please see the invoice in attachment. 

You have to enter it to be able to open the document.

When a target opens the attachment they will be presented with a prompt to enter the password as shown below.

Attachment Password Prompt
Attachment Password Prompt

Once a password is entered, a user will be presented with a Word document that appears to contain three other embedded documents. 

Opened Attachment
Opened Attachment

If a user clicks on the attachments, though, instead of a normal document opening, they will instead be presented with a prompt to run a VBScript file as shown below.

Run a VBScript File Prompt
Run a VBScript File Prompt

If the user continues by pressing the Open button, it will launch a script that downloads a DLL to the %AppData% folder and installs the the Ursnif keylogger.

Installing Ursnif
Installing Ursnif

When Ursnif is installed, the DLL will be copied to %UserProfile%\AppData\Roaming\Microsoft\CryplAPI\aeevtall.dll and an autorun will be created the loads the DLL on login. This autorun is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\apss3dlg	rundll32 "%UserProfile%\AppData\Roaming\Microsoft\CryplAPI\aeevtall.dll",DllRegisterServer

Once started, Ursnif will record your keystrokes, programs you open, files you create, and data you copy into the Windows clipboard and save them into logfiles in the %Temp% folder. These log files will have random file names that end with the .bin extension. For example, a log file could be called ja71.bin. These files are actually archives that can be extracted to see the data that will be sent to a TOR server under the malware developers control.

It is important that everyone be smart about opening attachments they receive. If an attachment looks suspicious or from an unknown person, it would be wise to not open it at all. If it is from someone you know and is asking you to enable macros or perform some other strange behavior, you may want to reach out to the sender to confirm they actually sent you the email.