Key takeaways
  • Cyble Research and Intelligence Labs (CRIL) has identified a malicious campaign likely targeting business professionals across the United States.
  • The campaign employs a malicious LNK file, masquerading as a PDF, that carries encoded data. The data is decoded with certutil.exe, which yields the next-stage payload: an HTA file.
  • The HTML Application (HTA) file contains VBScript that extracts and executes a lure document and a malicious DLL file, both embedded within the HTA file.
  • The DLL file acts as a loader, decrypting the subsequent payload and shellcode, which are responsible for executing the Ursnif core component.
  • The Threat Actor (TA) behind this campaign uses a multi-stage operation that executes entirely in memory, effectively evading detection by security products.
  • The final payload file (DLL) is identified as Ursnif malware, capable of establishing a connection with the C&C server and downloading additional modules to steal sensitive information from the victim’s machine.
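The certutil-decode-to-HTA step described above is one of the few points in this chain that leaves a process-creation trail. The following detection logic is an added example written for this summary, not code from Cyble or from the report; it runs over constructed Sysmon-style process events (the paths and event tuples are placeholders) and correlates a certutil decode whose output file is later launched by mshta.exe.

```python
import re
import ntpath

# Constructed Sysmon-style process-creation events (not taken from the report);
# fields: (parent_image, image, command_line). All paths are placeholders.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     r'certutil -decode "C:\Users\u\AppData\Local\Temp\Quote.pdf" C:\Users\u\AppData\Local\Temp\stage.hta'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
     r'mshta.exe C:\Users\u\AppData\Local\Temp\STAGE.hta'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\certutil.exe",
     r'certutil -verify C:\certs\corp.cer'),  # benign administrative use, must not alert
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
DECODE_SWITCHES = {"-decode", "/decode", "-decodehex", "/decodehex"}

def split_args(cmdline):
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [q or u for q, u in _TOKEN.findall(cmdline)]

def certutil_decode_output(event):
    """Return the output path when certutil.exe is used to decode a file, else None."""
    _parent, image, cmdline = event
    if ntpath.basename(image).lower() != "certutil.exe":
        return None
    args = split_args(cmdline)
    for i, arg in enumerate(args):
        if arg.lower() in DECODE_SWITCHES and i + 2 < len(args):
            return args[i + 2]  # certutil -decode <input> <output>
    return None

def mshta_target(event):
    """Return the .hta path when mshta.exe launches a file, else None."""
    _parent, image, cmdline = event
    if ntpath.basename(image).lower() != "mshta.exe":
        return None
    return next((a for a in split_args(cmdline)[1:] if a.lower().endswith(".hta")), None)

def find_decode_to_hta_chains(events):
    """Alert when a file written by certutil -decode is later executed by mshta.exe.
    Returns (decode_event_index, mshta_event_index, hta_path) tuples."""
    decoded, alerts = {}, []
    for idx, event in enumerate(events):
        out = certutil_decode_output(event)
        if out:
            decoded[out.lower()] = idx  # paths are case-insensitive on Windows
        hta = mshta_target(event)
        if hta and hta.lower() in decoded:
            alerts.append((decoded[hta.lower()], idx, hta))
    return alerts
```

A lone `certutil -decode` is also worth alerting on in most environments; the chain match simply raises confidence and ties the two events together for triage.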