If you haven't heard of Ursnif, you may soon. There is a new Phishing attack that takes social engineering deception to a new level, and Ursnif is behind it. This Trojan can hijack credentials via man-in-the-browser attacks, keylogging, or screenshot capture.

Advanced Spear Phishing

We've seen Trojans like this before (e.g. Emotet), but what makes this attack so novel is that the phishing attack actually comes in the form of a reply to an existing email thread from a trusted source. Imagine how hard that would be to decipher in the middle of a busy day. Essentially, the text written by the attacker and the request to enable macros in the attached Word document would be the only clues that something is amiss.

The phishing email actually attaches a macro-enabled Word file and asks the user to enable it when opening the file. That macro then launches PowerShell, which downloads the Ursnif payload.

Barkly broke the story, and their observation is that this new variant of Ursnif (often used as a banking Trojan) has "a very low detection rate among security products." In fact, Ursnif has been known to evade sandboxes and replicate the speed and cadence at which users type to evade behavioral biometrics.

Today's Attack Landscape Necessitates CDR More Than Ever

Clearly, there is already good evidence that anti-malware multi-scanning, which can detect some suspicious macros, and DMARC (SPF and DKIM) are important tools in the fight against email-based attacks.

But it's because of attacks like these that we believe Content Disarm and Reconstruction (CDR) is ready for a massive growth spurt. While the technology has been around for some time, several factors make it poised to take off:

1. Advanced hackers, such as state-sponsored attackers and organized cyber criminal gangs, have turned to traditional means of attack such as spear phishing – email and malicious attachments are their preferred way of attacking enterprises.
2. Email security gateways and sandboxes have been in place for some time, but advanced security threats are getting through.
3. Social engineering from attackers is becoming more ingenious, as this example proves.
4. Web drive-by downloads initiated from a malicious link in an email are one of the most common ways advanced attacks like ransomware are spreading.

At this point, we believe the market needs a more reliable approach for handling Advanced Security Threats that initiate from files such as productivity documents and images (steganography attacks). CDR is a cost-effective way to implement security enforcement for both web-based and email-based transmission of viruses, Trojans, keystroke loggers, and other forms of malware. CDR disables macros, hyperlinks, and all other types of active content.

OPSWAT has had CDR technology for over 5 years and provides several market-leading features. We call our CDR feature "data sanitization," and it is the primary technology of our Metadefender platform, enabling it to prevent Advanced threats in addition to improved detection with multi-scanning.

To learn more about data sanitization, click here to see a video example or here to read more on our web page.