Ursnif Banking Trojan

A recent spam campaign has been observed delivering the Ursniff banking trojan, luring users in with alleged parking violations and speeding fines.

Ursnif is an information stealing trojan capable of recording all keystrokes, websites visited, information saved in the Windows clipboard and what programs are being run. All data is saved to a log file and sent back to the attacker.

Ursnif can be delivered in a variety of ways including spam, exploit kit, redirection attacks but the favoured delivery method remains to be spam emails with malicious attachments. The attackers use a spam bot network and compromised web servers to distribute Ursnif.

A new malspam campaign is targeting users with URSNIF malware. In this campaign, the actors behind the URSNIF malware are using Microsoft Office file attachments with malicious macros to deliver the malware. The attachments are using the “AutoClose” feature will begin when a user closes the attachment that will run malicious a Powershell script to download and execute the malware.


  • Ensure that links or attachments are not opened from untrusted sources. Where it is necessary, try and make contact with the sender to confirm its legitimacy.
  • Ensure that malware definitions are kept up-to-date.
  • Ensure that users can only run programs at an appropriate level of privilege.
  • Ensure that cyber-awareness training is kept up-to-date.
  • Ensure regular backups are made, and stored away from the network.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: